{ "summary": { "snap": { "added": [], "removed": [], "diff": [ "snapd", "lxd" ] }, "deb": { "added": [ "linux-headers-6.8.0-49-generic", "linux-image-6.8.0-49-generic", "linux-modules-6.8.0-49-generic", "linux-riscv-6.8-headers-6.8.0-49", "python3-packaging", "u-boot-menu" ], "removed": [ "linux-headers-6.8.0-44-generic", "linux-image-6.8.0-44-generic", "linux-modules-6.8.0-44-generic", "linux-riscv-6.8-headers-6.8.0-44", "netplan-generator", "python3-netplan" ], "diff": [ "curl", "distro-info-data", "libarchive13:riscv64", "libcurl3-gnutls:riscv64", "libcurl4:riscv64", "libglib2.0-0:riscv64", "libglib2.0-bin", "libglib2.0-data", "libmodule-scandeps-perl", "libnetplan0:riscv64", "libpython3.10:riscv64", "libpython3.10-minimal:riscv64", "libpython3.10-stdlib:riscv64", "linux-headers-generic", "linux-headers-virtual", "linux-image-virtual", "linux-virtual", "nano", "needrestart", "netplan.io", "python3-twisted", "python3-urllib3", "python3.10", "python3.10-minimal", "snapd", "sosreport", "vim", "vim-common", "vim-runtime", "vim-tiny", "xxd" ] } }, "diff": { "deb": [ { "name": "curl", "from_version": { "source_package_name": "curl", "source_package_version": "7.81.0-1ubuntu1.18", "version": "7.81.0-1ubuntu1.18" }, "to_version": { "source_package_name": "curl", "source_package_version": "7.81.0-1ubuntu1.19", "version": "7.81.0-1ubuntu1.19" }, "cves": [ { "cve": "CVE-2024-9681", "url": "https://ubuntu.com/security/CVE-2024-9681", "cve_description": "When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform transfers with hosts like `x.example.com` as well as `example.com` where the first host is a subdomain of the second host. 
(The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.) When `x.example.com` responds with `Strict-Transport-Security:` headers, this bug can make the subdomain's expiry timeout *bleed over* and get set for the parent domain `example.com` in curl's HSTS cache. The result of a triggered bug is that HTTP accesses to `example.com` get converted to HTTPS for a different period of time than what was asked for by the origin server. If `example.com` for example stops supporting HTTPS at its expiry time, curl might then fail to access `http://example.com` until the (wrongly set) timeout expires. This bug can also expire the parent's entry *earlier*, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended.", "cve_priority": "low", "cve_public_date": "2024-11-06 08:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-9681", "url": "https://ubuntu.com/security/CVE-2024-9681", "cve_description": "When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform transfers with hosts like `x.example.com` as well as `example.com` where the first host is a subdomain of the second host. (The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.) When `x.example.com` responds with `Strict-Transport-Security:` headers, this bug can make the subdomain's expiry timeout *bleed over* and get set for the parent domain `example.com` in curl's HSTS cache. 
The result of a triggered bug is that HTTP accesses to `example.com` get converted to HTTPS for a different period of time than what was asked for by the origin server. If `example.com` for example stops supporting HTTPS at its expiry time, curl might then fail to access `http://example.com` until the (wrongly set) timeout expires. This bug can also expire the parent's entry *earlier*, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended.", "cve_priority": "low", "cve_public_date": "2024-11-06 08:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: HSTS expiry overwrites parent cache entry.", " - debian/patches/CVE-2024-9681.patch: Add bestsub, blen, and hostname", " comparison in lib/hsts.c.", " - CVE-2024-9681", "" ], "package": "curl", "version": "7.81.0-1ubuntu1.19", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Wed, 06 Nov 2024 10:54:59 -0330" } ], "notes": null }, { "name": "distro-info-data", "from_version": { "source_package_name": "distro-info-data", "source_package_version": "0.52ubuntu0.7", "version": "0.52ubuntu0.7" }, "to_version": { "source_package_name": "distro-info-data", "source_package_version": "0.52ubuntu0.8", "version": "0.52ubuntu0.8" }, "cves": [], "launchpad_bugs_fixed": [ 2084572 ], "changes": [ { "cves": [], "log": [ "", " * Add Ubuntu 25.04 \"Plucky Puffin\" (LP: #2084572)", "" ], "package": "distro-info-data", "version": "0.52ubuntu0.8", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2084572 ], "author": "Benjamin Drung ", "date": "Thu, 17 Oct 2024 12:43:19 +0200" } ], "notes": null }, { "name": "libarchive13:riscv64", "from_version": { "source_package_name": "libarchive", "source_package_version": "3.6.0-1ubuntu1.1", "version": "3.6.0-1ubuntu1.1" }, "to_version": { "source_package_name": "libarchive", "source_package_version": "3.6.0-1ubuntu1.3", "version": "3.6.0-1ubuntu1.3" }, "cves": [ { "cve": 
"CVE-2024-20696", "url": "https://ubuntu.com/security/CVE-2024-20696", "cve_description": "Windows libarchive Remote Code Execution Vulnerability", "cve_priority": "medium", "cve_public_date": "2024-01-09 18:15:00 UTC" }, { "cve": "CVE-2022-36227", "url": "https://ubuntu.com/security/CVE-2022-36227", "cve_description": "In libarchive before 3.6.2, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. NOTE: the discoverer cites this CWE-476 remark but third parties dispute the code-execution impact: \"In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution.\"", "cve_priority": "low", "cve_public_date": "2022-11-22 02:15:00 UTC" }, { "cve": "CVE-2024-48957", "url": "https://ubuntu.com/security/CVE-2024-48957", "cve_description": "execute_filter_audio in archive_read_support_format_rar.c in libarchive before 3.7.5 allows out-of-bounds access via a crafted archive file because src can move beyond dst.", "cve_priority": "medium", "cve_public_date": "2024-10-10 02:15:00 UTC" }, { "cve": "CVE-2024-48958", "url": "https://ubuntu.com/security/CVE-2024-48958", "cve_description": "execute_filter_delta in archive_read_support_format_rar.c in libarchive before 3.7.5 allows out-of-bounds access via a crafted archive file because src can move beyond dst.", "cve_priority": "medium", "cve_public_date": "2024-10-10 02:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-20696", "url": "https://ubuntu.com/security/CVE-2024-20696", "cve_description": "Windows libarchive Remote Code Execution Vulnerability", "cve_priority": "medium", "cve_public_date": "2024-01-09 18:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: code execution via negative copy length", " - debian/patches/CVE-2024-20696.patch: 
protect", " copy_from_lzss_window_to_unp() in", " libarchive/archive_read_support_format_rar.c.", " - CVE-2024-20696", "" ], "package": "libarchive", "version": "3.6.0-1ubuntu1.3", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 29 Oct 2024 10:03:06 +0100" }, { "cves": [ { "cve": "CVE-2022-36227", "url": "https://ubuntu.com/security/CVE-2022-36227", "cve_description": "In libarchive before 3.6.2, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. NOTE: the discoverer cites this CWE-476 remark but third parties dispute the code-execution impact: \"In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution.\"", "cve_priority": "low", "cve_public_date": "2022-11-22 02:15:00 UTC" }, { "cve": "CVE-2024-48957", "url": "https://ubuntu.com/security/CVE-2024-48957", "cve_description": "execute_filter_audio in archive_read_support_format_rar.c in libarchive before 3.7.5 allows out-of-bounds access via a crafted archive file because src can move beyond dst.", "cve_priority": "medium", "cve_public_date": "2024-10-10 02:15:00 UTC" }, { "cve": "CVE-2024-48958", "url": "https://ubuntu.com/security/CVE-2024-48958", "cve_description": "execute_filter_delta in archive_read_support_format_rar.c in libarchive before 3.7.5 allows out-of-bounds access via a crafted archive file because src can move beyond dst.", "cve_priority": "medium", "cve_public_date": "2024-10-10 02:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: NULL pointer dereference", " - debian/patches/CVE-2022-36227.patch: Add NULL check in archive_write", " functions", " - CVE-2022-36227", " * SECURITY UPDATE: Out of bounds access", " - debian/patches/CVE-2024-48957.patch: check dst isn't 
less than or", " equal to src in execute_filter_audio", " - CVE-2024-48957", " * SECURITY UPDATE: Out of bounds access", " - debian/patches/CVE-2024-48958.patch: check dst isn't less than or", " equal to src in execute_filter_delta", " - CVE-2024-48958", "" ], "package": "libarchive", "version": "3.6.0-1ubuntu1.2", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Bruce Cable ", "date": "Mon, 14 Oct 2024 12:03:12 +1100" } ], "notes": null }, { "name": "libcurl3-gnutls:riscv64", "from_version": { "source_package_name": "curl", "source_package_version": "7.81.0-1ubuntu1.18", "version": "7.81.0-1ubuntu1.18" }, "to_version": { "source_package_name": "curl", "source_package_version": "7.81.0-1ubuntu1.19", "version": "7.81.0-1ubuntu1.19" }, "cves": [ { "cve": "CVE-2024-9681", "url": "https://ubuntu.com/security/CVE-2024-9681", "cve_description": "When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform transfers with hosts like `x.example.com` as well as `example.com` where the first host is a subdomain of the second host. (The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.) When `x.example.com` responds with `Strict-Transport-Security:` headers, this bug can make the subdomain's expiry timeout *bleed over* and get set for the parent domain `example.com` in curl's HSTS cache. The result of a triggered bug is that HTTP accesses to `example.com` get converted to HTTPS for a different period of time than what was asked for by the origin server. 
If `example.com` for example stops supporting HTTPS at its expiry time, curl might then fail to access `http://example.com` until the (wrongly set) timeout expires. This bug can also expire the parent's entry *earlier*, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended.", "cve_priority": "low", "cve_public_date": "2024-11-06 08:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-9681", "url": "https://ubuntu.com/security/CVE-2024-9681", "cve_description": "When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform transfers with hosts like `x.example.com` as well as `example.com` where the first host is a subdomain of the second host. (The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.) When `x.example.com` responds with `Strict-Transport-Security:` headers, this bug can make the subdomain's expiry timeout *bleed over* and get set for the parent domain `example.com` in curl's HSTS cache. The result of a triggered bug is that HTTP accesses to `example.com` get converted to HTTPS for a different period of time than what was asked for by the origin server. If `example.com` for example stops supporting HTTPS at its expiry time, curl might then fail to access `http://example.com` until the (wrongly set) timeout expires. 
This bug can also expire the parent's entry *earlier*, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended.", "cve_priority": "low", "cve_public_date": "2024-11-06 08:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: HSTS expiry overwrites parent cache entry.", " - debian/patches/CVE-2024-9681.patch: Add bestsub, blen, and hostname", " comparison in lib/hsts.c.", " - CVE-2024-9681", "" ], "package": "curl", "version": "7.81.0-1ubuntu1.19", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Wed, 06 Nov 2024 10:54:59 -0330" } ], "notes": null }, { "name": "libcurl4:riscv64", "from_version": { "source_package_name": "curl", "source_package_version": "7.81.0-1ubuntu1.18", "version": "7.81.0-1ubuntu1.18" }, "to_version": { "source_package_name": "curl", "source_package_version": "7.81.0-1ubuntu1.19", "version": "7.81.0-1ubuntu1.19" }, "cves": [ { "cve": "CVE-2024-9681", "url": "https://ubuntu.com/security/CVE-2024-9681", "cve_description": "When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform transfers with hosts like `x.example.com` as well as `example.com` where the first host is a subdomain of the second host. (The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.) When `x.example.com` responds with `Strict-Transport-Security:` headers, this bug can make the subdomain's expiry timeout *bleed over* and get set for the parent domain `example.com` in curl's HSTS cache. 
The result of a triggered bug is that HTTP accesses to `example.com` get converted to HTTPS for a different period of time than what was asked for by the origin server. If `example.com` for example stops supporting HTTPS at its expiry time, curl might then fail to access `http://example.com` until the (wrongly set) timeout expires. This bug can also expire the parent's entry *earlier*, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended.", "cve_priority": "low", "cve_public_date": "2024-11-06 08:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-9681", "url": "https://ubuntu.com/security/CVE-2024-9681", "cve_description": "When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure `HTTP://` scheme and perform transfers with hosts like `x.example.com` as well as `example.com` where the first host is a subdomain of the second host. (The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.) When `x.example.com` responds with `Strict-Transport-Security:` headers, this bug can make the subdomain's expiry timeout *bleed over* and get set for the parent domain `example.com` in curl's HSTS cache. The result of a triggered bug is that HTTP accesses to `example.com` get converted to HTTPS for a different period of time than what was asked for by the origin server. If `example.com` for example stops supporting HTTPS at its expiry time, curl might then fail to access `http://example.com` until the (wrongly set) timeout expires. 
This bug can also expire the parent's entry *earlier*, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended.", "cve_priority": "low", "cve_public_date": "2024-11-06 08:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: HSTS expiry overwrites parent cache entry.", " - debian/patches/CVE-2024-9681.patch: Add bestsub, blen, and hostname", " comparison in lib/hsts.c.", " - CVE-2024-9681", "" ], "package": "curl", "version": "7.81.0-1ubuntu1.19", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Wed, 06 Nov 2024 10:54:59 -0330" } ], "notes": null }, { "name": "libglib2.0-0:riscv64", "from_version": { "source_package_name": "glib2.0", "source_package_version": "2.72.4-0ubuntu2.3", "version": "2.72.4-0ubuntu2.3" }, "to_version": { "source_package_name": "glib2.0", "source_package_version": "2.72.4-0ubuntu2.4", "version": "2.72.4-0ubuntu2.4" }, "cves": [ { "cve": "CVE-2024-52533", "url": "https://ubuntu.com/security/CVE-2024-52533", "cve_description": "gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\\0' character.", "cve_priority": "medium", "cve_public_date": "2024-11-11 23:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-52533", "url": "https://ubuntu.com/security/CVE-2024-52533", "cve_description": "gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\\0' character.", "cve_priority": "medium", "cve_public_date": "2024-11-11 23:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Buffer overflow", " - debian/patches/CVE-2024-52533.patch: fix a single byte buffer", " overflow in connect messages in gio/gsocks4aproxy.c.", " - CVE-2024-52533", "" ], "package": "glib2.0", "version": "2.72.4-0ubuntu2.4", 
"urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Leonidas Da Silva Barbosa ", "date": "Wed, 13 Nov 2024 14:54:48 -0300" } ], "notes": null }, { "name": "libglib2.0-bin", "from_version": { "source_package_name": "glib2.0", "source_package_version": "2.72.4-0ubuntu2.3", "version": "2.72.4-0ubuntu2.3" }, "to_version": { "source_package_name": "glib2.0", "source_package_version": "2.72.4-0ubuntu2.4", "version": "2.72.4-0ubuntu2.4" }, "cves": [ { "cve": "CVE-2024-52533", "url": "https://ubuntu.com/security/CVE-2024-52533", "cve_description": "gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\\0' character.", "cve_priority": "medium", "cve_public_date": "2024-11-11 23:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-52533", "url": "https://ubuntu.com/security/CVE-2024-52533", "cve_description": "gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\\0' character.", "cve_priority": "medium", "cve_public_date": "2024-11-11 23:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Buffer overflow", " - debian/patches/CVE-2024-52533.patch: fix a single byte buffer", " overflow in connect messages in gio/gsocks4aproxy.c.", " - CVE-2024-52533", "" ], "package": "glib2.0", "version": "2.72.4-0ubuntu2.4", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Leonidas Da Silva Barbosa ", "date": "Wed, 13 Nov 2024 14:54:48 -0300" } ], "notes": null }, { "name": "libglib2.0-data", "from_version": { "source_package_name": "glib2.0", "source_package_version": "2.72.4-0ubuntu2.3", "version": "2.72.4-0ubuntu2.3" }, "to_version": { "source_package_name": "glib2.0", "source_package_version": "2.72.4-0ubuntu2.4", "version": "2.72.4-0ubuntu2.4" }, 
"cves": [ { "cve": "CVE-2024-52533", "url": "https://ubuntu.com/security/CVE-2024-52533", "cve_description": "gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\\0' character.", "cve_priority": "medium", "cve_public_date": "2024-11-11 23:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-52533", "url": "https://ubuntu.com/security/CVE-2024-52533", "cve_description": "gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\\0' character.", "cve_priority": "medium", "cve_public_date": "2024-11-11 23:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Buffer overflow", " - debian/patches/CVE-2024-52533.patch: fix a single byte buffer", " overflow in connect messages in gio/gsocks4aproxy.c.", " - CVE-2024-52533", "" ], "package": "glib2.0", "version": "2.72.4-0ubuntu2.4", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Leonidas Da Silva Barbosa ", "date": "Wed, 13 Nov 2024 14:54:48 -0300" } ], "notes": null }, { "name": "libmodule-scandeps-perl", "from_version": { "source_package_name": "libmodule-scandeps-perl", "source_package_version": "1.31-1", "version": "1.31-1" }, "to_version": { "source_package_name": "libmodule-scandeps-perl", "source_package_version": "1.31-1ubuntu0.1", "version": "1.31-1ubuntu0.1" }, "cves": [ { "cve": "CVE-2024-10224", "url": "https://ubuntu.com/security/CVE-2024-10224", "cve_description": "Qualys discovered that if unsanitized input was used with the library Modules::ScanDeps, before version 1.36 a local attacker could possibly execute arbitrary shell commands by open()ing a \"pesky pipe\" (such as passing \"commands|\" as a filename) or by passing arbitrary strings to eval().", "cve_priority": "medium", "cve_public_date": "2024-11-19 
18:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-10224", "url": "https://ubuntu.com/security/CVE-2024-10224", "cve_description": "Qualys discovered that if unsanitized input was used with the library Modules::ScanDeps, before version 1.36 a local attacker could possibly execute arbitrary shell commands by open()ing a \"pesky pipe\" (such as passing \"commands|\" as a filename) or by passing arbitrary strings to eval().", "cve_priority": "medium", "cve_public_date": "2024-11-19 18:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: parsing untrusted code", " - d/p/CVE-2024-10224/0001-use-three-argument-open.patch: use a", " three-argument open() alternative", " - d/p/CVE-2024-10224/0002-replace-eval-.-constructs.patch: replace eval ", " with parsing the code instead", " - d/p/CVE-2024-10224/0003-fix-parsing-of-use-if.patch: fix parsing of use", " if statements", " - CVE-2024-10224", "" ], "package": "libmodule-scandeps-perl", "version": "1.31-1ubuntu0.1", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Sudhakar Verma ", "date": "Mon, 18 Nov 2024 23:01:20 +0530" } ], "notes": null }, { "name": "libnetplan0:riscv64", "from_version": { "source_package_name": "netplan.io", "source_package_version": "0.107.1-3ubuntu0.22.04.1", "version": "0.107.1-3ubuntu0.22.04.1" }, "to_version": { "source_package_name": "netplan.io", "source_package_version": "0.106.1-7ubuntu0.22.04.4", "version": "0.106.1-7ubuntu0.22.04.4" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "libpython3.10:riscv64", "from_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.6", "version": "3.10.12-1~22.04.6" }, "to_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.7", "version": "3.10.12-1~22.04.7" }, "cves": [ { "cve": "CVE-2024-9287", "url": "https://ubuntu.com/security/CVE-2024-9287", 
"cve_description": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "cve_priority": "medium", "cve_public_date": "2024-10-22 17:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-9287", "url": "https://ubuntu.com/security/CVE-2024-9287", "cve_description": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. 
Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "cve_priority": "medium", "cve_public_date": "2024-10-22 17:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect quoting in venv module", " - debian/patches/CVE-2024-9287.patch: quote template strings in venv", " activation scripts in Lib/test/test_venv.py, Lib/venv/__init__.py,", " Lib/venv/scripts/common/activate, Lib/venv/scripts/nt/activate.bat,", " Lib/venv/scripts/posix/activate.csh,", " Lib/venv/scripts/posix/activate.fish.", " - CVE-2024-9287", "" ], "package": "python3.10", "version": "3.10.12-1~22.04.7", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 06 Nov 2024 15:22:13 -0500" } ], "notes": null }, { "name": "libpython3.10-minimal:riscv64", "from_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.6", "version": "3.10.12-1~22.04.6" }, "to_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.7", "version": "3.10.12-1~22.04.7" }, "cves": [ { "cve": "CVE-2024-9287", "url": "https://ubuntu.com/security/CVE-2024-9287", "cve_description": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. 
Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "cve_priority": "medium", "cve_public_date": "2024-10-22 17:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-9287", "url": "https://ubuntu.com/security/CVE-2024-9287", "cve_description": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "cve_priority": "medium", "cve_public_date": "2024-10-22 17:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect quoting in venv module", " - debian/patches/CVE-2024-9287.patch: quote template strings in venv", " activation scripts in Lib/test/test_venv.py, Lib/venv/__init__.py,", " Lib/venv/scripts/common/activate, Lib/venv/scripts/nt/activate.bat,", " Lib/venv/scripts/posix/activate.csh,", " Lib/venv/scripts/posix/activate.fish.", " - CVE-2024-9287", "" ], "package": "python3.10", "version": "3.10.12-1~22.04.7", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 06 Nov 2024 15:22:13 -0500" } ], "notes": null }, { "name": "libpython3.10-stdlib:riscv64", "from_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.6", "version": "3.10.12-1~22.04.6" }, "to_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.7", "version": "3.10.12-1~22.04.7" }, "cves": [ { "cve": "CVE-2024-9287", "url": 
"https://ubuntu.com/security/CVE-2024-9287", "cve_description": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "cve_priority": "medium", "cve_public_date": "2024-10-22 17:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-9287", "url": "https://ubuntu.com/security/CVE-2024-9287", "cve_description": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. 
Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "cve_priority": "medium", "cve_public_date": "2024-10-22 17:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect quoting in venv module", " - debian/patches/CVE-2024-9287.patch: quote template strings in venv", " activation scripts in Lib/test/test_venv.py, Lib/venv/__init__.py,", " Lib/venv/scripts/common/activate, Lib/venv/scripts/nt/activate.bat,", " Lib/venv/scripts/posix/activate.csh,", " Lib/venv/scripts/posix/activate.fish.", " - CVE-2024-9287", "" ], "package": "python3.10", "version": "3.10.12-1~22.04.7", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 06 Nov 2024 15:22:13 -0500" } ], "notes": null }, { "name": "linux-headers-generic", "from_version": { "source_package_name": "linux-meta-riscv-6.8", "source_package_version": "6.8.0.44.44.1~22.04.1", "version": "6.8.0.44.44.1~22.04.1" }, "to_version": { "source_package_name": "linux-meta-riscv-6.8", "source_package_version": "6.8.0.49.49.1~22.04.1", "version": "6.8.0.49.49.1~22.04.1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 6.8.0-49.49.1~22.04", "" ], "package": "linux-meta-riscv-6.8", "version": "6.8.0.49.49.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Emil Renner Berthing ", "date": "Thu, 07 Nov 2024 13:27:15 +0100" }, { "cves": [], "log": [ "", " * Bump ABI 6.8.0-48.48.1~22.04", "" ], "package": "linux-meta-riscv-6.8", "version": "6.8.0.48.48.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Emil Renner Berthing ", "date": "Mon, 14 Oct 2024 18:27:26 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 6.8.0-47.47.1~22.04", "" ], "package": "linux-meta-riscv-6.8", "version": "6.8.0.47.47.1~22.04.1", "urgency": "medium", 
"distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Emil Renner Berthing ", "date": "Wed, 09 Oct 2024 17:07:29 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 6.8.0-45.45.1~22.04", "" ], "package": "linux-meta-riscv-6.8", "version": "6.8.0.45.45.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Roxana Nicolescu ", "date": "Mon, 02 Sep 2024 11:50:52 +0200" } ], "notes": null }, { "name": "linux-headers-virtual", "from_version": { "source_package_name": "linux-meta-riscv-6.8", "source_package_version": "6.8.0.44.44.1~22.04.1", "version": "6.8.0.44.44.1~22.04.1" }, "to_version": { "source_package_name": "linux-meta-riscv-6.8", "source_package_version": "6.8.0.49.49.1~22.04.1", "version": "6.8.0.49.49.1~22.04.1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 6.8.0-49.49.1~22.04", "" ], "package": "linux-meta-riscv-6.8", "version": "6.8.0.49.49.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Emil Renner Berthing ", "date": "Thu, 07 Nov 2024 13:27:15 +0100" }, { "cves": [], "log": [ "", " * Bump ABI 6.8.0-48.48.1~22.04", "" ], "package": "linux-meta-riscv-6.8", "version": "6.8.0.48.48.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Emil Renner Berthing ", "date": "Mon, 14 Oct 2024 18:27:26 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 6.8.0-47.47.1~22.04", "" ], "package": "linux-meta-riscv-6.8", "version": "6.8.0.47.47.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Emil Renner Berthing ", "date": "Wed, 09 Oct 2024 17:07:29 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 6.8.0-45.45.1~22.04", "" ], "package": "linux-meta-riscv-6.8", "version": "6.8.0.45.45.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Roxana Nicolescu ", "date": "Mon, 02 Sep 2024 11:50:52 
+0200" } ], "notes": null }, { "name": "linux-image-virtual", "from_version": { "source_package_name": "linux-meta-riscv-6.8", "source_package_version": "6.8.0.44.44.1~22.04.1", "version": "6.8.0.44.44.1~22.04.1" }, "to_version": { "source_package_name": "linux-meta-riscv-6.8", "source_package_version": "6.8.0.49.49.1~22.04.1", "version": "6.8.0.49.49.1~22.04.1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 6.8.0-49.49.1~22.04", "" ], "package": "linux-meta-riscv-6.8", "version": "6.8.0.49.49.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Emil Renner Berthing ", "date": "Thu, 07 Nov 2024 13:27:15 +0100" }, { "cves": [], "log": [ "", " * Bump ABI 6.8.0-48.48.1~22.04", "" ], "package": "linux-meta-riscv-6.8", "version": "6.8.0.48.48.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Emil Renner Berthing ", "date": "Mon, 14 Oct 2024 18:27:26 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 6.8.0-47.47.1~22.04", "" ], "package": "linux-meta-riscv-6.8", "version": "6.8.0.47.47.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Emil Renner Berthing ", "date": "Wed, 09 Oct 2024 17:07:29 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 6.8.0-45.45.1~22.04", "" ], "package": "linux-meta-riscv-6.8", "version": "6.8.0.45.45.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Roxana Nicolescu ", "date": "Mon, 02 Sep 2024 11:50:52 +0200" } ], "notes": null }, { "name": "linux-virtual", "from_version": { "source_package_name": "linux-meta-riscv-6.8", "source_package_version": "6.8.0.44.44.1~22.04.1", "version": "6.8.0.44.44.1~22.04.1" }, "to_version": { "source_package_name": "linux-meta-riscv-6.8", "source_package_version": "6.8.0.49.49.1~22.04.1", "version": "6.8.0.49.49.1~22.04.1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { 
"cves": [], "log": [ "", " * Bump ABI 6.8.0-49.49.1~22.04", "" ], "package": "linux-meta-riscv-6.8", "version": "6.8.0.49.49.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Emil Renner Berthing ", "date": "Thu, 07 Nov 2024 13:27:15 +0100" }, { "cves": [], "log": [ "", " * Bump ABI 6.8.0-48.48.1~22.04", "" ], "package": "linux-meta-riscv-6.8", "version": "6.8.0.48.48.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Emil Renner Berthing ", "date": "Mon, 14 Oct 2024 18:27:26 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 6.8.0-47.47.1~22.04", "" ], "package": "linux-meta-riscv-6.8", "version": "6.8.0.47.47.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Emil Renner Berthing ", "date": "Wed, 09 Oct 2024 17:07:29 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 6.8.0-45.45.1~22.04", "" ], "package": "linux-meta-riscv-6.8", "version": "6.8.0.45.45.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Roxana Nicolescu ", "date": "Mon, 02 Sep 2024 11:50:52 +0200" } ], "notes": null }, { "name": "nano", "from_version": { "source_package_name": "nano", "source_package_version": "6.2-1", "version": "6.2-1" }, "to_version": { "source_package_name": "nano", "source_package_version": "6.2-1ubuntu0.1", "version": "6.2-1ubuntu0.1" }, "cves": [ { "cve": "CVE-2024-5742", "url": "https://ubuntu.com/security/CVE-2024-5742", "cve_description": "A vulnerability was found in GNU Nano that allows a possible privilege escalation through an insecure temporary file. 
If Nano is killed while editing, a file it saves to an emergency file with the permissions of the running user provides a window of opportunity for attackers to escalate privileges through a malicious symlink.", "cve_priority": "low", "cve_public_date": "2024-06-12 09:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-5742", "url": "https://ubuntu.com/security/CVE-2024-5742", "cve_description": "A vulnerability was found in GNU Nano that allows a possible privilege escalation through an insecure temporary file. If Nano is killed while editing, a file it saves to an emergency file with the permissions of the running user provides a window of opportunity for attackers to escalate privileges through a malicious symlink.", "cve_priority": "low", "cve_public_date": "2024-06-12 09:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Emergency file could be replaced by a malicious symlink.", " - debian/patches/CVE-2024-5742.patch: Use fchmod and fchown in write_file()", " in src/files.c instead of using chmod and chown in emergency_save() in", " src/nano.c. Add EMERGENCY write type in kind_of_writing_type enum in", " src/definitions.h. Update fd in write_file() in src/files.c. 
Based on", " upstream.", " - CVE-2024-5742", "" ], "package": "nano", "version": "6.2-1ubuntu0.1", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Thu, 10 Oct 2024 11:09:30 -0230" } ], "notes": null }, { "name": "needrestart", "from_version": { "source_package_name": "needrestart", "source_package_version": "3.5-5ubuntu2.1", "version": "3.5-5ubuntu2.1" }, "to_version": { "source_package_name": "needrestart", "source_package_version": "3.5-5ubuntu2.4", "version": "3.5-5ubuntu2.4" }, "cves": [ { "cve": "CVE-2024-48990", "url": "https://ubuntu.com/security/CVE-2024-48990", "cve_description": "Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable.", "cve_priority": "high", "cve_public_date": "2024-11-19 18:15:00 UTC" }, { "cve": "CVE-2024-48991", "url": "https://ubuntu.com/security/CVE-2024-48991", "cve_description": "Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by winning a race condition and tricking needrestart into running their own, fake Python interpreter (instead of the system's real Python interpreter). 
The initial security fix (6ce6136) introduced a regression which was subsequently resolved (42af5d3).", "cve_priority": "high", "cve_public_date": "2024-11-19 18:15:00 UTC" }, { "cve": "CVE-2024-48992", "url": "https://ubuntu.com/security/CVE-2024-48992", "cve_description": "Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by tricking needrestart into running the Ruby interpreter with an attacker-controlled RUBYLIB environment variable.", "cve_priority": "high", "cve_public_date": "2024-11-19 18:15:00 UTC" }, { "cve": "CVE-2024-11003", "url": "https://ubuntu.com/security/CVE-2024-11003", "cve_description": "Qualys discovered that needrestart, before version 3.8, passes unsanitized data to a library (Modules::ScanDeps) which expects safe input. This could allow a local attacker to execute arbitrary shell commands. Please see the related CVE-2024-10224 in Modules::ScanDeps.", "cve_priority": "medium", "cve_public_date": "2024-11-19 18:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2089193, 2089193 ], "changes": [ { "cves": [], "log": [ "", " * SECURITY REGRESSION: false positives for killing processes in LXC", " (LP: #2089193)", " - debian/patches/lp2091096/0021-fix-lxc-fp.patch: use the value of exe", " to check for obsolete processes when exec is undefined ", "" ], "package": "needrestart", "version": "3.5-5ubuntu2.4", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [ 2089193 ], "author": "Sudhakar Verma ", "date": "Thu, 05 Dec 2024 17:28:38 +0530" }, { "cves": [], "log": [ "", " * SECURITY REGRESSION: false positives for killing processes (LP: #2089193)", " - debian/patches/lp2089193/0020-fix-chroot-mountns-fp.patch: ignore check", " for obsolete processes in chrooted or containerized processes", "" ], "package": "needrestart", "version": "3.5-5ubuntu2.3", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [ 2089193 ], "author": "Sudhakar Verma 
", "date": "Tue, 26 Nov 2024 10:48:34 +0530" }, { "cves": [ { "cve": "CVE-2024-48990", "url": "https://ubuntu.com/security/CVE-2024-48990", "cve_description": "Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable.", "cve_priority": "high", "cve_public_date": "2024-11-19 18:15:00 UTC" }, { "cve": "CVE-2024-48991", "url": "https://ubuntu.com/security/CVE-2024-48991", "cve_description": "Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by winning a race condition and tricking needrestart into running their own, fake Python interpreter (instead of the system's real Python interpreter). The initial security fix (6ce6136) introduced a regression which was subsequently resolved (42af5d3).", "cve_priority": "high", "cve_public_date": "2024-11-19 18:15:00 UTC" }, { "cve": "CVE-2024-48992", "url": "https://ubuntu.com/security/CVE-2024-48992", "cve_description": "Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by tricking needrestart into running the Ruby interpreter with an attacker-controlled RUBYLIB environment variable.", "cve_priority": "high", "cve_public_date": "2024-11-19 18:15:00 UTC" }, { "cve": "CVE-2024-11003", "url": "https://ubuntu.com/security/CVE-2024-11003", "cve_description": "Qualys discovered that needrestart, before version 3.8, passes unsanitized data to a library (Modules::ScanDeps) which expects safe input. This could allow a local attacker to execute arbitrary shell commands. 
Please see the related CVE-2024-10224 in Modules::ScanDeps.", "cve_priority": "medium", "cve_public_date": "2024-11-19 18:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect usage of PYTHONPATH environment variable", " - debian/patches/CVE-2024-48990.patch: chdir to a clean directory ", " to avoid loading arbitrary objects, sanitize PYTHONPATH before", " spawning a new python interpreter", " - CVE-2024-48990", " * SECURITY UPDATE: race condition for checking path to python", " - debian/patches/CVE-2024-48991.patch: sync path for both check", " and usage for python interpreter", " - CVE-2024-48991", " * SECURITY UPDATE: incorrect usage of RUBYLIB environment variable", " - debian/patches/CVE-2024-48992.patch: chdir to a clean directory", " to avoid loading arbitrary objects, sanitize RUBYLIB before", " spawning a new ruby interpreter", " - CVE-2024-48992", " * SECURITY UPDATE: incorrect usage of Perl ScanDeps", " - debian/patches/CVE-2024-11003.patch: remove usage of ScanDeps", " to avoid parsing arbitrary code", " - CVE-2024-11003 ", "" ], "package": "needrestart", "version": "3.5-5ubuntu2.2", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Sudhakar Verma ", "date": "Mon, 18 Nov 2024 13:51:23 +0530" } ], "notes": null }, { "name": "netplan.io", "from_version": { "source_package_name": "netplan.io", "source_package_version": "0.107.1-3ubuntu0.22.04.1", "version": "0.107.1-3ubuntu0.22.04.1" }, "to_version": { "source_package_name": "netplan.io", "source_package_version": "0.106.1-7ubuntu0.22.04.4", "version": "0.106.1-7ubuntu0.22.04.4" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "python3-twisted", "from_version": { "source_package_name": "twisted", "source_package_version": "22.1.0-2ubuntu2.5", "version": "22.1.0-2ubuntu2.5" }, "to_version": { "source_package_name": "twisted", "source_package_version": "22.1.0-2ubuntu2.6", "version": "22.1.0-2ubuntu2.6" }, "cves": [ { "cve": 
"CVE-2024-41671", "url": "https://ubuntu.com/security/CVE-2024-41671", "cve_description": "Twisted is an event-based framework for internet applications, supporting Python 3.6+. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure. This vulnerability is fixed in 24.7.0rc1.", "cve_priority": "medium", "cve_public_date": "2024-07-29 15:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-41671", "url": "https://ubuntu.com/security/CVE-2024-41671", "cve_description": "Twisted is an event-based framework for internet applications, supporting Python 3.6+. The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in information disclosure. This vulnerability is fixed in 24.7.0rc1.", "cve_priority": "medium", "cve_public_date": "2024-07-29 15:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Out-of-order HTTP request processing.", " - debian/patches/CVE-2024-41671-*.patch: Move self.allContentReceived()", " after self._dataBuffer.append(data) in src/twisted/web/http.py. Add", " tests.", " - CVE-2024-41671", "" ], "package": "twisted", "version": "22.1.0-2ubuntu2.6", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Fri, 22 Nov 2024 14:19:41 -0330" } ], "notes": null }, { "name": "python3-urllib3", "from_version": { "source_package_name": "python-urllib3", "source_package_version": "1.26.5-1~exp1ubuntu0.1", "version": "1.26.5-1~exp1ubuntu0.1" }, "to_version": { "source_package_name": "python-urllib3", "source_package_version": "1.26.5-1~exp1ubuntu0.2", "version": "1.26.5-1~exp1ubuntu0.2" }, "cves": [ { "cve": "CVE-2024-37891", "url": "https://ubuntu.com/security/CVE-2024-37891", "cve_description": "urllib3 is a user-friendly HTTP client library for Python. 
When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. 
Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not use the `Proxy-Authorization` header as mitigations.", "cve_priority": "low", "cve_public_date": "2024-06-17 20:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-37891", "url": "https://ubuntu.com/security/CVE-2024-37891", "cve_description": "urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it's possible to accidentally configure the `Proxy-Authorization` header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3's built-in proxy support. 2. Not disabling HTTP redirects. 3. 
Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3's `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not use the `Proxy-Authorization` header as mitigations.", "cve_priority": "low", "cve_public_date": "2024-06-17 20:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: The Proxy-Authorization header is not correctly stripped", " when redirecting to a different host.", " - debian/patches/CVE-2024-37891.patch: Add \"Proxy-Authorization\" to", " DEFAULT_REMOVE_HEADERS_ON_REDIRECT in src/urllib3/util/retry.py. Add", " header to tests.", " - CVE-2024-37891", "" ], "package": "python-urllib3", "version": "1.26.5-1~exp1ubuntu0.2", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Thu, 17 Oct 2024 10:19:08 -0230" } ], "notes": null }, { "name": "python3.10", "from_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.6", "version": "3.10.12-1~22.04.6" }, "to_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.7", "version": "3.10.12-1~22.04.7" }, "cves": [ { "cve": "CVE-2024-9287", "url": "https://ubuntu.com/security/CVE-2024-9287", "cve_description": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. 
Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "cve_priority": "medium", "cve_public_date": "2024-10-22 17:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-9287", "url": "https://ubuntu.com/security/CVE-2024-9287", "cve_description": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "cve_priority": "medium", "cve_public_date": "2024-10-22 17:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect quoting in venv module", " - debian/patches/CVE-2024-9287.patch: quote template strings in venv", " activation scripts in Lib/test/test_venv.py, Lib/venv/__init__.py,", " Lib/venv/scripts/common/activate, Lib/venv/scripts/nt/activate.bat,", " Lib/venv/scripts/posix/activate.csh,", " Lib/venv/scripts/posix/activate.fish.", " - CVE-2024-9287", "" ], "package": "python3.10", "version": "3.10.12-1~22.04.7", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 06 Nov 2024 15:22:13 -0500" } ], "notes": null }, { "name": "python3.10-minimal", "from_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.6", "version": "3.10.12-1~22.04.6" }, "to_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.7", "version": "3.10.12-1~22.04.7" }, "cves": [ { "cve": "CVE-2024-9287", "url": 
"https://ubuntu.com/security/CVE-2024-9287", "cve_description": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "cve_priority": "medium", "cve_public_date": "2024-10-22 17:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-9287", "url": "https://ubuntu.com/security/CVE-2024-9287", "cve_description": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. 
Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "cve_priority": "medium", "cve_public_date": "2024-10-22 17:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect quoting in venv module", " - debian/patches/CVE-2024-9287.patch: quote template strings in venv", " activation scripts in Lib/test/test_venv.py, Lib/venv/__init__.py,", " Lib/venv/scripts/common/activate, Lib/venv/scripts/nt/activate.bat,", " Lib/venv/scripts/posix/activate.csh,", " Lib/venv/scripts/posix/activate.fish.", " - CVE-2024-9287", "" ], "package": "python3.10", "version": "3.10.12-1~22.04.7", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 06 Nov 2024 15:22:13 -0500" } ], "notes": null }, { "name": "snapd", "from_version": { "source_package_name": "snapd", "source_package_version": "2.63+22.04ubuntu0.1", "version": "2.63+22.04ubuntu0.1" }, "to_version": { "source_package_name": "snapd", "source_package_version": "2.66.1+22.04", "version": "2.66.1+22.04" }, "cves": [], "launchpad_bugs_fixed": [ 2083490, 2083490, 2077473, 2077473, 2077473, 2077473, 2072986, 2061179 ], "changes": [ { "cves": [], "log": [ "", " * New upstream release, LP: #2083490", " - AppArmor prompting (experimental): Fix kernel prompting support", " check", " - Allow kernel snaps to have content slots", " - Fix ignoring snaps in try mode when amending", "" ], "package": "snapd", "version": "2.66.1+22.04", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2083490 ], "author": "Ernest Lotter ", "date": "Fri, 11 Oct 2024 10:05:46 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2083490", " - AppArmor prompting (experimental): expand kernel support checks", " - AppArmor prompting (experimental): consolidate error messages and", " add error kinds", " - AppArmor prompting (experimental): grant 
/v2/snaps/{name} via", " snap-interfaces-requests-control", " - AppArmor prompting (experimental): add checks for duplicate", " pattern variants", " - Registry views (experimental): add handlers that commit (and", " cleanup) registry transactions", " - Registry views (experimental): add a snapctl fail command for", " rejecting registry transactions", " - Registry views (experimental): allow custodian snaps to implement", " registry hooks that modify and save registry data", " - Registry views (experimental): run view-changed hooks only for", " snaps plugging views affected by modified paths", " - Registry views (experimental): make registry transactions", " serialisable", " - Snap components: handle refreshing components to revisions that", " have been on the system before", " - Snap components: enable creating Ubuntu Core images that contain", " components", " - Snap components: handle refreshing components independently of", " snaps", " - Snap components: handle removing components when refreshing a snap", " that no longer defines them", " - Snap components: extend snapd Ubuntu Core installation API to", " allow for picking optional snaps and components to install", " - Snap components: extend kernel.yaml with \"dynamic-modules\",", " allowing kernel to define a location for kmods from component", " hooks", " - Snap components: renamed component type \"test\" to \"standard\"", " - Desktop IDs: support installing desktop files with custom names", " based on desktop-file-ids desktop interface plug attr", " - Auto-install snapd on classic systems as prerequisite for any non-", " essential snap install", " - Support loading AppArmor profiles on WSL2 with non-default kernel", " and securityfs mounted", " - Debian/Fedora packaging updates", " - Add snap debug command for investigating execution aspects of the", " snap toolchain", " - Improve snap pack error for easier parsing", " - Add support for user services when refreshing snaps", " - Add snap remove --terminate 
flag for terminating running snap", " processes", " - Support building FIPS complaint snapd deb and snap", " - Fix to not use nss when looking up for users/groups from snapd", " snap", " - Fix ordering in which layout changes are saved", " - Patch snapd snap dynamic linker to ignore LD_LIBRARY_PATH and", " related variables", " - Fix libexec dir for openSUSE Slowroll", " - Fix handling of the shared snap directory for parallel installs", " - Allow writing to /run/systemd/journal/dev-log by default", " - Avoid state lock during snap removal to avoid delaying other snapd", " operations", " - Add nomad-support interface to enable running Hashicorp Nomad", " - Add intel-qat interface", " - u2f-devices interface: add u2f trustkey t120 product id and fx", " series fido u2f devices", " - desktop interface: improve integration with xdg-desktop-portal", " - desktop interface: add desktop-file-ids plug attr to desktop", " interface", " - unity7 interface: support desktop-file-ids in desktop files rule", " generation", " - desktop-legacy interface: support desktop-file-ids in desktop", " files rule generation", " - desktop-legacy interface: grant access to gcin socket location", " - login-session-observe interface: allow introspection", " - custom-device interface: allow to explicitly identify matching", " device in udev tagging block", " - system-packages-doc interface: allow reading /usr/share/javascript", " - modem-manager interface: add new format of WWAN ports", " - pcscd interface: allow pcscd to read opensc.conf", " - cpu-control interface: add IRQ affinity control to cpu_control", " - opengl interface: add support for cuda workloads on Tegra iGPU in", " opengl interface", "" ], "package": "snapd", "version": "2.66", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2083490 ], "author": "Ernest Lotter ", "date": "Fri, 04 Oct 2024 14:22:03 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2077473", " - Fix missing aux info from 
store on snap setup", "" ], "package": "snapd", "version": "2.65.3", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2077473 ], "author": "Ernest Lotter ", "date": "Thu, 12 Sep 2024 09:40:17 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2077473", " - Bump squashfuse from version 0.5.0 to 0.5.2 (used in snapd deb", " only)", "" ], "package": "snapd", "version": "2.65.2", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2077473 ], "author": "Ernest Lotter ", "date": "Fri, 06 Sep 2024 17:08:45 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2077473", " - Support building snapd using base Core22 (Snapcraft 8.x)", " - FIPS: support building FIPS complaint snapd variant that switches", " to FIPS mode when the system boots with FIPS enabled", " - AppArmor: update to latest 4.0.2 release", " - AppArmor: enable using ABI 4.0 from host parser", " - AppArmor: fix parser lookup", " - AppArmor: support AppArmor snippet priorities", " - AppArmor: allow reading cgroup memory.max file", " - AppArmor: allow using snap-exec coming from the snapd snap when", " starting a confined process with jailmode", " - AppArmor prompting (experimental): add checks for prompting", " support, include prompting status in system key, and restart snapd", " if prompting flag changes", " - AppArmor prompting (experimental): include prompt prefix in", " AppArmor rules if prompting is supported and enabled", " - AppArmor prompting (experimental): add common types, constraints,", " and mappings from AppArmor permissions to abstract permissions", " - AppArmor prompting (experimental): add path pattern parsing and", " matching", " - AppArmor prompting (experimental): add path pattern precedence", " based on specificity", " - AppArmor prompting (experimental): add packages to manage", " outstanding request prompts and rules", " - AppArmor prompting (experimental): add prompting API and notice", " types, which require 
snap-interfaces-requests-control interface", " - AppArmor prompting (experimental): feature flag can only be", " enabled if prompting is supported, handler service connected, and", " the service can be started", " - Registry views (experimental): rename from aspects to registries", " - Registry views (experimental): support reading registry views and", " setting/unsetting registry data using snapctl", " - Registry views (experimental): fetch and refresh registry", " assertions as needed", " - Registry views (experimental): restrict view paths from using a", " number as first character and view names to storage path style", " patterns", " - Snap components: support installing snaps and components from", " files at the same time (no REST API/CLI)", " - Snap components: support downloading components related assertions", " from the store", " - Snap components: support installing components from the store", " - Snap components: support removing components individually and", " during snap removal", " - Snap components: support kernel modules as components", " - Snap components: support for component install, pre-refresh and", " post-refresh hooks", " - Snap components: initial support for building systems that contain", " components", " - Refresh app awareness (experimental): add data field for", " /v2/changes REST API to allow associating each task with affected", " snaps", " - Refresh app awareness (experimental): use the app name from", " .desktop file in notifications", " - Refresh app awareness (experimental): give snap-refresh-observe", " interface access to /v2/snaps/{name} endpoint", " - Improve snap-confine compatibility with nvidia drivers", " - Allow re-exec when SNAP_REEXEC is set for unlisted distros to", " simplify testing", " - Allow mixing revision and channel on snap install", " - Generate GNU build ID for Go binaries", " - Add missing etelpmoc.sh for shell completion", " - Do not attempt to run snapd on classic when re-exec is disabled", " - 
Packaging/build maintenance for Debian sid, Fedora, Arch, openSuse", " - Add snap debug API command to enable running raw queries", " - Enable snap-confine snap mount directory detection", " - Replace global seccomp filter with deny rules in standard seccomp", " template", " - Remove support for Ubuntu Core Launcher (superseded by snap-", " confine)", " - Support creating pending serial bound users after serial assertion", " becomes available", " - Support disabling cloud-init using kernel command-line", " - In hybrid systems, apps can refresh without waiting for restarts", " required by essential snaps", " - Ship snap-debug-info.sh script used for system diagnostics", " - Improve error messages when attempting to run non-existent snap", " - Switch to -u UID:GID for strace-static", " - Support enabling snapd logging with snap set system", " debug.snapd.{log,log-level}", " - Add options system.coredump.enable and system.coredump.maxuse to", " support using systemd-coredump on Ubuntu Core", " - Provide documentation URL for 'snap interface '", " - Fix snapd riscv64 build", " - Fix restarting activated services instead of their activator units", " (i.e. 
sockets, timers)", " - Fix potential unexpected auto-refresh of snap on managed schedule", " - Fix potential segfault by guarding against kernel command-line", " changes on classic system", " - Fix proxy entries in /etc/environment with missing newline that", " caused later manual entries to not be usable", " - Fix offline remodelling by ignoring prerequisites that will", " otherwise be downloaded from store", " - Fix devmode seccomp deny regression that caused spamming the log", " instead of actual denies", " - Fix snap lock leak during refresh", " - Fix not re-pinning validation sets that were already pinned when", " enforcing new validation sets", " - Fix handling of unexpected snapd runtime failure", " - Fix /v2/notices REST API skipping notices with duplicate", " timestamps", " - Fix comparing systemd versions that may contain pre-release", " suffixes", " - Fix udev potentially starting before snap-device-helper is made", " available", " - Fix race in snap seed metadata loading", " - Fix treating cloud-init exit status 2 as error", " - Fix to prevent sending refresh complete notification if snap snap-", " refresh-observe interface is connected", " - Fix to queue snapctl service commands if run from the default-", " configure hook to ensure they get up-to-date config values", " - Fix stop service failure when the service is not actually running", " anymore", " - Fix parsing /proc/PID/mounts with spaces", " - Add registry interface that provides snaps access to a particular", " registry view", " - Add snap-interfaces-requests-control interface to enable prompting", " client snaps", " - steam-support interface: remove all AppArmor and seccomp", " restrictions to improve user experience", " - opengl interface: improve compatibility with nvidia drivers", " - home interface: autoconnect home on Ubuntu Core Desktop", " - serial-port interface: support RPMsg tty", " - display-control interface: allow changing LVDS backlight power and", " brightness", " - power-control 
interface: support for battery charging thresholds,", " type/status and AC type/status", " - cpu-control interface: allow CPU C-state control", " - raw-usb interface: support RPi5 and Thinkpad x13s", " - custom-device interface: allow device file locking", " - lxd-support interface: allow LXD to self-manage its own cgroup", " - network-manager interface: support MPTCP sockets", " - network-control interface: allow plug/slot access to gnutls config", " and systemd resolved cache flushing via D-Bus", " - network-control interface: allow wpa_supplicant dbus api", " - gpio-control interface: support gpiochip* devices", " - polkit interface: fix \"rw\" mount option check", " - u2f-devices interface: enable additional security keys", " - desktop interface: enable kde theming support", "" ], "package": "snapd", "version": "2.65.1", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2077473 ], "author": "Ernest Lotter ", "date": "Sat, 24 Aug 2024 10:31:20 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2077473", " - Support building snapd using base Core22 (Snapcraft 8.x)", " - FIPS: support building FIPS compliant snapd variant that switches", " to FIPS mode when the system boots with FIPS enabled", " - AppArmor: update to latest 4.0.2 release", " - AppArmor: enable using ABI 4.0 from host parser", " - AppArmor: fix parser lookup", " - AppArmor: support AppArmor snippet priorities", " - AppArmor: allow reading cgroup memory.max file", " - AppArmor: allow using snap-exec coming from the snapd snap when", " starting a confined process with jailmode", " - AppArmor prompting (experimental): add checks for prompting", " support, include prompting status in system key, and restart snapd", " if prompting flag changes", " - AppArmor prompting (experimental): include prompt prefix in", " AppArmor rules if prompting is supported and enabled", " - AppArmor prompting (experimental): add common types, constraints,", " and mappings from 
AppArmor permissions to abstract permissions", " - AppArmor prompting (experimental): add path pattern parsing and", " matching", " - AppArmor prompting (experimental): add path pattern precedence", " based on specificity", " - AppArmor prompting (experimental): add packages to manage", " outstanding request prompts and rules", " - AppArmor prompting (experimental): add prompting API and notice", " types, which require snap-interfaces-requests-control interface", " - AppArmor prompting (experimental): feature flag can only be", " enabled if prompting is supported, handler service connected, and", " the service can be started", " - Registry views (experimental): rename from aspects to registries", " - Registry views (experimental): support reading registry views and", " setting/unsetting registry data using snapctl", " - Registry views (experimental): fetch and refresh registry", " assertions as needed", " - Registry views (experimental): restrict view paths from using a", " number as first character and view names to storage path style", " patterns", " - Snap components: support installing snaps and components from", " files at the same time (no REST API/CLI)", " - Snap components: support downloading components related assertions", " from the store", " - Snap components: support installing components from the store", " - Snap components: support removing components individually and", " during snap removal", " - Snap components: support kernel modules as components", " - Snap components: support for component install, pre-refresh and", " post-refresh hooks", " - Snap components: initial support for building systems that contain", " components", " - Refresh app awareness (experimental): add data field for", " /v2/changes REST API to allow associating each task with affected", " snaps", " - Refresh app awareness (experimental): use the app name from", " .desktop file in notifications", " - Refresh app awareness (experimental): give snap-refresh-observe", " interface 
access to /v2/snaps/{name} endpoint", " - Improve snap-confine compatibility with nvidia drivers", " - Allow re-exec when SNAP_REEXEC is set for unlisted distros to", " simplify testing", " - Allow mixing revision and channel on snap install", " - Generate GNU build ID for Go binaries", " - Add missing etelpmoc.sh for shell completion", " - Do not attempt to run snapd on classic when re-exec is disabled", " - Packaging/build maintenance for Debian sid, Fedora, Arch, openSuse", " - Add snap debug API command to enable running raw queries", " - Enable snap-confine snap mount directory detection", " - Replace global seccomp filter with deny rules in standard seccomp", " template", " - Remove support for Ubuntu Core Launcher (superseded by snap-", " confine)", " - Support creating pending serial bound users after serial assertion", " becomes available", " - Support disabling cloud-init using kernel command-line", " - In hybrid systems, apps can refresh without waiting for restarts", " required by essential snaps", " - Ship snap-debug-info.sh script used for system diagnostics", " - Improve error messages when attempting to run non-existent snap", " - Switch to -u UID:GID for strace-static", " - Support enabling snapd logging with snap set system", " debug.snapd.{log,log-level}", " - Add options system.coredump.enable and system.coredump.maxuse to", " support using systemd-coredump on Ubuntu Core", " - Provide documentation URL for 'snap interface '", " - Fix restarting activated services instead of their activator units", " (i.e. 
sockets, timers)", " - Fix potential unexpected auto-refresh of snap on managed schedule", " - Fix potential segfault by guarding against kernel command-line", " changes on classic system", " - Fix proxy entries in /etc/environment with missing newline that", " caused later manual entries to not be usable", " - Fix offline remodelling by ignoring prerequisites that will", " otherwise be downloaded from store", " - Fix devmode seccomp deny regression that caused spamming the log", " instead of actual denies", " - Fix snap lock leak during refresh", " - Fix not re-pinning validation sets that were already pinned when", " enforcing new validation sets", " - Fix handling of unexpected snapd runtime failure", " - Fix /v2/notices REST API skipping notices with duplicate", " timestamps", " - Fix comparing systemd versions that may contain pre-release", " suffixes", " - Fix udev potentially starting before snap-device-helper is made", " available", " - Fix race in snap seed metadata loading", " - Fix treating cloud-init exit status 2 as error", " - Fix to prevent sending refresh complete notification if snap snap-", " refresh-observe interface is connected", " - Fix to queue snapctl service commands if run from the default-", " configure hook to ensure they get up-to-date config values", " - Fix stop service failure when the service is not actually running", " anymore", " - Fix parsing /proc/PID/mounts with spaces", " - Add registry interface that provides snaps access to a particular", " registry view", " - Add snap-interfaces-requests-control interface to enable prompting", " client snaps", " - steam-support interface: remove all AppArmor and seccomp", " restrictions to improve user experience", " - opengl interface: improve compatibility with nvidia drivers", " - home interface: autoconnect home on Ubuntu Core Desktop", " - serial-port interface: support RPMsg tty", " - display-control interface: allow changing LVDS backlight power and", " brightness", " - power-control 
interface: support for battery charging thresholds,", " type/status and AC type/status", " - cpu-control interface: allow CPU C-state control", " - raw-usb interface: support RPi5 and Thinkpad x13s", " - custom-device interface: allow device file locking", " - lxd-support interface: allow LXD to self-manage its own cgroup", " - network-manager interface: support MPTCP sockets", " - network-control interface: allow plug/slot access to gnutls config", " and systemd resolved cache flushing via D-Bus", " - network-control interface: allow wpa_supplicant dbus api", " - gpio-control interface: support gpiochip* devices", " - polkit interface: fix \"rw\" mount option check", " - u2f-devices interface: enable additional security keys", " - desktop interface: enable kde theming support", "" ], "package": "snapd", "version": "2.65", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2077473 ], "author": "Ernest Lotter ", "date": "Fri, 23 Aug 2024 08:49:28 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2072986", " - Support building snapd using base Core22 (Snapcraft 8.x)", " - FIPS: support building FIPS compliant snapd variant that switches", " to FIPS mode when the system boots with FIPS enabled", " - AppArmor: update to AppArmor 4.0.1", " - AppArmor: support AppArmor snippet priorities", " - AppArmor prompting: add checks for prompting support, include", " prompting status in system key, and restart snapd if prompting", " flag changes", " - AppArmor prompting: include prompt prefix in AppArmor rules if", " prompting is supported and enabled", " - AppArmor prompting: add common types, constraints, and mappings", " from AppArmor permissions to abstract permissions", " - AppArmor prompting: add path pattern parsing and matching", " - Registry views (experimental): rename from aspects to registries", " - Registry views (experimental): support reading registry views", " using snapctl", " - Registry views (experimental): restrict view 
paths from using a", " number as first character and view names to storage path style", " patterns", " - Snap components: support installing snaps and components from", " files at the same time (no REST API/CLI)", " - Snap components: support downloading components related assertions", " from the store", " - Snap components: support installing components from the store (no", " REST API/CLI)", " - Snap components: support removing components (REST API, no CLI)", " - Snap components: started support for component hooks", " - Snap components: support kernel modules as components", " - Refresh app awareness (experimental): add data field for", " /v2/changes REST API to allow associating each task with affected", " snaps", " - Refresh app awareness (experimental): use the app name from", " .desktop file in notifications", " - Refresh app awareness (experimental): give snap-refresh-observe", " interface access to /v2/snaps/{name} endpoint", " - Allow re-exec when SNAP_REEXEC is set for unlisted distros to", " simplify testing", " - Generate GNU build ID for Go binaries", " - Add missing etelpmoc.sh for shell completion", " - Do not attempt to run snapd on classic when re-exec is disabled", " - Packaging/build maintenance for Debian sid, Fedora, Arch, openSuse", " - Add snap debug api command to enable running raw queries", " - Enable snap-confine snap mount directory detection", " - Replace global seccomp filter with deny rules in standard seccomp", " template", " - Remove support for Ubuntu Core Launcher (superseded by snap-", " confine)", " - Support creating pending serial bound users after serial assertion", " becomes available", " - Support disabling cloud-init using kernel command-line", " - In hybrid systems, apps can refresh without waiting for restarts", " required by essential snaps", " - Ship snap-debug-info.sh script used for system diagnostics", " - Improve error messages when attempting to run non-existent snap", " - Switch to -u UID:GID for strace-static", 
" - Support enabling snapd logging with snap set system", " debug.snapd.{log,log-level}", " - Fix restarting activated services instead of their activator units", " (i.e. sockets, timers)", " - Fix potential unexpected auto-refresh of snap on managed schedule", " - Fix potential segfault by guarding against kernel command-line", " changes on classic system", " - Fix proxy entries in /etc/environment with missing newline that", " caused later manual entries to not be usable", " - Fix offline remodelling by ignoring prerequisites that will", " otherwise be downloaded from store", " - Fix devmode seccomp deny regression that caused spamming the log", " instead of actual denies", " - Fix snap lock leak during refresh", " - Fix not re-pinning validation sets that were already pinned when", " enforcing new validation sets", " - Fix handling of unexpected snapd runtime failure", " - Fix /v2/notices REST API skipping notices with duplicate", " timestamps", " - Fix comparing systemd versions that may contain pre-release", " suffixes", " - Fix udev potentially starting before snap-device-helper is made", " available", " - Fix race in snap seed metadata loading", " - Fix treating cloud-init exit status 2 as error", " - Fix to prevent sending refresh complete notification if snap snap-", " refresh-observe interface is connected", " - Fix to queue snapctl service commands if run from the default-", " configure hook to ensure they get up-to-date config values", " - Fix stop service failure when the service is not actually running", " anymore", " - Add registry interface that provides snaps access to a particular", " registry view", " - steam-support interface: relaxed AppArmor and seccomp restrictions", " to improve user experience", " - home interface: autoconnect home on Ubuntu Core Desktop", " - serial-port interface: support RPMsg tty", " - display-control interface: allow changing LVDS backlight power and", " brightness", " - power-control interface: support for battery 
charging thresholds,", " type/status and AC type/status", " - cpu-control interface: allow CPU C-state control", " - raw-usb interface: support RPi5 and Thinkpad x13s", " - custom-device interface: allow device file locking", " - lxd-support interface: allow LXD to self-manage its own cgroup", " - network-manager interface: support MPTCP sockets", " - network-control interface: allow plug/slot access to gnutls config", " and systemd resolved cache flushing via D-Bus", "" ], "package": "snapd", "version": "2.64", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2072986 ], "author": "Ernest Lotter ", "date": "Wed, 24 Jul 2024 21:11:59 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2061179", " - Support for snap services to show the current status of user", " services (experimental)", " - Refresh app awareness: record snap-run-inhibit notice when", " starting app from snap that is busy with refresh (experimental)", " - Refresh app awareness: use warnings as fallback for desktop", " notifications (experimental)", " - Aspect based configuration: make request fields in the aspect-", " bundle's rules optional (experimental)", " - Aspect based configuration: make map keys conform to the same", " format as path sub-keys (experimental)", " - Aspect based configuration: make unset and set behaviour similar", " to configuration options (experimental)", " - Aspect based configuration: limit nesting level for setting value", " (experimental)", " - Components: use symlinks to point active snap component revisions", " - Components: add model assertion support for components", " - Components: fix to ensure local component installation always gets", " a new revision number", " - Add basic support for a CIFS remote filesystem-based home", " directory", " - Add support for AppArmor profile kill mode to avoid snap-confine", " error", " - Allow more than one interface to grant access to the same API", " endpoint or notice type", " - Allow all 
snapd service's control group processes to send systemd", " notifications to prevent warnings flooding the log", " - Enable not preseeded single boot install", " - Update secboot to handle new sbatlevel", " - Fix to not use cgroup for non-strict confined snaps (devmode,", " classic)", " - Fix two race conditions relating to freedesktop notifications", " - Fix missing tunables in snap-update-ns AppArmor template", " - Fix rejection of snapd snap udev command line by older host snap-", " device-helper", " - Rework seccomp allow/deny list", " - Clean up files removed by gadgets", " - Remove non-viable boot chains to avoid secboot failure", " - posix_mq interface: add support for missing time64 mqueue syscalls", " mq_timedreceive_time64 and mq_timedsend_time64", " - password-manager-service interface: allow kwalletd version 6", " - kubernetes-support interface: allow SOCK_SEQPACKET sockets", " - system-observe interface: allow listing systemd units and their", " properties", " - opengl interface: enable use of nvidia container toolkit CDI", " config generation", "" ], "package": "snapd", "version": "2.63", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2061179 ], "author": "Ernest Lotter ", "date": "Wed, 24 Apr 2024 02:00:39 +0200" } ], "notes": null }, { "name": "sosreport", "from_version": { "source_package_name": "sosreport", "source_package_version": "4.5.6-0ubuntu1~22.04.2", "version": "4.5.6-0ubuntu1~22.04.2" }, "to_version": { "source_package_name": "sosreport", "source_package_version": "4.7.2-0ubuntu1~22.04.1", "version": "4.7.2-0ubuntu1~22.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2054395 ], "changes": [ { "cves": [], "log": [ "", " * New 4.7.2 upstream release. 
(LP: #2054395)", "", " * For more details, full release note is available here:", " - https://github.com/sosreport/sos/releases/tag/4.7.2", "", " * d/control:", " - Add 'python3-packaging' as part of the runtime depends.", " - Add 'python3-packaging' as part of the build depends:", " Use packaging for version comparison instead of pkg_resources from", " setuptools.", " - Add 'python3-yaml' as part of the build depends:", " The new saltstack collect plugin now imports the yaml module, this is", " now required to build and run the sos package", "", " * Former patches, now fixed:", " - d/p/0002-obfuscate-netplan-ssid-password.patch", "", " * Remaining patches:", " - d/p/0001-debian-change-tmp-dir-location.patch", "" ], "package": "sosreport", "version": "4.7.2-0ubuntu1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2054395 ], "author": "Arif Ali ", "date": "Fri, 21 Jun 2024 09:52:04 +0100" } ], "notes": null }, { "name": "vim", "from_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.19", "version": "2:8.2.3995-1ubuntu2.19" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.21", "version": "2:8.2.3995-1ubuntu2.21" }, "cves": [ { "cve": "CVE-2024-47814", "url": "https://ubuntu.com/security/CVE-2024-47814", "cve_description": "Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. This issue has been addressed in version 9.1.0764 and all users are advised to upgrade. 
There are no known workarounds for this vulnerability.", "cve_priority": "low", "cve_public_date": "2024-10-07 22:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2084706 ], "changes": [ { "cves": [ { "cve": "CVE-2024-47814", "url": "https://ubuntu.com/security/CVE-2024-47814", "cve_description": "Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. This issue has been addressed in version 9.1.0764 and all users are advised to upgrade. There are no known workarounds for this vulnerability.", "cve_priority": "low", "cve_public_date": "2024-10-07 22:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Use after free when closing a buffer.", " - debian/patches/CVE-2024-47814.patch: Add buf_locked() in src/buffer.c.", " Abort autocommands editing a file when buf_locked() in src/ex_cmds.c.", " Add buf_locked() in src/proto/buffer.pro.", " - CVE-2024-47814", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.21", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Thu, 07 Nov 2024 09:47:21 -0330" }, { "cves": [], "log": [ "", " * Ensure Ubuntu codenames are current (LP: #2084706).", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.20", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2084706 ], "author": "Simon Quigley ", "date": "Wed, 16 Oct 2024 12:27:14 -0500" } ], "notes": null }, { "name": "vim-common", "from_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.19", "version": "2:8.2.3995-1ubuntu2.19" }, "to_version": { "source_package_name": "vim", 
"source_package_version": "2:8.2.3995-1ubuntu2.21", "version": "2:8.2.3995-1ubuntu2.21" }, "cves": [ { "cve": "CVE-2024-47814", "url": "https://ubuntu.com/security/CVE-2024-47814", "cve_description": "Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. This issue has been addressed in version 9.1.0764 and all users are advised to upgrade. There are no known workarounds for this vulnerability.", "cve_priority": "low", "cve_public_date": "2024-10-07 22:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2084706 ], "changes": [ { "cves": [ { "cve": "CVE-2024-47814", "url": "https://ubuntu.com/security/CVE-2024-47814", "cve_description": "Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. This issue has been addressed in version 9.1.0764 and all users are advised to upgrade. 
There are no known workarounds for this vulnerability.", "cve_priority": "low", "cve_public_date": "2024-10-07 22:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Use after free when closing a buffer.", " - debian/patches/CVE-2024-47814.patch: Add buf_locked() in src/buffer.c.", " Abort autocommands editing a file when buf_locked() in src/ex_cmds.c.", " Add buf_locked() in src/proto/buffer.pro.", " - CVE-2024-47814", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.21", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Thu, 07 Nov 2024 09:47:21 -0330" }, { "cves": [], "log": [ "", " * Ensure Ubuntu codenames are current (LP: #2084706).", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.20", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2084706 ], "author": "Simon Quigley ", "date": "Wed, 16 Oct 2024 12:27:14 -0500" } ], "notes": null }, { "name": "vim-runtime", "from_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.19", "version": "2:8.2.3995-1ubuntu2.19" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.21", "version": "2:8.2.3995-1ubuntu2.21" }, "cves": [ { "cve": "CVE-2024-47814", "url": "https://ubuntu.com/security/CVE-2024-47814", "cve_description": "Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. This issue has been addressed in version 9.1.0764 and all users are advised to upgrade. 
There are no known workarounds for this vulnerability.", "cve_priority": "low", "cve_public_date": "2024-10-07 22:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2084706 ], "changes": [ { "cves": [ { "cve": "CVE-2024-47814", "url": "https://ubuntu.com/security/CVE-2024-47814", "cve_description": "Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. This issue has been addressed in version 9.1.0764 and all users are advised to upgrade. There are no known workarounds for this vulnerability.", "cve_priority": "low", "cve_public_date": "2024-10-07 22:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Use after free when closing a buffer.", " - debian/patches/CVE-2024-47814.patch: Add buf_locked() in src/buffer.c.", " Abort autocommands editing a file when buf_locked() in src/ex_cmds.c.", " Add buf_locked() in src/proto/buffer.pro.", " - CVE-2024-47814", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.21", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Thu, 07 Nov 2024 09:47:21 -0330" }, { "cves": [], "log": [ "", " * Ensure Ubuntu codenames are current (LP: #2084706).", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.20", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2084706 ], "author": "Simon Quigley ", "date": "Wed, 16 Oct 2024 12:27:14 -0500" } ], "notes": null }, { "name": "vim-tiny", "from_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.19", "version": "2:8.2.3995-1ubuntu2.19" }, "to_version": { "source_package_name": "vim", 
"source_package_version": "2:8.2.3995-1ubuntu2.21", "version": "2:8.2.3995-1ubuntu2.21" }, "cves": [ { "cve": "CVE-2024-47814", "url": "https://ubuntu.com/security/CVE-2024-47814", "cve_description": "Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. This issue has been addressed in version 9.1.0764 and all users are advised to upgrade. There are no known workarounds for this vulnerability.", "cve_priority": "low", "cve_public_date": "2024-10-07 22:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2084706 ], "changes": [ { "cves": [ { "cve": "CVE-2024-47814", "url": "https://ubuntu.com/security/CVE-2024-47814", "cve_description": "Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. This issue has been addressed in version 9.1.0764 and all users are advised to upgrade. 
There are no known workarounds for this vulnerability.", "cve_priority": "low", "cve_public_date": "2024-10-07 22:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Use after free when closing a buffer.", " - debian/patches/CVE-2024-47814.patch: Add buf_locked() in src/buffer.c.", " Abort autocommands editing a file when buf_locked() in src/ex_cmds.c.", " Add buf_locked() in src/proto/buffer.pro.", " - CVE-2024-47814", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.21", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Thu, 07 Nov 2024 09:47:21 -0330" }, { "cves": [], "log": [ "", " * Ensure Ubuntu codenames are current (LP: #2084706).", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.20", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2084706 ], "author": "Simon Quigley ", "date": "Wed, 16 Oct 2024 12:27:14 -0500" } ], "notes": null }, { "name": "xxd", "from_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.19", "version": "2:8.2.3995-1ubuntu2.19" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.21", "version": "2:8.2.3995-1ubuntu2.21" }, "cves": [ { "cve": "CVE-2024-47814", "url": "https://ubuntu.com/security/CVE-2024-47814", "cve_description": "Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. This issue has been addressed in version 9.1.0764 and all users are advised to upgrade. 
There are no known workarounds for this vulnerability.", "cve_priority": "low", "cve_public_date": "2024-10-07 22:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2084706 ], "changes": [ { "cves": [ { "cve": "CVE-2024-47814", "url": "https://ubuntu.com/security/CVE-2024-47814", "cve_description": "Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. This issue has been addressed in version 9.1.0764 and all users are advised to upgrade. There are no known workarounds for this vulnerability.", "cve_priority": "low", "cve_public_date": "2024-10-07 22:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Use after free when closing a buffer.", " - debian/patches/CVE-2024-47814.patch: Add buf_locked() in src/buffer.c.", " Abort autocommands editing a file when buf_locked() in src/ex_cmds.c.", " Add buf_locked() in src/proto/buffer.pro.", " - CVE-2024-47814", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.21", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Thu, 07 Nov 2024 09:47:21 -0330" }, { "cves": [], "log": [ "", " * Ensure Ubuntu codenames are current (LP: #2084706).", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.20", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2084706 ], "author": "Simon Quigley ", "date": "Wed, 16 Oct 2024 12:27:14 -0500" } ], "notes": null } ], "snap": [ { "name": "snapd", "from_version": { "source_package_name": null, "source_package_version": null, "version": "19070" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": 
"23264" } }, { "name": "lxd", "from_version": { "source_package_name": null, "source_package_version": null, "version": "29375" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": "31338" } } ] }, "added": { "deb": [ { "name": "linux-headers-6.8.0-49-generic", "from_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-44.44.1~22.04.1", "version": null }, "to_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-49.49.1~22.04.1", "version": "6.8.0-49.49.1~22.04.1" }, "cves": [ { "cve": "CVE-2024-46800", "url": "https://ubuntu.com/security/CVE-2024-46800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sch/netem: fix use after free in netem_dequeue If netem_dequeue() enqueues packet to inner qdisc and that qdisc returns __NET_XMIT_STOLEN. The packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, leading to the similar use-after-free as Commit e04991a48dbaf382 (\"netem: fix return value if duplicate enqueue fails\") Commands to trigger KASAN UaF: ip link add type dummy ip link set lo up ip link set dummy0 up tc qdisc add dev lo parent root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2: handle 3: drr tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0 tc class add dev lo classid 3:1 drr ping -c1 -W0.01 localhost # Trigger bug tc class del dev lo classid 1:1 tc class add dev lo classid 1:1 drr ping -c1 -W0.01 localhost # UaF", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-43882", "url": "https://ubuntu.com/security/CVE-2024-43882", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: exec: Fix ToCToU between perm check and set-uid/gid usage 
When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. Much later in the execve() code path, the file metadata (specifically mode, uid, and gid) is used to determine if/how to set the uid and gid. However, those values may have changed since the permissions check, meaning the execution may gain unintended privileges. For example, if a file could change permissions from executable and not set-id: ---------x 1 root root 16048 Aug 7 13:16 target to set-id and non-executable: ---S------ 1 root root 16048 Aug 7 13:16 target it is possible to gain root privileges when execution should have been disallowed. While this race condition is rare in real-world scenarios, it has been observed (and proven exploitable) when package managers are updating the setuid bits of installed programs. Such files start with being world-executable but then are adjusted to be group-exec with a set-uid bit. For example, \"chmod o-x,u+s target\" makes \"target\" executable only by uid \"root\" and gid \"cdrom\", while also becoming setuid-root: -rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target becomes: -rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target But racing the chmod means users without group \"cdrom\" membership can get the permission to execute \"target\" just before the chmod, and when the chmod finishes, the exec reaches brpm_fill_uid(), and performs the setuid to root, violating the expressed authorization of \"only cdrom group members can setuid to root\". Re-check that we still have execute permissions in case the metadata has changed. It would be better to keep a copy from the perm-check time, but until we can do that refactoring, the least-bad option is to do a full inode_permission() call (under inode lock). 
It is understood that this is safe against dead-locks, but hardly optimal.", "cve_priority": "high", "cve_public_date": "2024-08-21 01:15:00 UTC" }, { "cve": "CVE-2024-43858", "url": "https://ubuntu.com/security/CVE-2024-43858", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: Fix array-index-out-of-bounds in diFree", "cve_priority": "medium", "cve_public_date": "2024-08-17 10:15:00 UTC" }, { "cve": "CVE-2024-42280", "url": "https://ubuntu.com/security/CVE-2024-42280", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mISDN: Fix a use after free in hfcmulti_tx() Don't dereference *sp after calling dev_kfree_skb(*sp).", "cve_priority": "medium", "cve_public_date": "2024-08-17 09:15:00 UTC" }, { "cve": "CVE-2024-42271", "url": "https://ubuntu.com/security/CVE-2024-42271", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/iucv: fix use after free in iucv_sock_close() iucv_sever_path() is called from process context and from bh context. iucv->path is used as indicator whether somebody else is taking care of severing the path (or it is already removed / never existed). This needs to be done with atomic compare and swap, otherwise there is a small window where iucv_sock_close() will try to work with a path that has already been severed and freed by iucv_callback_connrej() called by iucv_tasklet_fn(). 
Example: [452744.123844] Call Trace: [452744.123845] ([<0000001e87f03880>] 0x1e87f03880) [452744.123966] [<00000000d593001e>] iucv_path_sever+0x96/0x138 [452744.124330] [<000003ff801ddbca>] iucv_sever_path+0xc2/0xd0 [af_iucv] [452744.124336] [<000003ff801e01b6>] iucv_sock_close+0xa6/0x310 [af_iucv] [452744.124341] [<000003ff801e08cc>] iucv_sock_release+0x3c/0xd0 [af_iucv] [452744.124345] [<00000000d574794e>] __sock_release+0x5e/0xe8 [452744.124815] [<00000000d5747a0c>] sock_close+0x34/0x48 [452744.124820] [<00000000d5421642>] __fput+0xba/0x268 [452744.124826] [<00000000d51b382c>] task_work_run+0xbc/0xf0 [452744.124832] [<00000000d5145710>] do_notify_resume+0x88/0x90 [452744.124841] [<00000000d5978096>] system_call+0xe2/0x2c8 [452744.125319] Last Breaking-Event-Address: [452744.125321] [<00000000d5930018>] iucv_path_sever+0x90/0x138 [452744.125324] [452744.125325] Kernel panic - not syncing: Fatal exception in interrupt Note that bh_lock_sock() is not serializing the tasklet context against process context, because the check for sock_owned_by_user() and corresponding handling is missing. Ideas for a future clean-up patch: A) Correct usage of bh_lock_sock() in tasklet context, as described in Re-enqueue, if needed. This may require adding return values to the tasklet functions and thus changes to all users of iucv. B) Change iucv tasklet into worker and use only lock_sock() in af_iucv.", "cve_priority": "medium", "cve_public_date": "2024-08-17 09:15:00 UTC" }, { "cve": "CVE-2024-27022", "url": "https://ubuntu.com/security/CVE-2024-27022", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fork: defer linking file vma until vma is fully initialized Thorvald reported a WARNING [1]. And the root cause is below race: CPU 1 CPU 2 fork hugetlbfs_fallocate dup_mmap hugetlbfs_punch_hole i_mmap_lock_write(mapping); vma_interval_tree_insert_after -- Child vma is visible through i_mmap tree. 
i_mmap_unlock_write(mapping); hugetlb_dup_vma_private -- Clear vma_lock outside i_mmap_rwsem! i_mmap_lock_write(mapping); hugetlb_vmdelete_list vma_interval_tree_foreach hugetlb_vma_trylock_write -- Vma_lock is cleared. tmp->vm_ops->open -- Alloc new vma_lock outside i_mmap_rwsem! hugetlb_vma_unlock_write -- Vma_lock is assigned!!! i_mmap_unlock_write(mapping); hugetlb_dup_vma_private() and hugetlb_vm_op_open() are called outside i_mmap_rwsem lock while vma lock can be used in the same time. Fix this by deferring linking file vma until vma is fully initialized. Those vmas should be initialized first before they can be used.", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-41022", "url": "https://ubuntu.com/security/CVE-2024-41022", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq() The \"instance\" variable needs to be signed for the error handling to work.", "cve_priority": "medium", "cve_public_date": "2024-07-29 14:15:00 UTC" }, { "cve": "CVE-2024-45016", "url": "https://ubuntu.com/security/CVE-2024-45016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug happen: - If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. 
- If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.", "cve_priority": "medium", "cve_public_date": "2024-09-11 16:15:00 UTC" }, { "cve": "CVE-2024-45016", "url": "https://ubuntu.com/security/CVE-2024-45016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug happen: - If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. 
The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.", "cve_priority": "medium", "cve_public_date": "2024-09-11 16:15:00 UTC" }, { "cve": "CVE-2024-41009", "url": "https://ubuntu.com/security/CVE-2024-41009", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix overrunning reservations in ringbuf The BPF ring buffer internally is implemented as a power-of-2 sized circular buffer, with two logical and ever-increasing counters: consumer_pos is the consumer counter to show which logical position the consumer consumed the data, and producer_pos which is the producer counter denoting the amount of data reserved by all producers. Each time a record is reserved, the producer that \"owns\" the record will successfully advance producer counter. In user space each time a record is read, the consumer of the data advanced the consumer counter once it finished processing. Both counters are stored in separate pages so that from user space, the producer counter is read-only and the consumer counter is read-write. One aspect that simplifies and thus speeds up the implementation of both producers and consumers is how the data area is mapped twice contiguously back-to-back in the virtual memory, allowing to not take any special measures for samples that have to wrap around at the end of the circular buffer data area, because the next page after the last data page would be first data page again, and thus the sample will still appear completely contiguous in virtual memory. Each record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for book-keeping the length and offset, and is inaccessible to the BPF program. Helpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ` for the BPF program to use. 
Bing-Jhong and Muhammad reported that it is however possible to make a second allocated memory chunk overlapping with the first chunk and as a result, the BPF program is now able to edit first chunk's header. For example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size of 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to bpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in [0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets allocate a chunk B with size 0x3000. This will succeed because consumer_pos was edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask` check. Chunk B will be in range [0x3008,0x6010], and the BPF program is able to edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned earlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data pages. This means that chunk B at [0x4000,0x4008] is chunk A's header. bpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then locate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk B modified chunk A's header, then bpf_ringbuf_commit() refers to the wrong page and could cause a crash. Fix it by calculating the oldest pending_pos and check whether the range from the oldest outstanding record to the newest would span beyond the ring buffer size. If that is the case, then reject the request. 
We've tested with the ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh) before/after the fix and while it seems a bit slower on some benchmarks, it is still not significantly enough to matter.", "cve_priority": "medium", "cve_public_date": "2024-07-17 07:15:00 UTC" }, { "cve": "CVE-2024-42160", "url": "https://ubuntu.com/security/CVE-2024-42160", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: f2fs: check validation of fault attrs in f2fs_build_fault_attr() - It missed to check validation of fault attrs in parse_options(), let's fix to add check condition in f2fs_build_fault_attr(). - Use f2fs_build_fault_attr() in __sbi_store() to clean up code.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-42224", "url": "https://ubuntu.com/security/CVE-2024-42224", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: dsa: mv88e6xxx: Correct check for empty list Since commit a3c53be55c95 (\"net: dsa: mv88e6xxx: Support multiple MDIO busses\") mv88e6xxx_default_mdio_bus() has checked that the return value of list_first_entry() is non-NULL. This appears to be intended to guard against the list chip->mdios being empty. However, it is not the correct check as the implementation of list_first_entry is not designed to return NULL for empty lists. Instead, use list_first_entry_or_null() which does return NULL if the list is empty. Flagged by Smatch. 
Compile tested only.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-42154", "url": "https://ubuntu.com/security/CVE-2024-42154", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp_metrics: validate source addr length I don't see anything checking that TCP_METRICS_ATTR_SADDR_IPV4 is at least 4 bytes long, and the policy doesn't have an entry for this attribute at all (neither does it for IPv6 but v6 is manually validated).", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-42228", "url": "https://ubuntu.com/security/CVE-2024-42228", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. V2: To really improve the handling we would actually need to have a separate value of 0xffffffff.(Christian)", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-42159", "url": "https://ubuntu.com/security/CVE-2024-42159", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Sanitise num_phys Information is stored in mr_sas_port->phy_mask, values larger then size of this field shouldn't be allowed.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2085938, 2085939, 2085942, 2085495, 2082433, 2082434, 2074082, 2082437, 2077470, 2078834, 2077729, 2076866, 2076147, 2070329, 2076406, 2076190, 2077321, 2076402, 2077396, 2060039, 2079945, 2078304, 2078041, 2077690, 2077858, 2078289, 2076675, 2078289, 2073695, 2076361, 2072679, 2077600, 2069993, 2062951, 2073583, 2073282, 2076435, 2074380, 2082114, 2082115, 2082118, 2078096, 2078097, 2078100, 1786013, 2076435, 2077600, 2077600 ], "changes": [ { "cves": [ { "cve": "CVE-2024-46800", 
"url": "https://ubuntu.com/security/CVE-2024-46800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sch/netem: fix use after free in netem_dequeue If netem_dequeue() enqueues packet to inner qdisc and that qdisc returns __NET_XMIT_STOLEN. The packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, leading to the similar use-after-free as Commit e04991a48dbaf382 (\"netem: fix return value if duplicate enqueue fails\") Commands to trigger KASAN UaF: ip link add type dummy ip link set lo up ip link set dummy0 up tc qdisc add dev lo parent root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2: handle 3: drr tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0 tc class add dev lo classid 3:1 drr ping -c1 -W0.01 localhost # Trigger bug tc class del dev lo classid 1:1 tc class add dev lo classid 1:1 drr ping -c1 -W0.01 localhost # UaF", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-43882", "url": "https://ubuntu.com/security/CVE-2024-43882", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: exec: Fix ToCToU between perm check and set-uid/gid usage When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. Much later in the execve() code path, the file metadata (specifically mode, uid, and gid) is used to determine if/how to set the uid and gid. However, those values may have changed since the permissions check, meaning the execution may gain unintended privileges. 
For example, if a file could change permissions from executable and not set-id: ---------x 1 root root 16048 Aug 7 13:16 target to set-id and non-executable: ---S------ 1 root root 16048 Aug 7 13:16 target it is possible to gain root privileges when execution should have been disallowed. While this race condition is rare in real-world scenarios, it has been observed (and proven exploitable) when package managers are updating the setuid bits of installed programs. Such files start with being world-executable but then are adjusted to be group-exec with a set-uid bit. For example, \"chmod o-x,u+s target\" makes \"target\" executable only by uid \"root\" and gid \"cdrom\", while also becoming setuid-root: -rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target becomes: -rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target But racing the chmod means users without group \"cdrom\" membership can get the permission to execute \"target\" just before the chmod, and when the chmod finishes, the exec reaches brpm_fill_uid(), and performs the setuid to root, violating the expressed authorization of \"only cdrom group members can setuid to root\". Re-check that we still have execute permissions in case the metadata has changed. It would be better to keep a copy from the perm-check time, but until we can do that refactoring, the least-bad option is to do a full inode_permission() call (under inode lock). 
It is understood that this is safe against dead-locks, but hardly optimal.", "cve_priority": "high", "cve_public_date": "2024-08-21 01:15:00 UTC" } ], "log": [ "", " * jammy/linux-riscv-6.8: 6.8.0-49.49.1~22.04.1 -proposed tracker", " (LP: #2085938)", "", " [ Ubuntu: 6.8.0-49.49.1 ]", "", " * noble/linux-riscv: 6.8.0-49.49.1 -proposed tracker (LP: #2085939)", " [ Ubuntu: 6.8.0-49.49 ]", " * noble/linux: 6.8.0-49.49 -proposed tracker (LP: #2085942)", " * CVE-2024-46800", " - sch/netem: fix use after free in netem_dequeue", " * mm/folios: xfs hangs with hung task timeouts with corrupted folio pointer", " lists (LP: #2085495)", " - lib/xarray: introduce a new helper xas_get_order", " - mm/filemap: return early if failed to allocate memory for split", " - mm/filemap: optimize filemap folio adding", " * CVE-2024-43882", " - exec: Fix ToCToU between perm check and set-uid/gid usage", "" ], "package": "linux-riscv-6.8", "version": "6.8.0-49.49.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2085938, 2085939, 2085942, 2085495 ], "author": "Emil Renner Berthing ", "date": "Thu, 07 Nov 2024 13:26:02 +0100" }, { "cves": [ { "cve": "CVE-2024-43858", "url": "https://ubuntu.com/security/CVE-2024-43858", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: Fix array-index-out-of-bounds in diFree", "cve_priority": "medium", "cve_public_date": "2024-08-17 10:15:00 UTC" }, { "cve": "CVE-2024-42280", "url": "https://ubuntu.com/security/CVE-2024-42280", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mISDN: Fix a use after free in hfcmulti_tx() Don't dereference *sp after calling dev_kfree_skb(*sp).", "cve_priority": "medium", "cve_public_date": "2024-08-17 09:15:00 UTC" }, { "cve": "CVE-2024-42271", "url": "https://ubuntu.com/security/CVE-2024-42271", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/iucv: fix use after free in 
iucv_sock_close() iucv_sever_path() is called from process context and from bh context. iucv->path is used as indicator whether somebody else is taking care of severing the path (or it is already removed / never existed). This needs to be done with atomic compare and swap, otherwise there is a small window where iucv_sock_close() will try to work with a path that has already been severed and freed by iucv_callback_connrej() called by iucv_tasklet_fn(). Example: [452744.123844] Call Trace: [452744.123845] ([<0000001e87f03880>] 0x1e87f03880) [452744.123966] [<00000000d593001e>] iucv_path_sever+0x96/0x138 [452744.124330] [<000003ff801ddbca>] iucv_sever_path+0xc2/0xd0 [af_iucv] [452744.124336] [<000003ff801e01b6>] iucv_sock_close+0xa6/0x310 [af_iucv] [452744.124341] [<000003ff801e08cc>] iucv_sock_release+0x3c/0xd0 [af_iucv] [452744.124345] [<00000000d574794e>] __sock_release+0x5e/0xe8 [452744.124815] [<00000000d5747a0c>] sock_close+0x34/0x48 [452744.124820] [<00000000d5421642>] __fput+0xba/0x268 [452744.124826] [<00000000d51b382c>] task_work_run+0xbc/0xf0 [452744.124832] [<00000000d5145710>] do_notify_resume+0x88/0x90 [452744.124841] [<00000000d5978096>] system_call+0xe2/0x2c8 [452744.125319] Last Breaking-Event-Address: [452744.125321] [<00000000d5930018>] iucv_path_sever+0x90/0x138 [452744.125324] [452744.125325] Kernel panic - not syncing: Fatal exception in interrupt Note that bh_lock_sock() is not serializing the tasklet context against process context, because the check for sock_owned_by_user() and corresponding handling is missing. Ideas for a future clean-up patch: A) Correct usage of bh_lock_sock() in tasklet context, as described in Re-enqueue, if needed. This may require adding return values to the tasklet functions and thus changes to all users of iucv. 
B) Change iucv tasklet into worker and use only lock_sock() in af_iucv.", "cve_priority": "medium", "cve_public_date": "2024-08-17 09:15:00 UTC" }, { "cve": "CVE-2024-27022", "url": "https://ubuntu.com/security/CVE-2024-27022", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fork: defer linking file vma until vma is fully initialized Thorvald reported a WARNING [1]. And the root cause is below race: CPU 1 CPU 2 fork hugetlbfs_fallocate dup_mmap hugetlbfs_punch_hole i_mmap_lock_write(mapping); vma_interval_tree_insert_after -- Child vma is visible through i_mmap tree. i_mmap_unlock_write(mapping); hugetlb_dup_vma_private -- Clear vma_lock outside i_mmap_rwsem! i_mmap_lock_write(mapping); hugetlb_vmdelete_list vma_interval_tree_foreach hugetlb_vma_trylock_write -- Vma_lock is cleared. tmp->vm_ops->open -- Alloc new vma_lock outside i_mmap_rwsem! hugetlb_vma_unlock_write -- Vma_lock is assigned!!! i_mmap_unlock_write(mapping); hugetlb_dup_vma_private() and hugetlb_vm_op_open() are called outside i_mmap_rwsem lock while vma lock can be used in the same time. Fix this by deferring linking file vma until vma is fully initialized. 
Those vmas should be initialized first before they can be used.", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-41022", "url": "https://ubuntu.com/security/CVE-2024-41022", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq() The \"instance\" variable needs to be signed for the error handling to work.", "cve_priority": "medium", "cve_public_date": "2024-07-29 14:15:00 UTC" }, { "cve": "CVE-2024-45016", "url": "https://ubuntu.com/security/CVE-2024-45016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug happen: - If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. 
The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.", "cve_priority": "medium", "cve_public_date": "2024-09-11 16:15:00 UTC" } ], "log": [ "", " * jammy/linux-riscv-6.8: 6.8.0-48.48.1~22.04.2 -proposed tracker", " (LP: #2082433)", "", " * Miscellaneous Ubuntu changes", " - [Packaging] riscv: add libtraceevent build dependencies", "", " [ Ubuntu: 6.8.0-48.48.1 ]", "", " * noble/linux-riscv: 6.8.0-48.48.1 -proposed tracker (LP: #2082434)", " * Enable Microchip PIC64GX Curiosity Kit (LP: #2074082)", " - dt-bindings: clock: mpfs: add more MSSPLL output definitions", " - dt-bindings: can: mpfs: add missing required clock", " - clk: microchip: mpfs: split MSSPLL in two", " - clk: microchip: mpfs: setup for using other mss pll outputs", " - clk: microchip: mpfs: add missing MSSPLL outputs", " - clk: microchip: mpfs: convert MSSPLL outputs to clk_divider", " - riscv: dts: microchip: add missing CAN bus clocks", " - SAUCE: dt-bindings: can: mpfs: add PIC64GX CAN compatibility", " - SAUCE: dt-bindings: usb: add PIC64GX compatibility to mpfs-musb driver", " - SAUCE: dt-bindings: mbox: add PIC64GX mailbox compatibility to MPFS mailbox", " - SAUCE: dt-bindings: spi: add PIC64GX SPI/QSPI compatibility to MPFS SPI/QSPI", " bindings", " - SAUCE: dt-bindings: gpio: mpfs-gpio: Add PIC64GX GPIO compatibility", " - SAUCE: dt-bindings: cache: sifive,ccache0: add a PIC64GX compatible", " - SAUCE: dt-bindings: clock: mpfs-ccc: Add PIC64GX compatibility", " - SAUCE: dt-bindings: clock: mpfs-clkcfg: Add PIC64GX compatibility", " - SAUCE: dt-bindings: dma: sifive pdma: Add PIC64GX to compatibles", " - SAUCE: dt-bindings: i2c: microchip: corei2c: Add PIC64GX as compatible with", " driver", " - SAUCE: dt-bindings: mmc: cdns: document Microchip PIC64GX MMC/SDHCI", " controller", " - SAUCE: dt-bindings: net: cdns,macb: Add PIC64GX compatibility", " - SAUCE: dt-bindings: rtc: mfps-rtc: Add PIC64GX compatibility", 
" - SAUCE: dt-bindings: soc: microchip: mpfs-sys-controller: Add PIC64GX", " compatibility", " - SAUCE: dt-bindings: riscv: microchip: document the PIC64GX curiosity kit", " - SAUCE: dt-bindings: mmc: cdns,sdhci: ref sdhci-common.yaml", " - SAUCE: dt-bindings: timer: sifive,clint: add PIC64GX compatibility", " - SAUCE: dt-bindings: interrupt-controller: sifive,plic: Add PIC64GX", " compatibility", " - SAUCE: riscv: dts: microchip: add PIC64GX Curiosity Kit dts", " [ Ubuntu: 6.8.0-48.48 ]", " * noble/linux: 6.8.0-48.48 -proposed tracker (LP: #2082437)", " * [SRU][Noble] Bad EPP defaults cause performance regressions on select Intel", " CPUs (LP: #2077470)", " - x86/cpu/vfm: Update arch/x86/include/asm/intel-family.h", " - cpufreq: intel_pstate: Allow model specific EPPs", " - cpufreq: intel_pstate: Update default EPPs for Meteor Lake", " - cpufreq: intel_pstate: Switch to new Intel CPU model defines", " - cpufreq: intel_pstate: Update Meteor Lake EPPs", " - cpufreq: intel_pstate: Use Meteor Lake EPPs for Arrow Lake", " - cpufreq: intel_pstate: Update Balance performance EPP for Emerald Rapids", " * power: Enable intel_rapl driver (LP: #2078834)", " - powercap: intel_rapl: Add support for ArrowLake-H platform", " * x86/vmware: Add TDX hypercall support (LP: #2077729)", " - x86/vmware: Introduce VMware hypercall API", " - x86/vmware: Add TDX hypercall support", " * Guest crashes post migration with migrate_misplaced_folio+0x4cc/0x5d0", " (LP: #2076866)", " - mm/mempolicy: use numa_node_id() instead of cpu_to_node()", " - mm/numa_balancing: allow migrate on protnone reference with", " MPOL_PREFERRED_MANY policy", " - mm: convert folio_estimated_sharers() to folio_likely_mapped_shared()", " - mm: factor out the numa mapping rebuilding into a new helper", " - mm: support multi-size THP numa balancing", " - mm/migrate: make migrate_misplaced_folio() return 0 on success", " - mm/migrate: move NUMA hinting fault folio isolation + checks under PTL", " - mm: fix possible OOB 
in numa_rebuild_large_mapping()", " * Add 'mm: hold PTL from the first PTE while reclaiming a large folio' to fix", " L2 Guest hang during LTP Test (LP: #2076147)", " - mm: hold PTL from the first PTE while reclaiming a large folio", " * KOP L2 guest fails to boot with 1 core - SMT8 topology (LP: #2070329)", " - KVM: PPC: Book3S HV nestedv2: Add DPDES support in helper library for Guest", " state buffer", " - KVM: PPC: Book3S HV nestedv2: Fix doorbell emulation", " * L2 Guest migration: continuously dumping while running NFS guest migration", " (LP: #2076406)", " - KVM: PPC: Book3S HV: Fix the set_one_reg for MMCR3", " - KVM: PPC: Book3S HV: Fix the get_one_reg of SDAR", " - KVM: PPC: Book3S HV: Add one-reg interface for DEXCR register", " - KVM: PPC: Book3S HV nestedv2: Keep nested guest DEXCR in sync", " - KVM: PPC: Book3S HV: Add one-reg interface for HASHKEYR register", " - KVM: PPC: Book3S HV nestedv2: Keep nested guest HASHKEYR in sync", " - KVM: PPC: Book3S HV: Add one-reg interface for HASHPKEYR register", " - KVM: PPC: Book3S HV nestedv2: Keep nested guest HASHPKEYR in sync", " * perf build disables tracepoint support (LP: #2076190)", " - [Packaging] perf: reenable libtraceevent", " * Please backport the more restrictive XSAVES deactivation for Zen1/2 arch", " (LP: #2077321)", " - x86/CPU/AMD: Improve the erratum 1386 workaround", " * Fix alsa scarlett2 driver in 6.8 (LP: #2076402)", " - ALSA: scarlett2: Move initialisation code lower in the source", " - ALSA: scarlett2: Implement handling of the ACK notification", " * rtw89: reset IDMEM mode to prevent download firmware failure (LP: #2077396)", " - wifi: rtw89: 885xb: reset IDMEM mode to prevent download firmware failure", " * CVE-2024-43858", " - jfs: Fix array-index-out-of-bounds in diFree", " * CVE-2024-42280", " - mISDN: Fix a use after free in hfcmulti_tx()", " * CVE-2024-42271", " - net/iucv: fix use after free in iucv_sock_close()", " * [Ubuntu-24.04] FADump with recommended crash size is making 
the L1 hang", " (LP: #2060039)", " - powerpc/64s/radix/kfence: map __kfence_pool at page granularity", " * Noble update: upstream stable patchset 2024-09-09 (LP: #2079945)", " - ocfs2: add bounds checking to ocfs2_check_dir_entry()", " - jfs: don't walk off the end of ealist", " - fs/ntfs3: Add a check for attr_names and oatbl", " - fs/ntfs3: Validate ff offset", " - usb: gadget: midi2: Fix incorrect default MIDI2 protocol setup", " - ALSA: hda/realtek: Enable headset mic on Positivo SU C1400", " - ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360", " - arm64: dts: qcom: qrb4210-rb2: switch I2C2 to i2c-gpio", " - arm64: dts: qcom: msm8996: Disable SS instance in Parkmode for USB", " - arm64: dts: qcom: sm6350: Disable SS instance in Parkmode for USB", " - arm64: dts: qcom: ipq6018: Disable SS instance in Parkmode for USB", " - arm64: dts: qcom: sdm630: Disable SS instance in Parkmode for USB", " - ALSA: pcm_dmaengine: Don't synchronize DMA channel when DMA is paused", " - ALSA: seq: ump: Skip useless ports for static blocks", " - filelock: Fix fcntl/close race recovery compat path", " - tun: add missing verification for short frame", " - tap: add missing verification for short frame", " - s390/mm: Fix VM_FAULT_HWPOISON handling in do_exception()", " - ALSA: hda/tas2781: Add new quirk for Lenovo Hera2 Laptop", " - arm64: dts: qcom: sc7180: Disable SuperSpeed instances in park mode", " - arm64: dts: qcom: sc7280: Disable SuperSpeed instances in park mode", " - arm64: dts: qcom: qrb2210-rb1: switch I2C2 to i2c-gpio", " - arm64: dts: qcom: msm8998: Disable SS instance in Parkmode for USB", " - arm64: dts: qcom: ipq8074: Disable SS instance in Parkmode for USB", " - arm64: dts: qcom: sdm845: Disable SS instance in Parkmode for USB", " - Upstream stable to v6.6.43, v6.9.12", " * Noble update: upstream stable patchset 2024-09-02 (LP: #2078304)", " - filelock: Remove locks reliably when fcntl/close race is detected", " - scsi: core: alua: I/O errors 
for ALUA state transitions", " - scsi: sr: Fix unintentional arithmetic wraparound", " - scsi: qedf: Don't process stag work during unload and recovery", " - scsi: qedf: Wait for stag work during unload", " - scsi: qedf: Set qed_slowpath_params to zero before use", " - efi/libstub: zboot.lds: Discard .discard sections", " - ACPI: EC: Abort address space access upon error", " - ACPI: EC: Avoid returning AE_OK on errors in address space handler", " - tools/power/cpupower: Fix Pstate frequency reporting on AMD Family 1Ah CPUs", " - wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata", " - wifi: mac80211: apply mcast rate only if interface is up", " - wifi: mac80211: handle tasklet frames before stopping", " - wifi: cfg80211: fix 6 GHz scan request building", " - wifi: iwlwifi: mvm: d3: fix WoWLAN command version lookup", " - wifi: iwlwifi: mvm: remove stale STA link data during restart", " - wifi: iwlwifi: mvm: Handle BIGTK cipher in kek_kck cmd", " - wifi: iwlwifi: mvm: handle BA session teardown in RF-kill", " - wifi: iwlwifi: mvm: properly set 6 GHz channel direct probe option", " - wifi: iwlwifi: mvm: Fix scan abort handling with HW rfkill", " - wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan()", " - selftests: cachestat: Fix build warnings on ppc64", " - selftests/openat2: Fix build warnings on ppc64", " - selftests/futex: pass _GNU_SOURCE without a value to the compiler", " - of/irq: Factor out parsing of interrupt-map parent phandle+args from", " of_irq_parse_raw()", " - Input: silead - Always support 10 fingers", " - net: ipv6: rpl_iptunnel: block BH in rpl_output() and rpl_input()", " - ila: block BH in ila_output()", " - arm64: armv8_deprecated: Fix warning in isndep cpuhp starting process", " - null_blk: fix validation of block size", " - kconfig: gconf: give a proper initial state to the Save button", " - kconfig: remove wrong expr_trans_bool()", " - input: Add event code for accessibility key", " - input: Add support for 
\"Do Not Disturb\"", " - HID: Ignore battery for ELAN touchscreens 2F2C and 4116", " - NFSv4: Fix memory leak in nfs4_set_security_label", " - nfs: propagate readlink errors in nfs_symlink_filler", " - nfs: Avoid flushing many pages with NFS_FILE_SYNC", " - nfs: don't invalidate dentries on transient errors", " - cachefiles: add consistency check for copen/cread", " - cachefiles: Set object to close if ondemand_id < 0 in copen", " - cachefiles: make on-demand read killable", " - fs/file: fix the check in find_next_fd()", " - mei: demote client disconnect warning on suspend to debug", " - iomap: Fix iomap_adjust_read_range for plen calculation", " - drm/exynos: dp: drop driver owner initialization", " - drm: panel-orientation-quirks: Add quirk for Aya Neo KUN", " - drm/mediatek: Call drm_atomic_helper_shutdown() at shutdown time", " - nvme: avoid double free special payload", " - nvmet: always initialize cqe.result", " - ALSA: hda: cs35l56: Fix lifecycle of codec pointer", " - wifi: cfg80211: wext: add extra SIOCSIWSCAN data check", " - ALSA: hda/realtek: Support Lenovo Thinkbook 16P Gen 5", " - KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()", " - drm/vmwgfx: Fix missing HYPERVISOR_GUEST dependency", " - ALSA: hda/realtek: Add more codec ID to no shutup pins list", " - spi: Fix OCTAL mode support", " - cpumask: limit FORCE_NR_CPUS to just the UP case", " - [Config] Remove FORCE_NR_CPUS", " - selftests: openvswitch: Set value to nla flags.", " - drm/amdgpu: Indicate CU havest info to CP", " - ALSA: hda: cs35l56: Select SERIAL_MULTI_INSTANTIATE", " - mips: fix compat_sys_lseek syscall", " - Input: elantech - fix touchpad state on resume for Lenovo N24", " - Input: i8042 - add Ayaneo Kun to i8042 quirk table", " - ASoC: rt722-sdca-sdw: add silence detection register as volatile", " - Input: xpad - add support for ASUS ROG RAIKIRI PRO", " - ASoC: topology: Fix references to freed memory", " - ASoC: topology: Do not assign fields that are already 
set", " - bytcr_rt5640 : inverse jack detect for Archos 101 cesium", " - ALSA: dmaengine: Synchronize dma channel after drop()", " - ASoC: ti: davinci-mcasp: Set min period size using FIFO config", " - ASoC: ti: omap-hdmi: Fix too long driver name", " - ASoC: SOF: sof-audio: Skip unprepare for in-use widgets on error rollback", " - ASoC: rt722-sdca-sdw: add debounce time for type detection", " - nvme: fix NVME_NS_DEAC may incorrectly identifying the disk as EXT_LBA.", " - Input: ads7846 - use spi_device_id table", " - can: kvaser_usb: fix return value for hif_usb_send_regout", " - gpio: pca953x: fix pca953x_irq_bus_sync_unlock race", " - octeontx2-pf: Fix coverity and klockwork issues in octeon PF driver", " - s390/sclp: Fix sclp_init() cleanup on failure", " - platform/mellanox: nvsw-sn2201: Add check for platform_device_add_resources", " - platform/x86: wireless-hotkey: Add support for LG Airplane Button", " - platform/x86: lg-laptop: Remove LGEX0815 hotkey handling", " - platform/x86: lg-laptop: Change ACPI device id", " - platform/x86: lg-laptop: Use ACPI device handle when evaluating WMAB/WMBB", " - btrfs: qgroup: fix quota root leak after quota disable failure", " - ibmvnic: Add tx check to prevent skb leak", " - ALSA: PCM: Allow resume only for suspended streams", " - ALSA: hda/relatek: Enable Mute LED on HP Laptop 15-gw0xxx", " - ALSA: dmaengine_pcm: terminate dmaengine before synchronize", " - ASoC: amd: yc: Fix non-functional mic on ASUS M5602RA", " - net: usb: qmi_wwan: add Telit FN912 compositions", " - net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and", " DEV_STATS_ADD()", " - powerpc/pseries: Whitelist dtl slub object for copying to userspace", " - powerpc/eeh: avoid possible crash when edev->pdev changes", " - scsi: libsas: Fix exp-attached device scan after probe failure scanned in", " again after probe failed", " - tee: optee: ffa: Fix missing-field-initializers warning", " - Bluetooth: hci_core: cancel all works upon 
hci_unregister_dev()", " - Bluetooth: btnxpuart: Enable Power Save feature on startup", " - bluetooth/l2cap: sync sock recv cb and release", " - erofs: ensure m_llen is reset to 0 if metadata is invalid", " - drm/amd/display: Add refresh rate range check", " - drm/amd/display: Account for cursor prefetch BW in DML1 mode support", " - drm/amd/display: Fix refresh rate range for some panel", " - drm/radeon: check bo_va->bo is non-NULL before using it", " - fs: better handle deep ancestor chains in is_subdir()", " - wifi: iwlwifi: properly set WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK", " - drivers/perf: riscv: Reset the counter to hpmevent mapping while starting", " cpus", " - riscv: stacktrace: fix usage of ftrace_graph_ret_addr()", " - spi: imx: Don't expect DMA for i.MX{25,35,50,51,53} cspi devices", " - ksmbd: return FILE_DEVICE_DISK instead of super magic", " - ASoC: SOF: Intel: hda-pcm: Limit the maximum number of periods by", " MAX_BDL_ENTRIES", " - selftest/timerns: fix clang build failures for abs() calls", " - selftests/vDSO: fix clang build errors and warnings", " - hfsplus: fix uninit-value in copy_name", " - selftests/bpf: Extend tcx tests to cover late tcx_entry release", " - spi: mux: set ctlr->bits_per_word_mask", " - ALSA: hda: Use imply for suggesting CONFIG_SERIAL_MULTI_INSTANTIATE", " - [Config] Update CONFIG_SERIAL_MULTI_INSTANTIATE", " - cifs: fix noisy message on copy_file_range", " - Bluetooth: L2CAP: Fix deadlock", " - of/irq: Disable \"interrupt-map\" parsing for PASEMI Nemo", " - wifi: cfg80211: wext: set ssids=NULL for passive scans", " - wifi: mac80211: disable softirqs for queued frame handling", " - wifi: iwlwifi: mvm: don't wake up rx_sync_waitq upon RFKILL", " - cachefiles: fix slab-use-after-free in fscache_withdraw_volume()", " - cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()", " - btrfs: ensure fast fsync waits for ordered extents after a write failure", " - PNP: Hide pnp_bus_type from the non-PNP code", " - ACPI: AC: 
Properly notify powermanagement core about changes", " - selftests/overlayfs: Fix build error on ppc64", " - nvme-fabrics: use reserved tag for reg read/write command", " - LoongArch: Fix GMAC's phy-mode definitions in dts", " - io_uring: fix possible deadlock in io_register_iowq_max_workers()", " - vfio: Create vfio_fs_type with inode per device", " - vfio/pci: Use unmap_mapping_range()", " - parport: amiga: Mark driver struct with __refdata to prevent section", " mismatch", " - drm: renesas: shmobile: Call drm_atomic_helper_shutdown() at shutdown time", " - vfio/pci: Insert full vma on mmap'd MMIO fault", " - ALSA: hda: cs35l41: Support Lenovo Thinkbook 16P Gen 5", " - ALSA: hda: cs35l41: Support Lenovo Thinkbook 13x Gen 4", " - ALSA: hda/realtek: Support Lenovo Thinkbook 13x Gen 4", " - wifi: mac80211: Avoid address calculations via out of bounds array indexing", " - drm/amd/display: change dram_clock_latency to 34us for dcn35", " - closures: Change BUG_ON() to WARN_ON()", " - ASoC: codecs: ES8326: Solve headphone detection issue", " - ASoC: Intel: avs: Fix route override", " - net: mvpp2: fill-in dev_port attribute", " - btrfs: scrub: handle RST lookup error correctly", " - clk: qcom: apss-ipq-pll: remove 'config_ctl_hi_val' from Stromer pll configs", " - drm/amd/display: Update efficiency bandwidth for dcn351", " - drm/amd/display: Fix array-index-out-of-bounds in dml2/FCLKChangeSupport", " - btrfs: fix uninitialized return value in the ref-verify tool", " - spi: davinci: Unset POWERDOWN bit when releasing resources", " - mm: page_ref: remove folio_try_get_rcu()", " - ALSA: hda: cs35l41: Fix swapped l/r audio channels for Lenovo ThinBook 13x", " Gen4", " - netfs, fscache: export fscache_put_volume() and add fscache_try_get_volume()", " - Upstream stable to v6.6.42, v6.9.11", " * CVE-2024-27022", " - Revert \"Revert \"fork: defer linking file vma until vma is fully", " initialized\"\"", " * UBSAN: array-index-out-of-bounds in /build/linux-Z1RxaK/linux-", " 
6.8.0/drivers/gpu/drm/amd/amdgpu/../pm/powerplay/hwmgr/processpptables.c:124", " 9:61 (LP: #2078041)", " - drm/amdgpu/pptable: convert some variable sized arrays to [] style", " - drm/amdgpu: convert some variable sized arrays to [] style", " - drm/amdgpu/pptable: Fix UBSAN array-index-out-of-bounds", " * alsa: Headphone and Speaker couldn't output sound intermittently", " (LP: #2077690)", " - ALSA: hda/realtek - Fixed ALC256 headphone no sound", " - ALSA: hda/realtek - FIxed ALC285 headphone no sound", " * Fix ethernet performance on JSL and EHL (LP: #2077858)", " - intel_idle: Disable promotion to C1E on Jasper Lake and Elkhart Lake", " * Noble update: upstream stable patchset 2024-08-29 (LP: #2078289)", " - Revert \"usb: xhci: prevent potential failure in handle_tx_event() for", " Transfer events without TRB\"", " - Compiler Attributes: Add __uninitialized macro", " - mm: prevent derefencing NULL ptr in pfn_section_valid()", " - scsi: ufs: core: Fix ufshcd_clear_cmd racing issue", " - scsi: ufs: core: Fix ufshcd_abort_one racing issue", " - vfio/pci: Init the count variable in collecting hot-reset devices", " - cachefiles: propagate errors from vfs_getxattr() to avoid infinite loop", " - cachefiles: stop sending new request when dropping object", " - cachefiles: cancel all requests for the object that is being dropped", " - cachefiles: wait for ondemand_object_worker to finish when dropping object", " - cachefiles: cyclic allocation of msg_id to avoid reuse", " - cachefiles: add missing lock protection when polling", " - dsa: lan9303: Fix mapping between DSA port number and PHY address", " - filelock: fix potential use-after-free in posix_lock_inode", " - fs/dcache: Re-use value stored to dentry->d_flags instead of re-reading", " - vfs: don't mod negative dentry count when on shrinker list", " - net: bcmasp: Fix error code in probe()", " - tcp: fix incorrect undo caused by DSACK of TLP retransmit", " - bpf: Fix too early release of tcx_entry", " - net: phy: 
microchip: lan87xx: reinit PHY after cable test", " - skmsg: Skip zero length skb in sk_msg_recvmsg", " - octeontx2-af: Fix incorrect value output on error path in", " rvu_check_rsrc_availability()", " - net: fix rc7's __skb_datagram_iter()", " - i40e: Fix XDP program unloading while removing the driver", " - net: ethernet: lantiq_etop: fix double free in detach", " - bpf: fix order of args in call to bpf_map_kvcalloc", " - bpf: make timer data struct more generic", " - bpf: replace bpf_timer_init with a generic helper", " - bpf: Fail bpf_timer_cancel when callback is being cancelled", " - net: ethernet: mtk-star-emac: set mac_managed_pm when probing", " - ppp: reject claimed-as-LCP but actually malformed packets", " - ethtool: netlink: do not return SQI value if link is down", " - udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().", " - net, sunrpc: Remap EPERM in case of connection failure in", " xs_tcp_setup_socket", " - s390: Mark psw in __load_psw_mask() as __unitialized", " - arm64: dts: qcom: sc8180x: Fix LLCC reg property again", " - firmware: cs_dsp: Fix overflow checking of wmfw header", " - firmware: cs_dsp: Return error if block header overflows file", " - firmware: cs_dsp: Validate payload length before processing block", " - firmware: cs_dsp: Prevent buffer overrun when processing V2 alg headers", " - ASoC: SOF: Intel: hda: fix null deref on system suspend entry", " - firmware: cs_dsp: Use strnlen() on name fields in V1 wmfw files", " - ARM: davinci: Convert comma to semicolon", " - octeontx2-af: replace cpt slot with lf id on reg write", " - octeontx2-af: fix a issue with cpt_lf_alloc mailbox", " - octeontx2-af: fix detection of IP layer", " - octeontx2-af: fix issue with IPv6 ext match for RSS", " - octeontx2-af: fix issue with IPv4 match for RSS", " - cifs: fix setting SecurityFlags to true", " - Revert \"sched/fair: Make sure to try to detach at least one movable task\"", " - tcp: avoid too many retransmit packets", " - net: ks8851: Fix 
deadlock with the SPI chip variant", " - net: ks8851: Fix potential TX stall after interface reopen", " - USB: serial: option: add Telit generic core-dump composition", " - USB: serial: option: add Telit FN912 rmnet compositions", " - USB: serial: option: add Fibocom FM350-GL", " - USB: serial: option: add support for Foxconn T99W651", " - USB: serial: option: add Netprisma LCUK54 series modules", " - USB: serial: option: add Rolling RW350-GL variants", " - USB: serial: mos7840: fix crash on resume", " - USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k", " - usb: dwc3: pci: add support for the Intel Panther Lake", " - usb: gadget: configfs: Prevent OOB read/write in usb_string_copy()", " - USB: core: Fix duplicate endpoint bug by clearing reserved bits in the", " descriptor", " - misc: microchip: pci1xxxx: Fix return value of nvmem callbacks", " - hpet: Support 32-bit userspace", " - xhci: always resume roothubs if xHC was reset during resume", " - s390/mm: Add NULL pointer check to crst_table_free() base_crst_free()", " - mm: vmalloc: check if a hash-index is in cpu_possible_mask", " - mm/filemap: skip to create PMD-sized page cache if needed", " - mm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray", " - ksmbd: discard write access to the directory open", " - iio: trigger: Fix condition for own trigger", " - arm64: dts: qcom: sa8775p: Correct IRQ number of EL2 non-secure physical", " timer", " - arm64: dts: qcom: sc8280xp-x13s: fix touchscreen power on", " - nvmem: rmem: Fix return value of rmem_read()", " - nvmem: meson-efuse: Fix return value of nvmem callbacks", " - nvmem: core: only change name to fram for current attribute", " - platform/x86: toshiba_acpi: Fix array out-of-bounds access", " - tty: serial: ma35d1: Add a NULL check for of_node", " - ALSA: hda/realtek: add quirk for Clevo V5[46]0TU", " - ALSA: hda/realtek: Enable Mute LED on HP 250 G7", " - ALSA: hda/realtek: Limit mic boost on VAIO PRO PX", " - Fix userfaultfd_api to return EINVAL 
as expected", " - pmdomain: qcom: rpmhpd: Skip retention level for Power Domains", " - libceph: fix race between delayed_work() and ceph_monc_stop()", " - ACPI: processor_idle: Fix invalid comparison with insertion sort for latency", " - cpufreq: ACPI: Mark boost policy as enabled when setting boost", " - cpufreq: Allow drivers to advertise boost enabled", " - wireguard: selftests: use acpi=off instead of -no-acpi for recent QEMU", " - wireguard: allowedips: avoid unaligned 64-bit memory accesses", " - wireguard: queueing: annotate intentional data race in cpu round robin", " - wireguard: send: annotate intentional data race in checking empty queue", " - misc: fastrpc: Fix DSP capabilities request", " - misc: fastrpc: Avoid updating PD type for capability request", " - misc: fastrpc: Copy the complete capability structure to user", " - misc: fastrpc: Fix memory leak in audio daemon attach operation", " - misc: fastrpc: Fix ownership reassignment of remote heap", " - misc: fastrpc: Restrict untrusted app to attach to privileged PD", " - mm/shmem: disable PMD-sized page cache if needed", " - mm/damon/core: merge regions aggressively when max_nr_regions is unmet", " - selftests/net: fix gro.c compilation failure due to non-existent", " opt_ipproto_off", " - ext4: avoid ptr null pointer dereference", " - sched: Move psi_account_irqtime() out of update_rq_clock_task() hotpath", " - i2c: rcar: bring hardware to known state when probing", " - i2c: mark HostNotify target address as used", " - i2c: rcar: ensure Gen3+ reset does not disturb local targets", " - i2c: testunit: avoid re-issued work after read message", " - i2c: rcar: clear NO_RXDMA flag after resetting", " - x86/bhi: Avoid warning in #DB handler due to BHI mitigation", " - kbuild: Make ld-version.sh more robust against version string changes", " - spi: axi-spi-engine: fix sleep calculation", " - minixfs: Fix minixfs_rename with HIGHMEM", " - bpf: Defer work in bpf_timer_cancel_and_free", " - netfilter: 
nf_tables: prefer nft_chain_validate", " - arm64: dts: qcom: x1e80100-*: Allocate some CMA buffers", " - arm64: dts: qcom: sm6115: add iommu for sdhc_1", " - arm64: dts: qcom: qdu1000: Fix LLCC reg property", " - net: ethtool: Fix RSS setting", " - nilfs2: fix kernel bug on rename operation of broken directory", " - cachestat: do not flush stats in recency check", " - mm: fix crashes from deferred split racing folio migration", " - nvmem: core: limit cell sysfs permissions to main attribute ones", " - serial: imx: ensure RTS signal is not left active after shutdown", " - mmc: sdhci: Fix max_seg_size for 64KiB PAGE_SIZE", " - mmc: davinci_mmc: Prevent transmitted data size from exceeding sgm's length", " - mm/readahead: limit page cache size in page_cache_ra_order()", " - Revert \"dt-bindings: cache: qcom,llcc: correct QDU1000 reg entries\"", " - sched/deadline: Fix task_struct reference leak", " - Upstream stable to v6.6.40, v6.6.41, v6.9.10", " * [SRU][HPE 24.04] Intel FVL NIC FW flash fails with inbox driver, causing", " driver not detected (LP: #2076675) // Noble update: upstream stable patchset", " 2024-08-29 (LP: #2078289)", " - i40e: fix: remove needless retries of NVM update", " * CVE-2024-41022", " - drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()", " * Deadlock occurs while suspending md raid (LP: #2073695)", " - md: change the return value type of md_write_start to void", " - md: fix deadlock between mddev_suspend and flush bio", " * Lenovo X12 Detachable Gen 2 unresponsive under light load (LP: #2076361)", " - drm/i915: Enable Wa_16019325821", " - drm/i915/guc: Add support for w/a KLVs", " - drm/i915/guc: Enable Wa_14019159160", " * Regression: unable to reach low idle states on Tiger Lake (LP: #2072679)", " - SAUCE: PCI: ASPM: Allow OS to configure ASPM where BIOS is incapable of", " - SAUCE: PCI: vmd: Let OS control ASPM for devices under VMD domain", " * Noble update: upstream stable patchset 2024-08-22 (LP: #2077600)", " - 
locking/mutex: Introduce devm_mutex_init()", " - leds: an30259a: Use devm_mutex_init() for mutex initialization", " - crypto: hisilicon/debugfs - Fix debugfs uninit process issue", " - drm/lima: fix shared irq handling on driver remove", " - powerpc: Avoid nmi_enter/nmi_exit in real mode interrupt.", " - media: dvb: as102-fe: Fix as10x_register_addr packing", " - media: dvb-usb: dib0700_devices: Add missing release_firmware()", " - IB/core: Implement a limit on UMAD receive List", " - scsi: qedf: Make qedf_execute_tmf() non-preemptible", " - selftests/bpf: adjust dummy_st_ops_success to detect additional error", " - selftests/bpf: do not pass NULL for non-nullable params in dummy_st_ops", " - selftests/bpf: dummy_st_ops should reject 0 for non-nullable params", " - RISC-V: KVM: Fix the initial sample period value", " - crypto: aead,cipher - zeroize key buffer after use", " - media: mediatek: vcodec: Only free buffer VA that is not NULL", " - drm/amdgpu: Fix uninitialized variable warnings", " - drm/amdgpu: Initialize timestamp for some legacy SOCs", " - drm/amd/display: Check index msg_id before read or write", " - drm/amd/display: Check pipe offset before setting vblank", " - drm/amd/display: Skip finding free audio for unknown engine_id", " - drm/amd/display: Fix uninitialized variables in DM", " - drm/amdgpu: fix uninitialized scalar variable warning", " - drm/amdgpu: fix the warning about the expression (int)size - len", " - media: dw2102: Don't translate i2c read into write", " - riscv: Apply SiFive CIP-1200 workaround to single-ASID sfence.vma", " - sctp: prefer struct_size over open coded arithmetic", " - firmware: dmi: Stop decoding on broken entry", " - Input: ff-core - prefer struct_size over open coded arithmetic", " - wifi: mt76: replace skb_put with skb_put_zero", " - wifi: mt76: mt7996: add sanity checks for background radar trigger", " - thermal/drivers/mediatek/lvts_thermal: Check NULL ptr on lvts_data", " - media: dvb-frontends: tda18271c2dd: 
Remove casting during div", " - media: s2255: Use refcount_t instead of atomic_t for num_channels", " - media: dvb-frontends: tda10048: Fix integer overflow", " - i2c: i801: Annotate apanel_addr as __ro_after_init", " - powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for CONFIG_PCI=n", " - orangefs: fix out-of-bounds fsid access", " - kunit: Fix timeout message", " - powerpc/xmon: Check cpu id in commands \"c#\", \"dp#\" and \"dx#\"", " - selftests/net: fix uninitialized variables", " - igc: fix a log entry using uninitialized netdev", " - bpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD", " - serial: imx: Raise TX trigger level to 8", " - jffs2: Fix potential illegal address access in jffs2_free_inode", " - s390/pkey: Wipe sensitive data on failure", " - btrfs: scrub: initialize ret in scrub_simple_mirror() to fix compilation", " warning", " - cdrom: rearrange last_media_change check to avoid unintentional overflow", " - tools/power turbostat: Remember global max_die_id", " - vhost: Use virtqueue mutex for swapping worker", " - vhost: Release worker mutex during flushes", " - vhost_task: Handle SIGKILL by flushing work and exiting", " - mac802154: fix time calculation in ieee802154_configure_durations()", " - net: phy: phy_device: Fix PHY LED blinking code comment", " - UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open()", " - net/mlx5: E-switch, Create ingress ACL when needed", " - net/mlx5e: Add mqprio_rl cleanup and free in mlx5e_priv_cleanup()", " - Bluetooth: hci_event: Fix setting of unicast qos interval", " - Bluetooth: Ignore too large handle values in BIG", " - Bluetooth: ISO: Check socket flag instead of hcon", " - bluetooth/hci: disallow setting handle bigger than HCI_CONN_HANDLE_MAX", " - KVM: s390: fix LPSWEY handling", " - e1000e: Fix S0ix residency on corporate systems", " - gpiolib: of: fix lookup quirk for MIPS Lantiq", " - net: allow skb_datagram_iter to be called from any context", " - net: txgbe: initialize 
num_q_vectors for MSI/INTx interrupts", " - net: ntb_netdev: Move ntb_netdev_rx_handler() to call netif_rx() from", " __netif_rx()", " - gpio: mmio: do not calculate bgpio_bits via \"ngpios\"", " - wifi: wilc1000: fix ies_len type in connect path", " - riscv: kexec: Avoid deadlock in kexec crash path", " - netfilter: nf_tables: unconditionally flush pending work before notifier", " - bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()", " - selftests: fix OOM in msg_zerocopy selftest", " - selftests: make order checking verbose in msg_zerocopy selftest", " - inet_diag: Initialize pad field in struct inet_diag_req_v2", " - mlxsw: core_linecards: Fix double memory deallocation in case of invalid INI", " file", " - gpiolib: of: add polarity quirk for TSC2005", " - cpu: Fix broken cmdline \"nosmp\" and \"maxcpus=0\"", " - platform/x86: toshiba_acpi: Fix quickstart quirk handling", " - Revert \"igc: fix a log entry using uninitialized netdev\"", " - nilfs2: fix inode number range checks", " - nilfs2: add missing check for inode numbers on directory entries", " - mm: optimize the redundant loop of mm_update_owner_next()", " - mm: avoid overflows in dirty throttling logic", " - btrfs: fix adding block group to a reclaim list and the unused list during", " reclaim", " - scsi: mpi3mr: Use proper format specifier in mpi3mr_sas_port_add()", " - Bluetooth: hci_bcm4377: Fix msgid release", " - Bluetooth: qca: Fix BT enable failure again for QCA6390 after warm reboot", " - can: kvaser_usb: Explicitly initialize family in leafimx driver_info struct", " - fsnotify: Do not generate events for O_PATH file descriptors", " - Revert \"mm/writeback: fix possible divide-by-zero in wb_dirty_limits(),", " again\"", " - drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes", " - drm/amdgpu/atomfirmware: silence UBSAN warning", " - drm: panel-orientation-quirks: Add quirk for Valve Galileo", " - clk: qcom: gcc-ipq9574: Add BRANCH_HALT_VOTED flag", " - clk: 
sunxi-ng: common: Don't call hw_to_ccu_common on hw without common", " - powerpc/pseries: Fix scv instruction crash with kexec", " - powerpc/64s: Fix unnecessary copy to 0 when kernel is booted at address 0", " - mtd: rawnand: Ensure ECC configuration is propagated to upper layers", " - mtd: rawnand: Fix the nand_read_data_op() early check", " - mtd: rawnand: Bypass a couple of sanity checks during NAND identification", " - mtd: rawnand: rockchip: ensure NVDDR timings are rejected", " - net: stmmac: dwmac-qcom-ethqos: fix error array size", " - arm64: dts: rockchip: Fix the DCDC_REG2 minimum voltage on Quartz64 Model B", " - media: dw2102: fix a potential buffer overflow", " - clk: qcom: gcc-sm6350: Fix gpll6* & gpll7 parents", " - clk: qcom: clk-alpha-pll: set ALPHA_EN bit for Stromer Plus PLLs", " - clk: mediatek: mt8183: Only enable runtime PM on mt8183-mfgcfg", " - i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr", " - fs/ntfs3: Mark volume as dirty if xattr is broken", " - ALSA: hda/realtek: Enable headset mic of JP-IK LEAP W502 with ALC897", " - vhost-scsi: Handle vhost_vq_work_queue failures for events", " - nvme-multipath: find NUMA path only for online numa-node", " - dma-mapping: benchmark: avoid needless copy_to_user if benchmark fails", " - connector: Fix invalid conversion in cn_proc.h", " - nvme: adjust multiples of NVME_CTRL_PAGE_SIZE in offset", " - regmap-i2c: Subtract reg size from max_write", " - platform/x86: touchscreen_dmi: Add info for GlobalSpace SolT IVW 11.6\"", " tablet", " - platform/x86: touchscreen_dmi: Add info for the EZpad 6s Pro", " - nvmet: fix a possible leak when destroy a ctrl during qp establishment", " - kbuild: fix short log for AS in link-vmlinux.sh", " - nfc/nci: Add the inconsistency check between the input data length and count", " - spi: cadence: Ensure data lines set to low during dummy-cycle period", " - ALSA: ump: Set default protocol when not given explicitly", " - drm/amdgpu: silence UBSAN 
warning", " - null_blk: Do not allow runt zone with zone capacity smaller then zone size", " - nilfs2: fix incorrect inode allocation from reserved inodes", " - leds: mlxreg: Use devm_mutex_init() for mutex initialization", " - net: dql: Avoid calling BUG() when WARN() is enough", " - drm/xe: Add outer runtime_pm protection to xe_live_ktest@xe_dma_buf", " - bpf: mark bpf_dummy_struct_ops.test_1 parameter as nullable", " - drm/amdgpu: fix double free err_addr pointer warnings", " - drm/amd/display: Fix overlapping copy within dml_core_mode_programming", " - drm/amd/display: update pipe topology log to support subvp", " - drm/amd/display: Do not return negative stream id for array", " - drm/amd/display: ASSERT when failing to find index by plane/stream id", " - usb: xhci: prevent potential failure in handle_tx_event() for Transfer", " events without TRB", " - media: i2c: st-mipid02: Use the correct div function", " - media: tc358746: Use the correct div_ function", " - crypto: hisilicon/sec2 - fix for register offset", " - s390/pkey: Use kfree_sensitive() to fix Coccinelle warnings", " - s390/pkey: Wipe copies of clear-key structures on failure", " - s390/pkey: Wipe copies of protected- and secure-keys", " - wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values", " - wifi: mac80211: fix BSS_CHANGED_UNSOL_BCAST_PROBE_RESP", " - net: txgbe: remove separate irq request for MSI and INTx", " - net: txgbe: add extra handle for MSI/INTx into thread irq handle", " - net: txgbe: free isb resources at the right time", " - btrfs: always do the basic checks for btrfs_qgroup_inherit structure", " - net: phy: aquantia: add missing include guards", " - drm/fbdev-generic: Fix framebuffer on big endian devices", " - net: stmmac: enable HW-accelerated VLAN stripping for gmac4 only", " - net: rswitch: Avoid use-after-free in rswitch_poll()", " - ice: use proper macro for testing bit", " - drm/xe/mcr: Avoid clobbering DSS steering", " - tcp: Don't flag tcp_sk(sk)->rx_opt.saw_unknown 
for TCP AO.", " - btrfs: zoned: fix calc_available_free_space() for zoned mode", " - btrfs: fix folio refcount in __alloc_dummy_extent_buffer()", " - Bluetooth: Add quirk to ignore reserved PHY bits in LE Extended Adv Report", " - drm/xe: fix error handling in xe_migrate_update_pgtables", " - drm/ttm: Always take the bo delayed cleanup path for imported bos", " - fs: don't misleadingly warn during thaw operations", " - drm/amdkfd: Let VRAM allocations go to GTT domain on small APUs", " - drm/amdgpu: correct hbm field in boot status", " - Upstream stable to v6.6.38, v6.6.39, v6.9.9", " * Panels show garbage or flickering when i915.psr2 enabled (LP: #2069993)", " - SAUCE: drm/i915/display/psr: add a psr2 disable quirk table", " - SAUCE: drm/i915/display/psr: disable psr2 for panel_0x4d_0x10_0x93_0x15", " - SAUCE: drm/i915/display/psr: disable psr2 for panel_0x30_0xe4_0x8b_0x07", " - SAUCE: drm/i915/display/psr: disable psr2 for panel_0x30_0xe4_0x78_0x07", " - SAUCE: drm/i915/display/psr: disable psr2 for panel_0x30_0xe4_0x8c_0x07", " - SAUCE: drm/i915/display/psr: disable psr2 for panel_0x06_0xaf_0x9a_0xf9", " - SAUCE: drm/i915/display/psr: disable psr2 for panel_0x4d_0x10_0x8f_0x15", " - SAUCE: drm/i915/display/psr: disable psr2 for panel_0x06_0xaf_0xa3_0xc3", " * Random flickering with Intel i915 (Gen9 GPUs in 6th-8th gen CPUs) on Linux", " 6.8 (LP: #2062951)", " - SAUCE: iommu/intel: disable DMAR for SKL integrated gfx", " * [SRU][22.04.5]: mpi3mr driver update (LP: #2073583)", " - scsi: mpi3mr: HDB allocation and posting for hardware and firmware buffers", " - scsi: mpi3mr: Trigger support", " - scsi: mpi3mr: Add ioctl support for HDB", " - scsi: mpi3mr: Support PCI Error Recovery callback handlers", " - scsi: mpi3mr: Prevent PCI writes from driver during PCI error recovery", " - scsi: mpi3mr: Driver version update", " * Fix power consumption while using HW accelerated video decode on AMD", " platforms (LP: #2073282)", " - drm/amdgpu/vcn: identify unified queue 
in sw init", " - drm/amdgpu/vcn: not pause dpg for unified queue", " * Noble update: upstream stable patchset 2024-08-09 (LP: #2076435)", " - usb: typec: ucsi: Never send a lone connector change ack", " - usb: typec: ucsi: Ack also failed Get Error commands", " - Input: ili210x - fix ili251x_read_touch_data() return value", " - pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER", " - pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins", " - pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins", " - pinctrl: rockchip: use dedicated pinctrl type for RK3328", " - pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set", " - MIPS: pci: lantiq: restore reset gpio polarity", " - ASoC: rockchip: i2s-tdm: Fix trcm mode by setting clock on right mclk", " - ASoC: mediatek: mt8183-da7219-max98357: Fix kcontrol name collision", " - ASoC: atmel: atmel-classd: Re-add dai_link->platform to fix card init", " - workqueue: Increase worker desc's length to 32", " - ASoC: q6apm-lpass-dai: close graph on prepare errors", " - bpf: Add missed var_off setting in set_sext32_default_val()", " - bpf: Add missed var_off setting in coerce_subreg_to_size_sx()", " - s390/pci: Add missing virt_to_phys() for directed DIBV", " - ASoC: amd: acp: add a null check for chip_pdev structure", " - ASoC: amd: acp: remove i2s configuration check in acp_i2s_probe()", " - ASoC: fsl-asoc-card: set priv->pdev before using it", " - net: dsa: microchip: fix initial port flush problem", " - openvswitch: get related ct labels from its master if it is not confirmed", " - mlxsw: spectrum_buffers: Fix memory corruptions on Spectrum-4 systems", " - ibmvnic: Free any outstanding tx skbs during scrq reset", " - net: phy: micrel: add Microchip KSZ 9477 to the device table", " - net: dsa: microchip: use collision based back pressure mode", " - ice: Rebuild TC queues on VSI queue reconfiguration", " - xdp: Remove WARN() from __xdp_reg_mem_model()", " - netfilter: fix undefined reference to 
'netfilter_lwtunnel_*' when", " CONFIG_SYSCTL=n", " - btrfs: use NOFS context when getting inodes during logging and log replay", " - Fix race for duplicate reqsk on identical SYN", " - ALSA: seq: Fix missing channel at encoding RPN/NRPN MIDI2 messages", " - net: dsa: microchip: fix wrong register write when masking interrupt", " - sparc: fix old compat_sys_select()", " - sparc: fix compat recv/recvfrom syscalls", " - parisc: use correct compat recv/recvfrom syscalls", " - powerpc: restore some missing spu syscalls", " - tcp: fix tcp_rcv_fastopen_synack() to enter TCP_CA_Loss for failed TFO", " - ALSA: seq: Fix missing MSB in MIDI2 SPP conversion", " - netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data", " registers", " - net: mana: Fix possible double free in error handling path", " - drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep", " - vduse: validate block features only with block devices", " - vduse: Temporarily fail if control queue feature requested", " - x86/fpu: Fix AMD X86_BUG_FXSAVE_LEAK fixup", " - mtd: partitions: redboot: Added conversion of operands to a larger type", " - wifi: ieee80211: check for NULL in ieee80211_mle_size_ok()", " - bpf: Mark bpf prog stack with kmsan_unposion_memory in interpreter mode", " - RDMA/restrack: Fix potential invalid address access", " - net/iucv: Avoid explicit cpumask var allocation on stack", " - net/dpaa2: Avoid explicit cpumask var allocation on stack", " - crypto: ecdh - explicitly zeroize private_key", " - ALSA: emux: improve patch ioctl data validation", " - media: dvbdev: Initialize sbuf", " - irqchip/loongson: Select GENERIC_IRQ_EFFECTIVE_AFF_MASK if SMP for", " IRQ_LOONGARCH_CPU", " - soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message", " - gfs2: Fix NULL pointer dereference in gfs2_log_flush", " - drm/radeon/radeon_display: Decrease the size of allocated memory", " - nvme: fixup comment for nvme RDMA Provider Type", " - drm/panel: simple: Add 
missing display timing flags for KOE TX26D202VM0BWA", " - gpio: davinci: Validate the obtained number of IRQs", " - RISC-V: fix vector insn load/store width mask", " - drm/amdgpu: Fix pci state save during mode-1 reset", " - riscv: stacktrace: convert arch_stack_walk() to noinstr", " - gpiolib: cdev: Disallow reconfiguration without direction (uAPI v1)", " - randomize_kstack: Remove non-functional per-arch entropy filtering", " - x86: stop playing stack games in profile_pc()", " - parisc: use generic sys_fanotify_mark implementation", " - Revert \"MIPS: pci: lantiq: restore reset gpio polarity\"", " - pinctrl: qcom: spmi-gpio: drop broken pm8008 support", " - ocfs2: fix DIO failure due to insufficient transaction credits", " - nfs: drop the incorrect assertion in nfs_swap_rw()", " - mm: fix incorrect vbq reference in purge_fragmented_block", " - mmc: sdhci-pci-o2micro: Convert PCIBIOS_* return codes to errnos", " - mmc: sdhci-brcmstb: check R1_STATUS for erase/trim/discard", " - mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos", " - mmc: sdhci: Do not invert write-protect twice", " - mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro()", " - iio: xilinx-ams: Don't include ams_ctrl_channels in scan_mask", " - counter: ti-eqep: enable clock at probe", " - kbuild: doc: Update default INSTALL_MOD_DIR from extra to updates", " - kbuild: Fix build target deb-pkg: ln: failed to create hard link", " - i2c: testunit: don't erase registers after STOP", " - i2c: testunit: discard write requests while old command is running", " - ata: libata-core: Fix null pointer dereference on error", " - ata,scsi: libata-core: Do not leak memory for ata_port struct members", " - iio: adc: ad7266: Fix variable checking bug", " - iio: accel: fxls8962af: select IIO_BUFFER & IIO_KFIFO_BUF", " - iio: chemical: bme680: Fix pressure value output", " - iio: chemical: bme680: Fix calibration data variable", " - iio: chemical: bme680: Fix overflows in compensate() functions", " - iio: 
chemical: bme680: Fix sensor data read operation", " - net: usb: ax88179_178a: improve link status logs", " - usb: gadget: printer: SS+ support", " - usb: gadget: printer: fix races against disable", " - usb: musb: da8xx: fix a resource leak in probe()", " - usb: atm: cxacru: fix endpoint checking in cxacru_bind()", " - usb: dwc3: core: remove lock of otg mode during gadget suspend/resume to", " avoid deadlock", " - usb: gadget: aspeed_udc: fix device address configuration", " - usb: typec: ucsi: glink: fix child node release in probe function", " - usb: ucsi: stm32: fix command completion handling", " - usb: dwc3: core: Add DWC31 version 2.00a controller", " - usb: dwc3: core: Workaround for CSR read timeout", " - Revert \"serial: core: only stop transmit when HW fifo is empty\"", " - serial: 8250_omap: Implementation of Errata i2310", " - serial: imx: set receiver level before starting uart", " - serial: core: introduce uart_port_tx_limited_flags()", " - serial: bcm63xx-uart: fix tx after conversion to uart_port_tx_limited()", " - tty: mcf: MCF54418 has 10 UARTS", " - net: can: j1939: Initialize unused data in j1939_send_one()", " - net: can: j1939: recover socket queue on CAN bus error during BAM", " transmission", " - net: can: j1939: enhanced error handling for tightly received RTS messages", " in xtp_rx_rts_session_new", " - PCI/MSI: Fix UAF in msi_capability_init", " - cpufreq: intel_pstate: Use HWP to initialize ITMT if CPPC is missing", " - irqchip/loongson-eiointc: Use early_cpu_to_node() instead of cpu_to_node()", " - cpu/hotplug: Fix dynstate assignment in __cpuhp_setup_state_cpuslocked()", " - irqchip/loongson-liointc: Set different ISRs for different cores", " - kbuild: Install dtb files as 0644 in Makefile.dtbinst", " - sh: rework sync_file_range ABI", " - btrfs: zoned: fix initial free space detection", " - csky, hexagon: fix broken sys_sync_file_range", " - hexagon: fix fadvise64_64 calling conventions", " - drm/drm_file: Fix pid refcounting race", 
" - drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes", " - drm/fbdev-dma: Only set smem_start is enable per module option", " - drm/amdgpu: avoid using null object of framebuffer", " - drm/i915/gt: Fix potential UAF by revoke of fence registers", " - drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes", " - drm/amd/display: Send DP_TOTAL_LTTPR_CNT during detection if LTTPR is", " present", " - drm/amdgpu/atomfirmware: fix parsing of vram_info", " - batman-adv: Don't accept TT entries for out-of-spec VIDs", " - can: mcp251xfd: fix infinite loop when xmit fails", " - ata: ahci: Clean up sysfs file on error", " - ata: libata-core: Fix double free on error", " - ftruncate: pass a signed offset", " - syscalls: fix compat_sys_io_pgetevents_time64 usage", " - syscalls: fix sys_fanotify_mark prototype", " - Revert \"cpufreq: amd-pstate: Fix the inconsistency in max frequency units\"", " - mm/page_alloc: Separate THP PCP into movable and non-movable categories", " - arm64: dts: rockchip: Fix SD NAND and eMMC init on rk3308-rock-pi-s", " - arm64: dts: rockchip: Rename LED related pinctrl nodes on rk3308-rock-pi-s", " - arm64: dts: rockchip: Fix the value of `dlg,jack-det-rate` mismatch on", " rk3399-gru", " - ARM: dts: rockchip: rk3066a: add #sound-dai-cells to hdmi node", " - arm64: dts: rockchip: make poweroff(8) work on Radxa ROCK 5A", " - arm64: dts: rockchip: fix PMIC interrupt pin on ROCK Pi E", " - arm64: dts: rockchip: Add sound-dai-cells for RK3368", " - cxl/region: Move cxl_dpa_to_region() work to the region driver", " - cxl/region: Avoid null pointer dereference in region lookup", " - cxl/region: check interleave capability", " - serial: imx: only set receiver level if it is zero", " - serial: 8250_omap: Fix Errata i2310 with RX FIFO level check", " - tracing/net_sched: NULL pointer dereference in perf_trace_qdisc_reset()", " - pwm: stm32: Improve precision of calculation in .apply()", " - pwm: stm32: Fix for 
settings using period > UINT32_MAX", " - pwm: stm32: Calculate prescaler with a division instead of a loop", " - pwm: stm32: Refuse too small period requests", " - ASoC: cs42l43: Increase default type detect time and button delay", " - ASoC: amd: acp: move chip->flag variable assignment", " - bonding: fix incorrect software timestamping report", " - mlxsw: pci: Fix driver initialization with Spectrum-4", " - vxlan: Pull inner IP header in vxlan_xmit_one().", " - ASoC: mediatek: mt8195: Add platform entry for ETDM1_OUT_BE dai link", " - af_unix: Stop recv(MSG_PEEK) at consumed OOB skb.", " - af_unix: Don't stop recv(MSG_DONTWAIT) if consumed OOB skb is at the head.", " - af_unix: Don't stop recv() at consumed ex-OOB skb.", " - af_unix: Fix wrong ioctl(SIOCATMARK) when consumed OOB skb is at the head.", " - bpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro()", " - bpf: Take return from set_memory_rox() into account with", " bpf_jit_binary_lock_ro()", " - drm/xe: Fix potential integer overflow in page size calculation", " - drm/xe: Add a NULL check in xe_ttm_stolen_mgr_init", " - drm/amd/display: correct hostvm flag", " - drm/amd/display: Skip pipe if the pipe idx not set properly", " - bpf: Add a check for struct bpf_fib_lookup size", " - drm/xe/xe_devcoredump: Check NULL before assignments", " - iommu/arm-smmu-v3: Do not allow a SVA domain to be set on the wrong PASID", " - evm: Enforce signatures on unsupported filesystem for EVM_INIT_X509", " - drm/xe: Check pat.ops before dumping PAT settings", " - nvmet: do not return 'reserved' for empty TSAS values", " - nvmet: make 'tsas' attribute idempotent for RDMA", " - iommu/amd: Fix GT feature enablement again", " - gpiolib: cdev: Ignore reconfiguration without direction", " - kasan: fix bad call to unpoison_slab_object", " - mm/memory: don't require head page for do_set_pmd()", " - SUNRPC: Fix backchannel reply, again", " - Revert \"usb: gadget: u_ether: Re-attach netif device to mirror 
detachment\"", " - Revert \"usb: gadget: u_ether: Replace netif_stop_queue with", " netif_device_detach\"", " - tty: serial: 8250: Fix port count mismatch with the device", " - tty: mxser: Remove __counted_by from mxser_board.ports[]", " - nvmet-fc: Remove __counted_by from nvmet_fc_tgt_queue.fod[]", " - ata: libata-core: Add ATA_HORKAGE_NOLPM for all Crucial BX SSD1 models", " - bcachefs: Fix sb_field_downgrade validation", " - bcachefs: Fix sb-downgrade validation", " - bcachefs: Fix bch2_sb_downgrade_update()", " - bcachefs: Fix setting of downgrade recovery passes/errors", " - bcachefs: btree_gc can now handle unknown btrees", " - pwm: stm32: Fix calculation of prescaler", " - pwm: stm32: Fix error message to not describe the previous error path", " - cxl/region: Convert cxl_pmem_region_alloc to scope-based resource management", " - cxl/mem: Fix no cxl_nvd during pmem region auto-assembling", " - arm64: dts: rockchip: Fix the i2c address of es8316 on Cool Pi 4B", " - netfs: Fix netfs_page_mkwrite() to check folio->mapping is valid", " - netfs: Fix netfs_page_mkwrite() to flush conflicting data, not wait", " - Upstream stable to v6.6.37, v6.9.8", " * [UBUNTU 22.04] s390/cpum_cf: make crypto counters upward compatible", " (LP: #2074380)", " - s390/cpum_cf: make crypto counters upward compatible across machine types", " * CVE-2024-45016", " - netem: fix return value if duplicate enqueue fails", "" ], "package": "linux-riscv-6.8", "version": "6.8.0-48.48.1~22.04.2", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2082433, 2082434, 2074082, 2082437, 2077470, 2078834, 2077729, 2076866, 2076147, 2070329, 2076406, 2076190, 2077321, 2076402, 2077396, 2060039, 2079945, 2078304, 2078041, 2077690, 2077858, 2078289, 2076675, 2078289, 2073695, 2076361, 2072679, 2077600, 2069993, 2062951, 2073583, 2073282, 2076435, 2074380 ], "author": "Emil Renner Berthing ", "date": "Wed, 16 Oct 2024 20:35:45 +0200" }, { "cves": [ { "cve": "CVE-2024-45016", "url": 
"https://ubuntu.com/security/CVE-2024-45016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug to happen: - If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. 
The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.", "cve_priority": "medium", "cve_public_date": "2024-09-11 16:15:00 UTC" } ], "log": [ "", " * jammy/linux-riscv-6.8: 6.8.0-47.47.1~22.04.1 -proposed tracker", " (LP: #2082114)", "", " [ Ubuntu: 6.8.0-47.47.1 ]", "", " * noble/linux-riscv: 6.8.0-47.47.1 -proposed tracker (LP: #2082115)", " [ Ubuntu: 6.8.0-47.47 ]", " * noble/linux: 6.8.0-47.47 -proposed tracker (LP: #2082118)", " * CVE-2024-45016", " - netem: fix return value if duplicate enqueue fails", "" ], "package": "linux-riscv-6.8", "version": "6.8.0-47.47.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2082114, 2082115, 2082118 ], "author": "Emil Renner Berthing ", "date": "Wed, 09 Oct 2024 17:06:48 +0200" }, { "cves": [ { "cve": "CVE-2024-41009", "url": "https://ubuntu.com/security/CVE-2024-41009", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix overrunning reservations in ringbuf The BPF ring buffer internally is implemented as a power-of-2 sized circular buffer, with two logical and ever-increasing counters: consumer_pos is the consumer counter to show which logical position the consumer consumed the data, and producer_pos which is the producer counter denoting the amount of data reserved by all producers. Each time a record is reserved, the producer that \"owns\" the record will successfully advance producer counter. In user space each time a record is read, the consumer of the data advanced the consumer counter once it finished processing. Both counters are stored in separate pages so that from user space, the producer counter is read-only and the consumer counter is read-write. 
One aspect that simplifies and thus speeds up the implementation of both producers and consumers is how the data area is mapped twice contiguously back-to-back in the virtual memory, allowing to not take any special measures for samples that have to wrap around at the end of the circular buffer data area, because the next page after the last data page would be first data page again, and thus the sample will still appear completely contiguous in virtual memory. Each record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for book-keeping the length and offset, and is inaccessible to the BPF program. Helpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ` for the BPF program to use. Bing-Jhong and Muhammad reported that it is however possible to make a second allocated memory chunk overlapping with the first chunk and as a result, the BPF program is now able to edit first chunk's header. For example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size of 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to bpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in [0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets allocate a chunk B with size 0x3000. This will succeed because consumer_pos was edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask` check. Chunk B will be in range [0x3008,0x6010], and the BPF program is able to edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned earlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data pages. This means that chunk B at [0x4000,0x4008] is chunk A's header. bpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then locate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk B modified chunk A's header, then bpf_ringbuf_commit() refers to the wrong page and could cause a crash. 
Fix it by calculating the oldest pending_pos and check whether the range from the oldest outstanding record to the newest would span beyond the ring buffer size. If that is the case, then reject the request. We've tested with the ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh) before/after the fix and while it seems a bit slower on some benchmarks, it is still not significantly enough to matter.", "cve_priority": "medium", "cve_public_date": "2024-07-17 07:15:00 UTC" }, { "cve": "CVE-2024-42160", "url": "https://ubuntu.com/security/CVE-2024-42160", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: f2fs: check validation of fault attrs in f2fs_build_fault_attr() - It missed to check validation of fault attrs in parse_options(), let's fix to add check condition in f2fs_build_fault_attr(). - Use f2fs_build_fault_attr() in __sbi_store() to clean up code.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-42224", "url": "https://ubuntu.com/security/CVE-2024-42224", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: dsa: mv88e6xxx: Correct check for empty list Since commit a3c53be55c95 (\"net: dsa: mv88e6xxx: Support multiple MDIO busses\") mv88e6xxx_default_mdio_bus() has checked that the return value of list_first_entry() is non-NULL. This appears to be intended to guard against the list chip->mdios being empty. However, it is not the correct check as the implementation of list_first_entry is not designed to return NULL for empty lists. Instead, use list_first_entry_or_null() which does return NULL if the list is empty. Flagged by Smatch. 
Compile tested only.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-42154", "url": "https://ubuntu.com/security/CVE-2024-42154", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp_metrics: validate source addr length I don't see anything checking that TCP_METRICS_ATTR_SADDR_IPV4 is at least 4 bytes long, and the policy doesn't have an entry for this attribute at all (neither does it for IPv6 but v6 is manually validated).", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-42228", "url": "https://ubuntu.com/security/CVE-2024-42228", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. V2: To really improve the handling we would actually need to have a separate value of 0xffffffff.(Christian)", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-42159", "url": "https://ubuntu.com/security/CVE-2024-42159", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Sanitise num_phys Information is stored in mr_sas_port->phy_mask, values larger then size of this field shouldn't be allowed.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" } ], "log": [ "", " * jammy/linux-riscv-6.8: 6.8.0-45.45.1~22.04.1 -proposed tracker", " (LP: #2078096)", "", " [ Ubuntu: 6.8.0-45.45.1 ]", "", " * noble/linux-riscv: 6.8.0-45.45.1 -proposed tracker (LP: #2078097)", " [ Ubuntu: 6.8.0-45.45 ]", " * noble/linux: 6.8.0-45.45 -proposed tracker (LP: #2078100)", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.master/dkms-versions -- update from kernel-versions", " (main/s2024.08.05)", " * Noble update: upstream stable patchset 2024-08-09 (LP: #2076435) 
//", " CVE-2024-41009", " - bpf: Fix overrunning reservations in ringbuf", " * CVE-2024-42160", " - f2fs: check validation of fault attrs in f2fs_build_fault_attr()", " - f2fs: Add inline to f2fs_build_fault_attr() stub", " * Noble update: upstream stable patchset 2024-08-22 (LP: #2077600) //", " CVE-2024-42224", " - net: dsa: mv88e6xxx: Correct check for empty list", " * Noble update: upstream stable patchset 2024-08-22 (LP: #2077600) //", " CVE-2024-42154", " - tcp_metrics: validate source addr length", " * CVE-2024-42228", " - drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc", " * CVE-2024-42159", " - scsi: mpi3mr: Sanitise num_phys", "" ], "package": "linux-riscv-6.8", "version": "6.8.0-45.45.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2078096, 2078097, 2078100, 1786013, 2076435, 2077600, 2077600 ], "author": "Roxana Nicolescu ", "date": "Mon, 02 Sep 2024 11:50:42 +0200" } ], "notes": "linux-headers-6.8.0-49-generic version '6.8.0-49.49.1~22.04.1' (source package linux-riscv-6.8 version '6.8.0-49.49.1~22.04.1') was added. linux-headers-6.8.0-49-generic version '6.8.0-49.49.1~22.04.1' has the same source package name, linux-riscv-6.8, as removed package linux-headers-6.8.0-44-generic. As such we can use the source package version of the removed package, '6.8.0-44.44.1~22.04.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." 
}, { "name": "linux-image-6.8.0-49-generic", "from_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-44.44.1~22.04.1", "version": null }, "to_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-49.49.1~22.04.1", "version": "6.8.0-49.49.1~22.04.1" }, "cves": [ { "cve": "CVE-2024-46800", "url": "https://ubuntu.com/security/CVE-2024-46800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sch/netem: fix use after free in netem_dequeue If netem_dequeue() enqueues packet to inner qdisc and that qdisc returns __NET_XMIT_STOLEN. The packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, leading to the similar use-after-free as Commit e04991a48dbaf382 (\"netem: fix return value if duplicate enqueue fails\") Commands to trigger KASAN UaF: ip link add type dummy ip link set lo up ip link set dummy0 up tc qdisc add dev lo parent root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2: handle 3: drr tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0 tc class add dev lo classid 3:1 drr ping -c1 -W0.01 localhost # Trigger bug tc class del dev lo classid 1:1 tc class add dev lo classid 1:1 drr ping -c1 -W0.01 localhost # UaF", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-43882", "url": "https://ubuntu.com/security/CVE-2024-43882", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: exec: Fix ToCToU between perm check and set-uid/gid usage When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. 
Much later in the execve() code path, the file metadata (specifically mode, uid, and gid) is used to determine if/how to set the uid and gid. However, those values may have changed since the permissions check, meaning the execution may gain unintended privileges. For example, if a file could change permissions from executable and not set-id: ---------x 1 root root 16048 Aug 7 13:16 target to set-id and non-executable: ---S------ 1 root root 16048 Aug 7 13:16 target it is possible to gain root privileges when execution should have been disallowed. While this race condition is rare in real-world scenarios, it has been observed (and proven exploitable) when package managers are updating the setuid bits of installed programs. Such files start with being world-executable but then are adjusted to be group-exec with a set-uid bit. For example, \"chmod o-x,u+s target\" makes \"target\" executable only by uid \"root\" and gid \"cdrom\", while also becoming setuid-root: -rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target becomes: -rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target But racing the chmod means users without group \"cdrom\" membership can get the permission to execute \"target\" just before the chmod, and when the chmod finishes, the exec reaches bprm_fill_uid(), and performs the setuid to root, violating the expressed authorization of \"only cdrom group members can setuid to root\". Re-check that we still have execute permissions in case the metadata has changed. It would be better to keep a copy from the perm-check time, but until we can do that refactoring, the least-bad option is to do a full inode_permission() call (under inode lock). 
It is understood that this is safe against dead-locks, but hardly optimal.", "cve_priority": "high", "cve_public_date": "2024-08-21 01:15:00 UTC" }, { "cve": "CVE-2024-43858", "url": "https://ubuntu.com/security/CVE-2024-43858", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: Fix array-index-out-of-bounds in diFree", "cve_priority": "medium", "cve_public_date": "2024-08-17 10:15:00 UTC" }, { "cve": "CVE-2024-42280", "url": "https://ubuntu.com/security/CVE-2024-42280", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mISDN: Fix a use after free in hfcmulti_tx() Don't dereference *sp after calling dev_kfree_skb(*sp).", "cve_priority": "medium", "cve_public_date": "2024-08-17 09:15:00 UTC" }, { "cve": "CVE-2024-42271", "url": "https://ubuntu.com/security/CVE-2024-42271", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/iucv: fix use after free in iucv_sock_close() iucv_sever_path() is called from process context and from bh context. iucv->path is used as indicator whether somebody else is taking care of severing the path (or it is already removed / never existed). This needs to be done with atomic compare and swap, otherwise there is a small window where iucv_sock_close() will try to work with a path that has already been severed and freed by iucv_callback_connrej() called by iucv_tasklet_fn(). 
Example: [452744.123844] Call Trace: [452744.123845] ([<0000001e87f03880>] 0x1e87f03880) [452744.123966] [<00000000d593001e>] iucv_path_sever+0x96/0x138 [452744.124330] [<000003ff801ddbca>] iucv_sever_path+0xc2/0xd0 [af_iucv] [452744.124336] [<000003ff801e01b6>] iucv_sock_close+0xa6/0x310 [af_iucv] [452744.124341] [<000003ff801e08cc>] iucv_sock_release+0x3c/0xd0 [af_iucv] [452744.124345] [<00000000d574794e>] __sock_release+0x5e/0xe8 [452744.124815] [<00000000d5747a0c>] sock_close+0x34/0x48 [452744.124820] [<00000000d5421642>] __fput+0xba/0x268 [452744.124826] [<00000000d51b382c>] task_work_run+0xbc/0xf0 [452744.124832] [<00000000d5145710>] do_notify_resume+0x88/0x90 [452744.124841] [<00000000d5978096>] system_call+0xe2/0x2c8 [452744.125319] Last Breaking-Event-Address: [452744.125321] [<00000000d5930018>] iucv_path_sever+0x90/0x138 [452744.125324] [452744.125325] Kernel panic - not syncing: Fatal exception in interrupt Note that bh_lock_sock() is not serializing the tasklet context against process context, because the check for sock_owned_by_user() and corresponding handling is missing. Ideas for a future clean-up patch: A) Correct usage of bh_lock_sock() in tasklet context, as described in Re-enqueue, if needed. This may require adding return values to the tasklet functions and thus changes to all users of iucv. B) Change iucv tasklet into worker and use only lock_sock() in af_iucv.", "cve_priority": "medium", "cve_public_date": "2024-08-17 09:15:00 UTC" }, { "cve": "CVE-2024-27022", "url": "https://ubuntu.com/security/CVE-2024-27022", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fork: defer linking file vma until vma is fully initialized Thorvald reported a WARNING [1]. And the root cause is below race: CPU 1 CPU 2 fork hugetlbfs_fallocate dup_mmap hugetlbfs_punch_hole i_mmap_lock_write(mapping); vma_interval_tree_insert_after -- Child vma is visible through i_mmap tree. 
i_mmap_unlock_write(mapping); hugetlb_dup_vma_private -- Clear vma_lock outside i_mmap_rwsem! i_mmap_lock_write(mapping); hugetlb_vmdelete_list vma_interval_tree_foreach hugetlb_vma_trylock_write -- Vma_lock is cleared. tmp->vm_ops->open -- Alloc new vma_lock outside i_mmap_rwsem! hugetlb_vma_unlock_write -- Vma_lock is assigned!!! i_mmap_unlock_write(mapping); hugetlb_dup_vma_private() and hugetlb_vm_op_open() are called outside i_mmap_rwsem lock while vma lock can be used in the same time. Fix this by deferring linking file vma until vma is fully initialized. Those vmas should be initialized first before they can be used.", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-41022", "url": "https://ubuntu.com/security/CVE-2024-41022", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq() The \"instance\" variable needs to be signed for the error handling to work.", "cve_priority": "medium", "cve_public_date": "2024-07-29 14:15:00 UTC" }, { "cve": "CVE-2024-45016", "url": "https://ubuntu.com/security/CVE-2024-45016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug happen: - If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. 
- If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.", "cve_priority": "medium", "cve_public_date": "2024-09-11 16:15:00 UTC" }, { "cve": "CVE-2024-45016", "url": "https://ubuntu.com/security/CVE-2024-45016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug happen: - If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. 
The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.", "cve_priority": "medium", "cve_public_date": "2024-09-11 16:15:00 UTC" }, { "cve": "CVE-2024-41009", "url": "https://ubuntu.com/security/CVE-2024-41009", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix overrunning reservations in ringbuf The BPF ring buffer internally is implemented as a power-of-2 sized circular buffer, with two logical and ever-increasing counters: consumer_pos is the consumer counter to show which logical position the consumer consumed the data, and producer_pos which is the producer counter denoting the amount of data reserved by all producers. Each time a record is reserved, the producer that \"owns\" the record will successfully advance producer counter. In user space each time a record is read, the consumer of the data advanced the consumer counter once it finished processing. Both counters are stored in separate pages so that from user space, the producer counter is read-only and the consumer counter is read-write. One aspect that simplifies and thus speeds up the implementation of both producers and consumers is how the data area is mapped twice contiguously back-to-back in the virtual memory, allowing to not take any special measures for samples that have to wrap around at the end of the circular buffer data area, because the next page after the last data page would be first data page again, and thus the sample will still appear completely contiguous in virtual memory. Each record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for book-keeping the length and offset, and is inaccessible to the BPF program. Helpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ` for the BPF program to use. 
Bing-Jhong and Muhammad reported that it is however possible to make a second allocated memory chunk overlapping with the first chunk and as a result, the BPF program is now able to edit first chunk's header. For example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size of 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to bpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in [0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets allocate a chunk B with size 0x3000. This will succeed because consumer_pos was edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask` check. Chunk B will be in range [0x3008,0x6010], and the BPF program is able to edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned earlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data pages. This means that chunk B at [0x4000,0x4008] is chunk A's header. bpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then locate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk B modified chunk A's header, then bpf_ringbuf_commit() refers to the wrong page and could cause a crash. Fix it by calculating the oldest pending_pos and check whether the range from the oldest outstanding record to the newest would span beyond the ring buffer size. If that is the case, then reject the request. 
We've tested with the ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh) before/after the fix and while it seems a bit slower on some benchmarks, it is still not significantly enough to matter.", "cve_priority": "medium", "cve_public_date": "2024-07-17 07:15:00 UTC" }, { "cve": "CVE-2024-42160", "url": "https://ubuntu.com/security/CVE-2024-42160", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: f2fs: check validation of fault attrs in f2fs_build_fault_attr() - It missed to check validation of fault attrs in parse_options(), let's fix to add check condition in f2fs_build_fault_attr(). - Use f2fs_build_fault_attr() in __sbi_store() to clean up code.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-42224", "url": "https://ubuntu.com/security/CVE-2024-42224", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: dsa: mv88e6xxx: Correct check for empty list Since commit a3c53be55c95 (\"net: dsa: mv88e6xxx: Support multiple MDIO busses\") mv88e6xxx_default_mdio_bus() has checked that the return value of list_first_entry() is non-NULL. This appears to be intended to guard against the list chip->mdios being empty. However, it is not the correct check as the implementation of list_first_entry is not designed to return NULL for empty lists. Instead, use list_first_entry_or_null() which does return NULL if the list is empty. Flagged by Smatch. 
Compile tested only.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-42154", "url": "https://ubuntu.com/security/CVE-2024-42154", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp_metrics: validate source addr length I don't see anything checking that TCP_METRICS_ATTR_SADDR_IPV4 is at least 4 bytes long, and the policy doesn't have an entry for this attribute at all (neither does it for IPv6 but v6 is manually validated).", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-42228", "url": "https://ubuntu.com/security/CVE-2024-42228", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. V2: To really improve the handling we would actually need to have a separate value of 0xffffffff.(Christian)", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-42159", "url": "https://ubuntu.com/security/CVE-2024-42159", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Sanitise num_phys Information is stored in mr_sas_port->phy_mask, values larger then size of this field shouldn't be allowed.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2085938, 2085939, 2085942, 2085495, 2082433, 2082434, 2074082, 2082437, 2077470, 2078834, 2077729, 2076866, 2076147, 2070329, 2076406, 2076190, 2077321, 2076402, 2077396, 2060039, 2079945, 2078304, 2078041, 2077690, 2077858, 2078289, 2076675, 2078289, 2073695, 2076361, 2072679, 2077600, 2069993, 2062951, 2073583, 2073282, 2076435, 2074380, 2082114, 2082115, 2082118, 2078096, 2078097, 2078100, 1786013, 2076435, 2077600, 2077600 ], "changes": [ { "cves": [ { "cve": "CVE-2024-46800", 
"url": "https://ubuntu.com/security/CVE-2024-46800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sch/netem: fix use after free in netem_dequeue If netem_dequeue() enqueues packet to inner qdisc and that qdisc returns __NET_XMIT_STOLEN. The packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, leading to the similar use-after-free as Commit e04991a48dbaf382 (\"netem: fix return value if duplicate enqueue fails\") Commands to trigger KASAN UaF: ip link add type dummy ip link set lo up ip link set dummy0 up tc qdisc add dev lo parent root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2: handle 3: drr tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0 tc class add dev lo classid 3:1 drr ping -c1 -W0.01 localhost # Trigger bug tc class del dev lo classid 1:1 tc class add dev lo classid 1:1 drr ping -c1 -W0.01 localhost # UaF", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-43882", "url": "https://ubuntu.com/security/CVE-2024-43882", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: exec: Fix ToCToU between perm check and set-uid/gid usage When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. Much later in the execve() code path, the file metadata (specifically mode, uid, and gid) is used to determine if/how to set the uid and gid. However, those values may have changed since the permissions check, meaning the execution may gain unintended privileges. 
For example, if a file could change permissions from executable and not set-id: ---------x 1 root root 16048 Aug 7 13:16 target to set-id and non-executable: ---S------ 1 root root 16048 Aug 7 13:16 target it is possible to gain root privileges when execution should have been disallowed. While this race condition is rare in real-world scenarios, it has been observed (and proven exploitable) when package managers are updating the setuid bits of installed programs. Such files start with being world-executable but then are adjusted to be group-exec with a set-uid bit. For example, \"chmod o-x,u+s target\" makes \"target\" executable only by uid \"root\" and gid \"cdrom\", while also becoming setuid-root: -rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target becomes: -rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target But racing the chmod means users without group \"cdrom\" membership can get the permission to execute \"target\" just before the chmod, and when the chmod finishes, the exec reaches bprm_fill_uid(), and performs the setuid to root, violating the expressed authorization of \"only cdrom group members can setuid to root\". Re-check that we still have execute permissions in case the metadata has changed. It would be better to keep a copy from the perm-check time, but until we can do that refactoring, the least-bad option is to do a full inode_permission() call (under inode lock). 
It is understood that this is safe against dead-locks, but hardly optimal.", "cve_priority": "high", "cve_public_date": "2024-08-21 01:15:00 UTC" } ], "log": [ "", " * jammy/linux-riscv-6.8: 6.8.0-49.49.1~22.04.1 -proposed tracker", " (LP: #2085938)", "", " [ Ubuntu: 6.8.0-49.49.1 ]", "", " * noble/linux-riscv: 6.8.0-49.49.1 -proposed tracker (LP: #2085939)", " [ Ubuntu: 6.8.0-49.49 ]", " * noble/linux: 6.8.0-49.49 -proposed tracker (LP: #2085942)", " * CVE-2024-46800", " - sch/netem: fix use after free in netem_dequeue", " * mm/folios: xfs hangs with hung task timeouts with corrupted folio pointer", " lists (LP: #2085495)", " - lib/xarray: introduce a new helper xas_get_order", " - mm/filemap: return early if failed to allocate memory for split", " - mm/filemap: optimize filemap folio adding", " * CVE-2024-43882", " - exec: Fix ToCToU between perm check and set-uid/gid usage", "" ], "package": "linux-riscv-6.8", "version": "6.8.0-49.49.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2085938, 2085939, 2085942, 2085495 ], "author": "Emil Renner Berthing ", "date": "Thu, 07 Nov 2024 13:26:02 +0100" }, { "cves": [ { "cve": "CVE-2024-43858", "url": "https://ubuntu.com/security/CVE-2024-43858", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: Fix array-index-out-of-bounds in diFree", "cve_priority": "medium", "cve_public_date": "2024-08-17 10:15:00 UTC" }, { "cve": "CVE-2024-42280", "url": "https://ubuntu.com/security/CVE-2024-42280", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mISDN: Fix a use after free in hfcmulti_tx() Don't dereference *sp after calling dev_kfree_skb(*sp).", "cve_priority": "medium", "cve_public_date": "2024-08-17 09:15:00 UTC" }, { "cve": "CVE-2024-42271", "url": "https://ubuntu.com/security/CVE-2024-42271", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/iucv: fix use after free in 
iucv_sock_close() iucv_sever_path() is called from process context and from bh context. iucv->path is used as indicator whether somebody else is taking care of severing the path (or it is already removed / never existed). This needs to be done with atomic compare and swap, otherwise there is a small window where iucv_sock_close() will try to work with a path that has already been severed and freed by iucv_callback_connrej() called by iucv_tasklet_fn(). Example: [452744.123844] Call Trace: [452744.123845] ([<0000001e87f03880>] 0x1e87f03880) [452744.123966] [<00000000d593001e>] iucv_path_sever+0x96/0x138 [452744.124330] [<000003ff801ddbca>] iucv_sever_path+0xc2/0xd0 [af_iucv] [452744.124336] [<000003ff801e01b6>] iucv_sock_close+0xa6/0x310 [af_iucv] [452744.124341] [<000003ff801e08cc>] iucv_sock_release+0x3c/0xd0 [af_iucv] [452744.124345] [<00000000d574794e>] __sock_release+0x5e/0xe8 [452744.124815] [<00000000d5747a0c>] sock_close+0x34/0x48 [452744.124820] [<00000000d5421642>] __fput+0xba/0x268 [452744.124826] [<00000000d51b382c>] task_work_run+0xbc/0xf0 [452744.124832] [<00000000d5145710>] do_notify_resume+0x88/0x90 [452744.124841] [<00000000d5978096>] system_call+0xe2/0x2c8 [452744.125319] Last Breaking-Event-Address: [452744.125321] [<00000000d5930018>] iucv_path_sever+0x90/0x138 [452744.125324] [452744.125325] Kernel panic - not syncing: Fatal exception in interrupt Note that bh_lock_sock() is not serializing the tasklet context against process context, because the check for sock_owned_by_user() and corresponding handling is missing. Ideas for a future clean-up patch: A) Correct usage of bh_lock_sock() in tasklet context, as described in Re-enqueue, if needed. This may require adding return values to the tasklet functions and thus changes to all users of iucv. 
B) Change iucv tasklet into worker and use only lock_sock() in af_iucv.", "cve_priority": "medium", "cve_public_date": "2024-08-17 09:15:00 UTC" }, { "cve": "CVE-2024-27022", "url": "https://ubuntu.com/security/CVE-2024-27022", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fork: defer linking file vma until vma is fully initialized Thorvald reported a WARNING [1]. And the root cause is below race: CPU 1 CPU 2 fork hugetlbfs_fallocate dup_mmap hugetlbfs_punch_hole i_mmap_lock_write(mapping); vma_interval_tree_insert_after -- Child vma is visible through i_mmap tree. i_mmap_unlock_write(mapping); hugetlb_dup_vma_private -- Clear vma_lock outside i_mmap_rwsem! i_mmap_lock_write(mapping); hugetlb_vmdelete_list vma_interval_tree_foreach hugetlb_vma_trylock_write -- Vma_lock is cleared. tmp->vm_ops->open -- Alloc new vma_lock outside i_mmap_rwsem! hugetlb_vma_unlock_write -- Vma_lock is assigned!!! i_mmap_unlock_write(mapping); hugetlb_dup_vma_private() and hugetlb_vm_op_open() are called outside i_mmap_rwsem lock while vma lock can be used in the same time. Fix this by deferring linking file vma until vma is fully initialized. 
Those vmas should be initialized first before they can be used.", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-41022", "url": "https://ubuntu.com/security/CVE-2024-41022", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq() The \"instance\" variable needs to be signed for the error handling to work.", "cve_priority": "medium", "cve_public_date": "2024-07-29 14:15:00 UTC" }, { "cve": "CVE-2024-45016", "url": "https://ubuntu.com/security/CVE-2024-45016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug happen: - If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. 
The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.", "cve_priority": "medium", "cve_public_date": "2024-09-11 16:15:00 UTC" } ], "log": [ "", " * jammy/linux-riscv-6.8: 6.8.0-48.48.1~22.04.2 -proposed tracker", " (LP: #2082433)", "", " * Miscellaneous Ubuntu changes", " - [Packaging] riscv: add libtraceevent build dependencies", "", " [ Ubuntu: 6.8.0-48.48.1 ]", "", " * noble/linux-riscv: 6.8.0-48.48.1 -proposed tracker (LP: #2082434)", " * Enable Microchip PIC64GX Curiosity Kit (LP: #2074082)", " - dt-bindings: clock: mpfs: add more MSSPLL output definitions", " - dt-bindings: can: mpfs: add missing required clock", " - clk: microchip: mpfs: split MSSPLL in two", " - clk: microchip: mpfs: setup for using other mss pll outputs", " - clk: microchip: mpfs: add missing MSSPLL outputs", " - clk: microchip: mpfs: convert MSSPLL outputs to clk_divider", " - riscv: dts: microchip: add missing CAN bus clocks", " - SAUCE: dt-bindings: can: mpfs: add PIC64GX CAN compatibility", " - SAUCE: dt-bindings: usb: add PIC64GX compatibility to mpfs-musb driver", " - SAUCE: dt-bindings: mbox: add PIC64GX mailbox compatibility to MPFS mailbox", " - SAUCE: dt-bindings: spi: add PIC64GX SPI/QSPI compatibility to MPFS SPI/QSPI", " bindings", " - SAUCE: dt-bindings: gpio: mpfs-gpio: Add PIC64GX GPIO compatibility", " - SAUCE: dt-bindings: cache: sifive,ccache0: add a PIC64GX compatible", " - SAUCE: dt-bindings: clock: mpfs-ccc: Add PIC64GX compatibility", " - SAUCE: dt-bindings: clock: mpfs-clkcfg: Add PIC64GX compatibility", " - SAUCE: dt-bindings: dma: sifive pdma: Add PIC64GX to compatibles", " - SAUCE: dt-bindings: i2c: microchip: corei2c: Add PIC64GX as compatible with", " driver", " - SAUCE: dt-bindings: mmc: cdns: document Microchip PIC64GX MMC/SDHCI", " controller", " - SAUCE: dt-bindings: net: cdns,macb: Add PIC64GX compatibility", " - SAUCE: dt-bindings: rtc: mfps-rtc: Add PIC64GX compatibility", 
" - SAUCE: dt-bindings: soc: microchip: mpfs-sys-controller: Add PIC64GX", " compatibility", " - SAUCE: dt-bindings: riscv: microchip: document the PIC64GX curiosity kit", " - SAUCE: dt-bindings: mmc: cdns,sdhci: ref sdhci-common.yaml", " - SAUCE: dt-bindings: timer: sifive,clint: add PIC64GX compatibility", " - SAUCE: dt-bindings: interrupt-controller: sifive,plic: Add PIC64GX", " compatibility", " - SAUCE: riscv: dts: microchip: add PIC64GX Curiosity Kit dts", " [ Ubuntu: 6.8.0-48.48 ]", " * noble/linux: 6.8.0-48.48 -proposed tracker (LP: #2082437)", " * [SRU][Noble] Bad EPP defaults cause performance regressions on select Intel", " CPUs (LP: #2077470)", " - x86/cpu/vfm: Update arch/x86/include/asm/intel-family.h", " - cpufreq: intel_pstate: Allow model specific EPPs", " - cpufreq: intel_pstate: Update default EPPs for Meteor Lake", " - cpufreq: intel_pstate: Switch to new Intel CPU model defines", " - cpufreq: intel_pstate: Update Meteor Lake EPPs", " - cpufreq: intel_pstate: Use Meteor Lake EPPs for Arrow Lake", " - cpufreq: intel_pstate: Update Balance performance EPP for Emerald Rapids", " * power: Enable intel_rapl driver (LP: #2078834)", " - powercap: intel_rapl: Add support for ArrowLake-H platform", " * x86/vmware: Add TDX hypercall support (LP: #2077729)", " - x86/vmware: Introduce VMware hypercall API", " - x86/vmware: Add TDX hypercall support", " * Guest crashes post migration with migrate_misplaced_folio+0x4cc/0x5d0", " (LP: #2076866)", " - mm/mempolicy: use numa_node_id() instead of cpu_to_node()", " - mm/numa_balancing: allow migrate on protnone reference with", " MPOL_PREFERRED_MANY policy", " - mm: convert folio_estimated_sharers() to folio_likely_mapped_shared()", " - mm: factor out the numa mapping rebuilding into a new helper", " - mm: support multi-size THP numa balancing", " - mm/migrate: make migrate_misplaced_folio() return 0 on success", " - mm/migrate: move NUMA hinting fault folio isolation + checks under PTL", " - mm: fix possible OOB 
in numa_rebuild_large_mapping()", " * Add 'mm: hold PTL from the first PTE while reclaiming a large folio' to fix", " L2 Guest hang during LTP Test (LP: #2076147)", " - mm: hold PTL from the first PTE while reclaiming a large folio", " * KOP L2 guest fails to boot with 1 core - SMT8 topology (LP: #2070329)", " - KVM: PPC: Book3S HV nestedv2: Add DPDES support in helper library for Guest", " state buffer", " - KVM: PPC: Book3S HV nestedv2: Fix doorbell emulation", " * L2 Guest migration: continuously dumping while running NFS guest migration", " (LP: #2076406)", " - KVM: PPC: Book3S HV: Fix the set_one_reg for MMCR3", " - KVM: PPC: Book3S HV: Fix the get_one_reg of SDAR", " - KVM: PPC: Book3S HV: Add one-reg interface for DEXCR register", " - KVM: PPC: Book3S HV nestedv2: Keep nested guest DEXCR in sync", " - KVM: PPC: Book3S HV: Add one-reg interface for HASHKEYR register", " - KVM: PPC: Book3S HV nestedv2: Keep nested guest HASHKEYR in sync", " - KVM: PPC: Book3S HV: Add one-reg interface for HASHPKEYR register", " - KVM: PPC: Book3S HV nestedv2: Keep nested guest HASHPKEYR in sync", " * perf build disables tracepoint support (LP: #2076190)", " - [Packaging] perf: reenable libtraceevent", " * Please backport the more restrictive XSAVES deactivation for Zen1/2 arch", " (LP: #2077321)", " - x86/CPU/AMD: Improve the erratum 1386 workaround", " * Fix alsa scarlett2 driver in 6.8 (LP: #2076402)", " - ALSA: scarlett2: Move initialisation code lower in the source", " - ALSA: scarlett2: Implement handling of the ACK notification", " * rtw89: reset IDMEM mode to prevent download firmware failure (LP: #2077396)", " - wifi: rtw89: 885xb: reset IDMEM mode to prevent download firmware failure", " * CVE-2024-43858", " - jfs: Fix array-index-out-of-bounds in diFree", " * CVE-2024-42280", " - mISDN: Fix a use after free in hfcmulti_tx()", " * CVE-2024-42271", " - net/iucv: fix use after free in iucv_sock_close()", " * [Ubuntu-24.04] FADump with recommended crash size is making 
the L1 hang", " (LP: #2060039)", " - powerpc/64s/radix/kfence: map __kfence_pool at page granularity", " * Noble update: upstream stable patchset 2024-09-09 (LP: #2079945)", " - ocfs2: add bounds checking to ocfs2_check_dir_entry()", " - jfs: don't walk off the end of ealist", " - fs/ntfs3: Add a check for attr_names and oatbl", " - fs/ntfs3: Validate ff offset", " - usb: gadget: midi2: Fix incorrect default MIDI2 protocol setup", " - ALSA: hda/realtek: Enable headset mic on Positivo SU C1400", " - ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360", " - arm64: dts: qcom: qrb4210-rb2: switch I2C2 to i2c-gpio", " - arm64: dts: qcom: msm8996: Disable SS instance in Parkmode for USB", " - arm64: dts: qcom: sm6350: Disable SS instance in Parkmode for USB", " - arm64: dts: qcom: ipq6018: Disable SS instance in Parkmode for USB", " - arm64: dts: qcom: sdm630: Disable SS instance in Parkmode for USB", " - ALSA: pcm_dmaengine: Don't synchronize DMA channel when DMA is paused", " - ALSA: seq: ump: Skip useless ports for static blocks", " - filelock: Fix fcntl/close race recovery compat path", " - tun: add missing verification for short frame", " - tap: add missing verification for short frame", " - s390/mm: Fix VM_FAULT_HWPOISON handling in do_exception()", " - ALSA: hda/tas2781: Add new quirk for Lenovo Hera2 Laptop", " - arm64: dts: qcom: sc7180: Disable SuperSpeed instances in park mode", " - arm64: dts: qcom: sc7280: Disable SuperSpeed instances in park mode", " - arm64: dts: qcom: qrb2210-rb1: switch I2C2 to i2c-gpio", " - arm64: dts: qcom: msm8998: Disable SS instance in Parkmode for USB", " - arm64: dts: qcom: ipq8074: Disable SS instance in Parkmode for USB", " - arm64: dts: qcom: sdm845: Disable SS instance in Parkmode for USB", " - Upstream stable to v6.6.43, v6.9.12", " * Noble update: upstream stable patchset 2024-09-02 (LP: #2078304)", " - filelock: Remove locks reliably when fcntl/close race is detected", " - scsi: core: alua: I/O errors 
for ALUA state transitions", " - scsi: sr: Fix unintentional arithmetic wraparound", " - scsi: qedf: Don't process stag work during unload and recovery", " - scsi: qedf: Wait for stag work during unload", " - scsi: qedf: Set qed_slowpath_params to zero before use", " - efi/libstub: zboot.lds: Discard .discard sections", " - ACPI: EC: Abort address space access upon error", " - ACPI: EC: Avoid returning AE_OK on errors in address space handler", " - tools/power/cpupower: Fix Pstate frequency reporting on AMD Family 1Ah CPUs", " - wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata", " - wifi: mac80211: apply mcast rate only if interface is up", " - wifi: mac80211: handle tasklet frames before stopping", " - wifi: cfg80211: fix 6 GHz scan request building", " - wifi: iwlwifi: mvm: d3: fix WoWLAN command version lookup", " - wifi: iwlwifi: mvm: remove stale STA link data during restart", " - wifi: iwlwifi: mvm: Handle BIGTK cipher in kek_kck cmd", " - wifi: iwlwifi: mvm: handle BA session teardown in RF-kill", " - wifi: iwlwifi: mvm: properly set 6 GHz channel direct probe option", " - wifi: iwlwifi: mvm: Fix scan abort handling with HW rfkill", " - wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan()", " - selftests: cachestat: Fix build warnings on ppc64", " - selftests/openat2: Fix build warnings on ppc64", " - selftests/futex: pass _GNU_SOURCE without a value to the compiler", " - of/irq: Factor out parsing of interrupt-map parent phandle+args from", " of_irq_parse_raw()", " - Input: silead - Always support 10 fingers", " - net: ipv6: rpl_iptunnel: block BH in rpl_output() and rpl_input()", " - ila: block BH in ila_output()", " - arm64: armv8_deprecated: Fix warning in isndep cpuhp starting process", " - null_blk: fix validation of block size", " - kconfig: gconf: give a proper initial state to the Save button", " - kconfig: remove wrong expr_trans_bool()", " - input: Add event code for accessibility key", " - input: Add support for 
\"Do Not Disturb\"", " - HID: Ignore battery for ELAN touchscreens 2F2C and 4116", " - NFSv4: Fix memory leak in nfs4_set_security_label", " - nfs: propagate readlink errors in nfs_symlink_filler", " - nfs: Avoid flushing many pages with NFS_FILE_SYNC", " - nfs: don't invalidate dentries on transient errors", " - cachefiles: add consistency check for copen/cread", " - cachefiles: Set object to close if ondemand_id < 0 in copen", " - cachefiles: make on-demand read killable", " - fs/file: fix the check in find_next_fd()", " - mei: demote client disconnect warning on suspend to debug", " - iomap: Fix iomap_adjust_read_range for plen calculation", " - drm/exynos: dp: drop driver owner initialization", " - drm: panel-orientation-quirks: Add quirk for Aya Neo KUN", " - drm/mediatek: Call drm_atomic_helper_shutdown() at shutdown time", " - nvme: avoid double free special payload", " - nvmet: always initialize cqe.result", " - ALSA: hda: cs35l56: Fix lifecycle of codec pointer", " - wifi: cfg80211: wext: add extra SIOCSIWSCAN data check", " - ALSA: hda/realtek: Support Lenovo Thinkbook 16P Gen 5", " - KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()", " - drm/vmwgfx: Fix missing HYPERVISOR_GUEST dependency", " - ALSA: hda/realtek: Add more codec ID to no shutup pins list", " - spi: Fix OCTAL mode support", " - cpumask: limit FORCE_NR_CPUS to just the UP case", " - [Config] Remove FORCE_NR_CPUS", " - selftests: openvswitch: Set value to nla flags.", " - drm/amdgpu: Indicate CU havest info to CP", " - ALSA: hda: cs35l56: Select SERIAL_MULTI_INSTANTIATE", " - mips: fix compat_sys_lseek syscall", " - Input: elantech - fix touchpad state on resume for Lenovo N24", " - Input: i8042 - add Ayaneo Kun to i8042 quirk table", " - ASoC: rt722-sdca-sdw: add silence detection register as volatile", " - Input: xpad - add support for ASUS ROG RAIKIRI PRO", " - ASoC: topology: Fix references to freed memory", " - ASoC: topology: Do not assign fields that are already 
set", " - bytcr_rt5640 : inverse jack detect for Archos 101 cesium", " - ALSA: dmaengine: Synchronize dma channel after drop()", " - ASoC: ti: davinci-mcasp: Set min period size using FIFO config", " - ASoC: ti: omap-hdmi: Fix too long driver name", " - ASoC: SOF: sof-audio: Skip unprepare for in-use widgets on error rollback", " - ASoC: rt722-sdca-sdw: add debounce time for type detection", " - nvme: fix NVME_NS_DEAC may incorrectly identifying the disk as EXT_LBA.", " - Input: ads7846 - use spi_device_id table", " - can: kvaser_usb: fix return value for hif_usb_send_regout", " - gpio: pca953x: fix pca953x_irq_bus_sync_unlock race", " - octeontx2-pf: Fix coverity and klockwork issues in octeon PF driver", " - s390/sclp: Fix sclp_init() cleanup on failure", " - platform/mellanox: nvsw-sn2201: Add check for platform_device_add_resources", " - platform/x86: wireless-hotkey: Add support for LG Airplane Button", " - platform/x86: lg-laptop: Remove LGEX0815 hotkey handling", " - platform/x86: lg-laptop: Change ACPI device id", " - platform/x86: lg-laptop: Use ACPI device handle when evaluating WMAB/WMBB", " - btrfs: qgroup: fix quota root leak after quota disable failure", " - ibmvnic: Add tx check to prevent skb leak", " - ALSA: PCM: Allow resume only for suspended streams", " - ALSA: hda/relatek: Enable Mute LED on HP Laptop 15-gw0xxx", " - ALSA: dmaengine_pcm: terminate dmaengine before synchronize", " - ASoC: amd: yc: Fix non-functional mic on ASUS M5602RA", " - net: usb: qmi_wwan: add Telit FN912 compositions", " - net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and", " DEV_STATS_ADD()", " - powerpc/pseries: Whitelist dtl slub object for copying to userspace", " - powerpc/eeh: avoid possible crash when edev->pdev changes", " - scsi: libsas: Fix exp-attached device scan after probe failure scanned in", " again after probe failed", " - tee: optee: ffa: Fix missing-field-initializers warning", " - Bluetooth: hci_core: cancel all works upon 
hci_unregister_dev()", " - Bluetooth: btnxpuart: Enable Power Save feature on startup", " - bluetooth/l2cap: sync sock recv cb and release", " - erofs: ensure m_llen is reset to 0 if metadata is invalid", " - drm/amd/display: Add refresh rate range check", " - drm/amd/display: Account for cursor prefetch BW in DML1 mode support", " - drm/amd/display: Fix refresh rate range for some panel", " - drm/radeon: check bo_va->bo is non-NULL before using it", " - fs: better handle deep ancestor chains in is_subdir()", " - wifi: iwlwifi: properly set WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK", " - drivers/perf: riscv: Reset the counter to hpmevent mapping while starting", " cpus", " - riscv: stacktrace: fix usage of ftrace_graph_ret_addr()", " - spi: imx: Don't expect DMA for i.MX{25,35,50,51,53} cspi devices", " - ksmbd: return FILE_DEVICE_DISK instead of super magic", " - ASoC: SOF: Intel: hda-pcm: Limit the maximum number of periods by", " MAX_BDL_ENTRIES", " - selftest/timerns: fix clang build failures for abs() calls", " - selftests/vDSO: fix clang build errors and warnings", " - hfsplus: fix uninit-value in copy_name", " - selftests/bpf: Extend tcx tests to cover late tcx_entry release", " - spi: mux: set ctlr->bits_per_word_mask", " - ALSA: hda: Use imply for suggesting CONFIG_SERIAL_MULTI_INSTANTIATE", " - [Config] Update CONFIG_SERIAL_MULTI_INSTANTIATE", " - cifs: fix noisy message on copy_file_range", " - Bluetooth: L2CAP: Fix deadlock", " - of/irq: Disable \"interrupt-map\" parsing for PASEMI Nemo", " - wifi: cfg80211: wext: set ssids=NULL for passive scans", " - wifi: mac80211: disable softirqs for queued frame handling", " - wifi: iwlwifi: mvm: don't wake up rx_sync_waitq upon RFKILL", " - cachefiles: fix slab-use-after-free in fscache_withdraw_volume()", " - cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()", " - btrfs: ensure fast fsync waits for ordered extents after a write failure", " - PNP: Hide pnp_bus_type from the non-PNP code", " - ACPI: AC: 
Properly notify powermanagement core about changes", " - selftests/overlayfs: Fix build error on ppc64", " - nvme-fabrics: use reserved tag for reg read/write command", " - LoongArch: Fix GMAC's phy-mode definitions in dts", " - io_uring: fix possible deadlock in io_register_iowq_max_workers()", " - vfio: Create vfio_fs_type with inode per device", " - vfio/pci: Use unmap_mapping_range()", " - parport: amiga: Mark driver struct with __refdata to prevent section", " mismatch", " - drm: renesas: shmobile: Call drm_atomic_helper_shutdown() at shutdown time", " - vfio/pci: Insert full vma on mmap'd MMIO fault", " - ALSA: hda: cs35l41: Support Lenovo Thinkbook 16P Gen 5", " - ALSA: hda: cs35l41: Support Lenovo Thinkbook 13x Gen 4", " - ALSA: hda/realtek: Support Lenovo Thinkbook 13x Gen 4", " - wifi: mac80211: Avoid address calculations via out of bounds array indexing", " - drm/amd/display: change dram_clock_latency to 34us for dcn35", " - closures: Change BUG_ON() to WARN_ON()", " - ASoC: codecs: ES8326: Solve headphone detection issue", " - ASoC: Intel: avs: Fix route override", " - net: mvpp2: fill-in dev_port attribute", " - btrfs: scrub: handle RST lookup error correctly", " - clk: qcom: apss-ipq-pll: remove 'config_ctl_hi_val' from Stromer pll configs", " - drm/amd/display: Update efficiency bandwidth for dcn351", " - drm/amd/display: Fix array-index-out-of-bounds in dml2/FCLKChangeSupport", " - btrfs: fix uninitialized return value in the ref-verify tool", " - spi: davinci: Unset POWERDOWN bit when releasing resources", " - mm: page_ref: remove folio_try_get_rcu()", " - ALSA: hda: cs35l41: Fix swapped l/r audio channels for Lenovo ThinBook 13x", " Gen4", " - netfs, fscache: export fscache_put_volume() and add fscache_try_get_volume()", " - Upstream stable to v6.6.42, v6.9.11", " * CVE-2024-27022", " - Revert \"Revert \"fork: defer linking file vma until vma is fully", " initialized\"\"", " * UBSAN: array-index-out-of-bounds in /build/linux-Z1RxaK/linux-", " 
6.8.0/drivers/gpu/drm/amd/amdgpu/../pm/powerplay/hwmgr/processpptables.c:124", " 9:61 (LP: #2078041)", " - drm/amdgpu/pptable: convert some variable sized arrays to [] style", " - drm/amdgpu: convert some variable sized arrays to [] style", " - drm/amdgpu/pptable: Fix UBSAN array-index-out-of-bounds", " * alsa: Headphone and Speaker couldn't output sound intermittently", " (LP: #2077690)", " - ALSA: hda/realtek - Fixed ALC256 headphone no sound", " - ALSA: hda/realtek - FIxed ALC285 headphone no sound", " * Fix ethernet performance on JSL and EHL (LP: #2077858)", " - intel_idle: Disable promotion to C1E on Jasper Lake and Elkhart Lake", " * Noble update: upstream stable patchset 2024-08-29 (LP: #2078289)", " - Revert \"usb: xhci: prevent potential failure in handle_tx_event() for", " Transfer events without TRB\"", " - Compiler Attributes: Add __uninitialized macro", " - mm: prevent derefencing NULL ptr in pfn_section_valid()", " - scsi: ufs: core: Fix ufshcd_clear_cmd racing issue", " - scsi: ufs: core: Fix ufshcd_abort_one racing issue", " - vfio/pci: Init the count variable in collecting hot-reset devices", " - cachefiles: propagate errors from vfs_getxattr() to avoid infinite loop", " - cachefiles: stop sending new request when dropping object", " - cachefiles: cancel all requests for the object that is being dropped", " - cachefiles: wait for ondemand_object_worker to finish when dropping object", " - cachefiles: cyclic allocation of msg_id to avoid reuse", " - cachefiles: add missing lock protection when polling", " - dsa: lan9303: Fix mapping between DSA port number and PHY address", " - filelock: fix potential use-after-free in posix_lock_inode", " - fs/dcache: Re-use value stored to dentry->d_flags instead of re-reading", " - vfs: don't mod negative dentry count when on shrinker list", " - net: bcmasp: Fix error code in probe()", " - tcp: fix incorrect undo caused by DSACK of TLP retransmit", " - bpf: Fix too early release of tcx_entry", " - net: phy: 
microchip: lan87xx: reinit PHY after cable test", " - skmsg: Skip zero length skb in sk_msg_recvmsg", " - octeontx2-af: Fix incorrect value output on error path in", " rvu_check_rsrc_availability()", " - net: fix rc7's __skb_datagram_iter()", " - i40e: Fix XDP program unloading while removing the driver", " - net: ethernet: lantiq_etop: fix double free in detach", " - bpf: fix order of args in call to bpf_map_kvcalloc", " - bpf: make timer data struct more generic", " - bpf: replace bpf_timer_init with a generic helper", " - bpf: Fail bpf_timer_cancel when callback is being cancelled", " - net: ethernet: mtk-star-emac: set mac_managed_pm when probing", " - ppp: reject claimed-as-LCP but actually malformed packets", " - ethtool: netlink: do not return SQI value if link is down", " - udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().", " - net, sunrpc: Remap EPERM in case of connection failure in", " xs_tcp_setup_socket", " - s390: Mark psw in __load_psw_mask() as __unitialized", " - arm64: dts: qcom: sc8180x: Fix LLCC reg property again", " - firmware: cs_dsp: Fix overflow checking of wmfw header", " - firmware: cs_dsp: Return error if block header overflows file", " - firmware: cs_dsp: Validate payload length before processing block", " - firmware: cs_dsp: Prevent buffer overrun when processing V2 alg headers", " - ASoC: SOF: Intel: hda: fix null deref on system suspend entry", " - firmware: cs_dsp: Use strnlen() on name fields in V1 wmfw files", " - ARM: davinci: Convert comma to semicolon", " - octeontx2-af: replace cpt slot with lf id on reg write", " - octeontx2-af: fix a issue with cpt_lf_alloc mailbox", " - octeontx2-af: fix detection of IP layer", " - octeontx2-af: fix issue with IPv6 ext match for RSS", " - octeontx2-af: fix issue with IPv4 match for RSS", " - cifs: fix setting SecurityFlags to true", " - Revert \"sched/fair: Make sure to try to detach at least one movable task\"", " - tcp: avoid too many retransmit packets", " - net: ks8851: Fix 
deadlock with the SPI chip variant", " - net: ks8851: Fix potential TX stall after interface reopen", " - USB: serial: option: add Telit generic core-dump composition", " - USB: serial: option: add Telit FN912 rmnet compositions", " - USB: serial: option: add Fibocom FM350-GL", " - USB: serial: option: add support for Foxconn T99W651", " - USB: serial: option: add Netprisma LCUK54 series modules", " - USB: serial: option: add Rolling RW350-GL variants", " - USB: serial: mos7840: fix crash on resume", " - USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k", " - usb: dwc3: pci: add support for the Intel Panther Lake", " - usb: gadget: configfs: Prevent OOB read/write in usb_string_copy()", " - USB: core: Fix duplicate endpoint bug by clearing reserved bits in the", " descriptor", " - misc: microchip: pci1xxxx: Fix return value of nvmem callbacks", " - hpet: Support 32-bit userspace", " - xhci: always resume roothubs if xHC was reset during resume", " - s390/mm: Add NULL pointer check to crst_table_free() base_crst_free()", " - mm: vmalloc: check if a hash-index is in cpu_possible_mask", " - mm/filemap: skip to create PMD-sized page cache if needed", " - mm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray", " - ksmbd: discard write access to the directory open", " - iio: trigger: Fix condition for own trigger", " - arm64: dts: qcom: sa8775p: Correct IRQ number of EL2 non-secure physical", " timer", " - arm64: dts: qcom: sc8280xp-x13s: fix touchscreen power on", " - nvmem: rmem: Fix return value of rmem_read()", " - nvmem: meson-efuse: Fix return value of nvmem callbacks", " - nvmem: core: only change name to fram for current attribute", " - platform/x86: toshiba_acpi: Fix array out-of-bounds access", " - tty: serial: ma35d1: Add a NULL check for of_node", " - ALSA: hda/realtek: add quirk for Clevo V5[46]0TU", " - ALSA: hda/realtek: Enable Mute LED on HP 250 G7", " - ALSA: hda/realtek: Limit mic boost on VAIO PRO PX", " - Fix userfaultfd_api to return EINVAL 
as expected", " - pmdomain: qcom: rpmhpd: Skip retention level for Power Domains", " - libceph: fix race between delayed_work() and ceph_monc_stop()", " - ACPI: processor_idle: Fix invalid comparison with insertion sort for latency", " - cpufreq: ACPI: Mark boost policy as enabled when setting boost", " - cpufreq: Allow drivers to advertise boost enabled", " - wireguard: selftests: use acpi=off instead of -no-acpi for recent QEMU", " - wireguard: allowedips: avoid unaligned 64-bit memory accesses", " - wireguard: queueing: annotate intentional data race in cpu round robin", " - wireguard: send: annotate intentional data race in checking empty queue", " - misc: fastrpc: Fix DSP capabilities request", " - misc: fastrpc: Avoid updating PD type for capability request", " - misc: fastrpc: Copy the complete capability structure to user", " - misc: fastrpc: Fix memory leak in audio daemon attach operation", " - misc: fastrpc: Fix ownership reassignment of remote heap", " - misc: fastrpc: Restrict untrusted app to attach to privileged PD", " - mm/shmem: disable PMD-sized page cache if needed", " - mm/damon/core: merge regions aggressively when max_nr_regions is unmet", " - selftests/net: fix gro.c compilation failure due to non-existent", " opt_ipproto_off", " - ext4: avoid ptr null pointer dereference", " - sched: Move psi_account_irqtime() out of update_rq_clock_task() hotpath", " - i2c: rcar: bring hardware to known state when probing", " - i2c: mark HostNotify target address as used", " - i2c: rcar: ensure Gen3+ reset does not disturb local targets", " - i2c: testunit: avoid re-issued work after read message", " - i2c: rcar: clear NO_RXDMA flag after resetting", " - x86/bhi: Avoid warning in #DB handler due to BHI mitigation", " - kbuild: Make ld-version.sh more robust against version string changes", " - spi: axi-spi-engine: fix sleep calculation", " - minixfs: Fix minixfs_rename with HIGHMEM", " - bpf: Defer work in bpf_timer_cancel_and_free", " - netfilter: 
nf_tables: prefer nft_chain_validate", " - arm64: dts: qcom: x1e80100-*: Allocate some CMA buffers", " - arm64: dts: qcom: sm6115: add iommu for sdhc_1", " - arm64: dts: qcom: qdu1000: Fix LLCC reg property", " - net: ethtool: Fix RSS setting", " - nilfs2: fix kernel bug on rename operation of broken directory", " - cachestat: do not flush stats in recency check", " - mm: fix crashes from deferred split racing folio migration", " - nvmem: core: limit cell sysfs permissions to main attribute ones", " - serial: imx: ensure RTS signal is not left active after shutdown", " - mmc: sdhci: Fix max_seg_size for 64KiB PAGE_SIZE", " - mmc: davinci_mmc: Prevent transmitted data size from exceeding sgm's length", " - mm/readahead: limit page cache size in page_cache_ra_order()", " - Revert \"dt-bindings: cache: qcom,llcc: correct QDU1000 reg entries\"", " - sched/deadline: Fix task_struct reference leak", " - Upstream stable to v6.6.40, v6.6.41, v6.9.10", " * [SRU][HPE 24.04] Intel FVL NIC FW flash fails with inbox driver, causing", " driver not detected (LP: #2076675) // Noble update: upstream stable patchset", " 2024-08-29 (LP: #2078289)", " - i40e: fix: remove needless retries of NVM update", " * CVE-2024-41022", " - drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()", " * Deadlock occurs while suspending md raid (LP: #2073695)", " - md: change the return value type of md_write_start to void", " - md: fix deadlock between mddev_suspend and flush bio", " * Lenovo X12 Detachable Gen 2 unresponsive under light load (LP: #2076361)", " - drm/i915: Enable Wa_16019325821", " - drm/i915/guc: Add support for w/a KLVs", " - drm/i915/guc: Enable Wa_14019159160", " * Regression: unable to reach low idle states on Tiger Lake (LP: #2072679)", " - SAUCE: PCI: ASPM: Allow OS to configure ASPM where BIOS is incapable of", " - SAUCE: PCI: vmd: Let OS control ASPM for devices under VMD domain", " * Noble update: upstream stable patchset 2024-08-22 (LP: #2077600)", " - 
locking/mutex: Introduce devm_mutex_init()", " - leds: an30259a: Use devm_mutex_init() for mutex initialization", " - crypto: hisilicon/debugfs - Fix debugfs uninit process issue", " - drm/lima: fix shared irq handling on driver remove", " - powerpc: Avoid nmi_enter/nmi_exit in real mode interrupt.", " - media: dvb: as102-fe: Fix as10x_register_addr packing", " - media: dvb-usb: dib0700_devices: Add missing release_firmware()", " - IB/core: Implement a limit on UMAD receive List", " - scsi: qedf: Make qedf_execute_tmf() non-preemptible", " - selftests/bpf: adjust dummy_st_ops_success to detect additional error", " - selftests/bpf: do not pass NULL for non-nullable params in dummy_st_ops", " - selftests/bpf: dummy_st_ops should reject 0 for non-nullable params", " - RISC-V: KVM: Fix the initial sample period value", " - crypto: aead,cipher - zeroize key buffer after use", " - media: mediatek: vcodec: Only free buffer VA that is not NULL", " - drm/amdgpu: Fix uninitialized variable warnings", " - drm/amdgpu: Initialize timestamp for some legacy SOCs", " - drm/amd/display: Check index msg_id before read or write", " - drm/amd/display: Check pipe offset before setting vblank", " - drm/amd/display: Skip finding free audio for unknown engine_id", " - drm/amd/display: Fix uninitialized variables in DM", " - drm/amdgpu: fix uninitialized scalar variable warning", " - drm/amdgpu: fix the warning about the expression (int)size - len", " - media: dw2102: Don't translate i2c read into write", " - riscv: Apply SiFive CIP-1200 workaround to single-ASID sfence.vma", " - sctp: prefer struct_size over open coded arithmetic", " - firmware: dmi: Stop decoding on broken entry", " - Input: ff-core - prefer struct_size over open coded arithmetic", " - wifi: mt76: replace skb_put with skb_put_zero", " - wifi: mt76: mt7996: add sanity checks for background radar trigger", " - thermal/drivers/mediatek/lvts_thermal: Check NULL ptr on lvts_data", " - media: dvb-frontends: tda18271c2dd: 
Remove casting during div", " - media: s2255: Use refcount_t instead of atomic_t for num_channels", " - media: dvb-frontends: tda10048: Fix integer overflow", " - i2c: i801: Annotate apanel_addr as __ro_after_init", " - powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for CONFIG_PCI=n", " - orangefs: fix out-of-bounds fsid access", " - kunit: Fix timeout message", " - powerpc/xmon: Check cpu id in commands \"c#\", \"dp#\" and \"dx#\"", " - selftests/net: fix uninitialized variables", " - igc: fix a log entry using uninitialized netdev", " - bpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD", " - serial: imx: Raise TX trigger level to 8", " - jffs2: Fix potential illegal address access in jffs2_free_inode", " - s390/pkey: Wipe sensitive data on failure", " - btrfs: scrub: initialize ret in scrub_simple_mirror() to fix compilation", " warning", " - cdrom: rearrange last_media_change check to avoid unintentional overflow", " - tools/power turbostat: Remember global max_die_id", " - vhost: Use virtqueue mutex for swapping worker", " - vhost: Release worker mutex during flushes", " - vhost_task: Handle SIGKILL by flushing work and exiting", " - mac802154: fix time calculation in ieee802154_configure_durations()", " - net: phy: phy_device: Fix PHY LED blinking code comment", " - UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open()", " - net/mlx5: E-switch, Create ingress ACL when needed", " - net/mlx5e: Add mqprio_rl cleanup and free in mlx5e_priv_cleanup()", " - Bluetooth: hci_event: Fix setting of unicast qos interval", " - Bluetooth: Ignore too large handle values in BIG", " - Bluetooth: ISO: Check socket flag instead of hcon", " - bluetooth/hci: disallow setting handle bigger than HCI_CONN_HANDLE_MAX", " - KVM: s390: fix LPSWEY handling", " - e1000e: Fix S0ix residency on corporate systems", " - gpiolib: of: fix lookup quirk for MIPS Lantiq", " - net: allow skb_datagram_iter to be called from any context", " - net: txgbe: initialize 
num_q_vectors for MSI/INTx interrupts", " - net: ntb_netdev: Move ntb_netdev_rx_handler() to call netif_rx() from", " __netif_rx()", " - gpio: mmio: do not calculate bgpio_bits via \"ngpios\"", " - wifi: wilc1000: fix ies_len type in connect path", " - riscv: kexec: Avoid deadlock in kexec crash path", " - netfilter: nf_tables: unconditionally flush pending work before notifier", " - bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()", " - selftests: fix OOM in msg_zerocopy selftest", " - selftests: make order checking verbose in msg_zerocopy selftest", " - inet_diag: Initialize pad field in struct inet_diag_req_v2", " - mlxsw: core_linecards: Fix double memory deallocation in case of invalid INI", " file", " - gpiolib: of: add polarity quirk for TSC2005", " - cpu: Fix broken cmdline \"nosmp\" and \"maxcpus=0\"", " - platform/x86: toshiba_acpi: Fix quickstart quirk handling", " - Revert \"igc: fix a log entry using uninitialized netdev\"", " - nilfs2: fix inode number range checks", " - nilfs2: add missing check for inode numbers on directory entries", " - mm: optimize the redundant loop of mm_update_owner_next()", " - mm: avoid overflows in dirty throttling logic", " - btrfs: fix adding block group to a reclaim list and the unused list during", " reclaim", " - scsi: mpi3mr: Use proper format specifier in mpi3mr_sas_port_add()", " - Bluetooth: hci_bcm4377: Fix msgid release", " - Bluetooth: qca: Fix BT enable failure again for QCA6390 after warm reboot", " - can: kvaser_usb: Explicitly initialize family in leafimx driver_info struct", " - fsnotify: Do not generate events for O_PATH file descriptors", " - Revert \"mm/writeback: fix possible divide-by-zero in wb_dirty_limits(),", " again\"", " - drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes", " - drm/amdgpu/atomfirmware: silence UBSAN warning", " - drm: panel-orientation-quirks: Add quirk for Valve Galileo", " - clk: qcom: gcc-ipq9574: Add BRANCH_HALT_VOTED flag", " - clk: 
sunxi-ng: common: Don't call hw_to_ccu_common on hw without common", " - powerpc/pseries: Fix scv instruction crash with kexec", " - powerpc/64s: Fix unnecessary copy to 0 when kernel is booted at address 0", " - mtd: rawnand: Ensure ECC configuration is propagated to upper layers", " - mtd: rawnand: Fix the nand_read_data_op() early check", " - mtd: rawnand: Bypass a couple of sanity checks during NAND identification", " - mtd: rawnand: rockchip: ensure NVDDR timings are rejected", " - net: stmmac: dwmac-qcom-ethqos: fix error array size", " - arm64: dts: rockchip: Fix the DCDC_REG2 minimum voltage on Quartz64 Model B", " - media: dw2102: fix a potential buffer overflow", " - clk: qcom: gcc-sm6350: Fix gpll6* & gpll7 parents", " - clk: qcom: clk-alpha-pll: set ALPHA_EN bit for Stromer Plus PLLs", " - clk: mediatek: mt8183: Only enable runtime PM on mt8183-mfgcfg", " - i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr", " - fs/ntfs3: Mark volume as dirty if xattr is broken", " - ALSA: hda/realtek: Enable headset mic of JP-IK LEAP W502 with ALC897", " - vhost-scsi: Handle vhost_vq_work_queue failures for events", " - nvme-multipath: find NUMA path only for online numa-node", " - dma-mapping: benchmark: avoid needless copy_to_user if benchmark fails", " - connector: Fix invalid conversion in cn_proc.h", " - nvme: adjust multiples of NVME_CTRL_PAGE_SIZE in offset", " - regmap-i2c: Subtract reg size from max_write", " - platform/x86: touchscreen_dmi: Add info for GlobalSpace SolT IVW 11.6\"", " tablet", " - platform/x86: touchscreen_dmi: Add info for the EZpad 6s Pro", " - nvmet: fix a possible leak when destroy a ctrl during qp establishment", " - kbuild: fix short log for AS in link-vmlinux.sh", " - nfc/nci: Add the inconsistency check between the input data length and count", " - spi: cadence: Ensure data lines set to low during dummy-cycle period", " - ALSA: ump: Set default protocol when not given explicitly", " - drm/amdgpu: silence UBSAN 
warning", " - null_blk: Do not allow runt zone with zone capacity smaller then zone size", " - nilfs2: fix incorrect inode allocation from reserved inodes", " - leds: mlxreg: Use devm_mutex_init() for mutex initialization", " - net: dql: Avoid calling BUG() when WARN() is enough", " - drm/xe: Add outer runtime_pm protection to xe_live_ktest@xe_dma_buf", " - bpf: mark bpf_dummy_struct_ops.test_1 parameter as nullable", " - drm/amdgpu: fix double free err_addr pointer warnings", " - drm/amd/display: Fix overlapping copy within dml_core_mode_programming", " - drm/amd/display: update pipe topology log to support subvp", " - drm/amd/display: Do not return negative stream id for array", " - drm/amd/display: ASSERT when failing to find index by plane/stream id", " - usb: xhci: prevent potential failure in handle_tx_event() for Transfer", " events without TRB", " - media: i2c: st-mipid02: Use the correct div function", " - media: tc358746: Use the correct div_ function", " - crypto: hisilicon/sec2 - fix for register offset", " - s390/pkey: Use kfree_sensitive() to fix Coccinelle warnings", " - s390/pkey: Wipe copies of clear-key structures on failure", " - s390/pkey: Wipe copies of protected- and secure-keys", " - wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values", " - wifi: mac80211: fix BSS_CHANGED_UNSOL_BCAST_PROBE_RESP", " - net: txgbe: remove separate irq request for MSI and INTx", " - net: txgbe: add extra handle for MSI/INTx into thread irq handle", " - net: txgbe: free isb resources at the right time", " - btrfs: always do the basic checks for btrfs_qgroup_inherit structure", " - net: phy: aquantia: add missing include guards", " - drm/fbdev-generic: Fix framebuffer on big endian devices", " - net: stmmac: enable HW-accelerated VLAN stripping for gmac4 only", " - net: rswitch: Avoid use-after-free in rswitch_poll()", " - ice: use proper macro for testing bit", " - drm/xe/mcr: Avoid clobbering DSS steering", " - tcp: Don't flag tcp_sk(sk)->rx_opt.saw_unknown 
for TCP AO.", " - btrfs: zoned: fix calc_available_free_space() for zoned mode", " - btrfs: fix folio refcount in __alloc_dummy_extent_buffer()", " - Bluetooth: Add quirk to ignore reserved PHY bits in LE Extended Adv Report", " - drm/xe: fix error handling in xe_migrate_update_pgtables", " - drm/ttm: Always take the bo delayed cleanup path for imported bos", " - fs: don't misleadingly warn during thaw operations", " - drm/amdkfd: Let VRAM allocations go to GTT domain on small APUs", " - drm/amdgpu: correct hbm field in boot status", " - Upstream stable to v6.6.38, v6.6.39, v6.9.9", " * Panels show garbage or flickering when i915.psr2 enabled (LP: #2069993)", " - SAUCE: drm/i915/display/psr: add a psr2 disable quirk table", " - SAUCE: drm/i915/display/psr: disable psr2 for panel_0x4d_0x10_0x93_0x15", " - SAUCE: drm/i915/display/psr: disable psr2 for panel_0x30_0xe4_0x8b_0x07", " - SAUCE: drm/i915/display/psr: disable psr2 for panel_0x30_0xe4_0x78_0x07", " - SAUCE: drm/i915/display/psr: disable psr2 for panel_0x30_0xe4_0x8c_0x07", " - SAUCE: drm/i915/display/psr: disable psr2 for panel_0x06_0xaf_0x9a_0xf9", " - SAUCE: drm/i915/display/psr: disable psr2 for panel_0x4d_0x10_0x8f_0x15", " - SAUCE: drm/i915/display/psr: disable psr2 for panel_0x06_0xaf_0xa3_0xc3", " * Random flickering with Intel i915 (Gen9 GPUs in 6th-8th gen CPUs) on Linux", " 6.8 (LP: #2062951)", " - SAUCE: iommu/intel: disable DMAR for SKL integrated gfx", " * [SRU][22.04.5]: mpi3mr driver update (LP: #2073583)", " - scsi: mpi3mr: HDB allocation and posting for hardware and firmware buffers", " - scsi: mpi3mr: Trigger support", " - scsi: mpi3mr: Add ioctl support for HDB", " - scsi: mpi3mr: Support PCI Error Recovery callback handlers", " - scsi: mpi3mr: Prevent PCI writes from driver during PCI error recovery", " - scsi: mpi3mr: Driver version update", " * Fix power consumption while using HW accelerated video decode on AMD", " platforms (LP: #2073282)", " - drm/amdgpu/vcn: identify unified queue 
in sw init", " - drm/amdgpu/vcn: not pause dpg for unified queue", " * Noble update: upstream stable patchset 2024-08-09 (LP: #2076435)", " - usb: typec: ucsi: Never send a lone connector change ack", " - usb: typec: ucsi: Ack also failed Get Error commands", " - Input: ili210x - fix ili251x_read_touch_data() return value", " - pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER", " - pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins", " - pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins", " - pinctrl: rockchip: use dedicated pinctrl type for RK3328", " - pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set", " - MIPS: pci: lantiq: restore reset gpio polarity", " - ASoC: rockchip: i2s-tdm: Fix trcm mode by setting clock on right mclk", " - ASoC: mediatek: mt8183-da7219-max98357: Fix kcontrol name collision", " - ASoC: atmel: atmel-classd: Re-add dai_link->platform to fix card init", " - workqueue: Increase worker desc's length to 32", " - ASoC: q6apm-lpass-dai: close graph on prepare errors", " - bpf: Add missed var_off setting in set_sext32_default_val()", " - bpf: Add missed var_off setting in coerce_subreg_to_size_sx()", " - s390/pci: Add missing virt_to_phys() for directed DIBV", " - ASoC: amd: acp: add a null check for chip_pdev structure", " - ASoC: amd: acp: remove i2s configuration check in acp_i2s_probe()", " - ASoC: fsl-asoc-card: set priv->pdev before using it", " - net: dsa: microchip: fix initial port flush problem", " - openvswitch: get related ct labels from its master if it is not confirmed", " - mlxsw: spectrum_buffers: Fix memory corruptions on Spectrum-4 systems", " - ibmvnic: Free any outstanding tx skbs during scrq reset", " - net: phy: micrel: add Microchip KSZ 9477 to the device table", " - net: dsa: microchip: use collision based back pressure mode", " - ice: Rebuild TC queues on VSI queue reconfiguration", " - xdp: Remove WARN() from __xdp_reg_mem_model()", " - netfilter: fix undefined reference to 
'netfilter_lwtunnel_*' when", " CONFIG_SYSCTL=n", " - btrfs: use NOFS context when getting inodes during logging and log replay", " - Fix race for duplicate reqsk on identical SYN", " - ALSA: seq: Fix missing channel at encoding RPN/NRPN MIDI2 messages", " - net: dsa: microchip: fix wrong register write when masking interrupt", " - sparc: fix old compat_sys_select()", " - sparc: fix compat recv/recvfrom syscalls", " - parisc: use correct compat recv/recvfrom syscalls", " - powerpc: restore some missing spu syscalls", " - tcp: fix tcp_rcv_fastopen_synack() to enter TCP_CA_Loss for failed TFO", " - ALSA: seq: Fix missing MSB in MIDI2 SPP conversion", " - netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data", " registers", " - net: mana: Fix possible double free in error handling path", " - drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep", " - vduse: validate block features only with block devices", " - vduse: Temporarily fail if control queue feature requested", " - x86/fpu: Fix AMD X86_BUG_FXSAVE_LEAK fixup", " - mtd: partitions: redboot: Added conversion of operands to a larger type", " - wifi: ieee80211: check for NULL in ieee80211_mle_size_ok()", " - bpf: Mark bpf prog stack with kmsan_unposion_memory in interpreter mode", " - RDMA/restrack: Fix potential invalid address access", " - net/iucv: Avoid explicit cpumask var allocation on stack", " - net/dpaa2: Avoid explicit cpumask var allocation on stack", " - crypto: ecdh - explicitly zeroize private_key", " - ALSA: emux: improve patch ioctl data validation", " - media: dvbdev: Initialize sbuf", " - irqchip/loongson: Select GENERIC_IRQ_EFFECTIVE_AFF_MASK if SMP for", " IRQ_LOONGARCH_CPU", " - soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message", " - gfs2: Fix NULL pointer dereference in gfs2_log_flush", " - drm/radeon/radeon_display: Decrease the size of allocated memory", " - nvme: fixup comment for nvme RDMA Provider Type", " - drm/panel: simple: Add 
missing display timing flags for KOE TX26D202VM0BWA", " - gpio: davinci: Validate the obtained number of IRQs", " - RISC-V: fix vector insn load/store width mask", " - drm/amdgpu: Fix pci state save during mode-1 reset", " - riscv: stacktrace: convert arch_stack_walk() to noinstr", " - gpiolib: cdev: Disallow reconfiguration without direction (uAPI v1)", " - randomize_kstack: Remove non-functional per-arch entropy filtering", " - x86: stop playing stack games in profile_pc()", " - parisc: use generic sys_fanotify_mark implementation", " - Revert \"MIPS: pci: lantiq: restore reset gpio polarity\"", " - pinctrl: qcom: spmi-gpio: drop broken pm8008 support", " - ocfs2: fix DIO failure due to insufficient transaction credits", " - nfs: drop the incorrect assertion in nfs_swap_rw()", " - mm: fix incorrect vbq reference in purge_fragmented_block", " - mmc: sdhci-pci-o2micro: Convert PCIBIOS_* return codes to errnos", " - mmc: sdhci-brcmstb: check R1_STATUS for erase/trim/discard", " - mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos", " - mmc: sdhci: Do not invert write-protect twice", " - mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro()", " - iio: xilinx-ams: Don't include ams_ctrl_channels in scan_mask", " - counter: ti-eqep: enable clock at probe", " - kbuild: doc: Update default INSTALL_MOD_DIR from extra to updates", " - kbuild: Fix build target deb-pkg: ln: failed to create hard link", " - i2c: testunit: don't erase registers after STOP", " - i2c: testunit: discard write requests while old command is running", " - ata: libata-core: Fix null pointer dereference on error", " - ata,scsi: libata-core: Do not leak memory for ata_port struct members", " - iio: adc: ad7266: Fix variable checking bug", " - iio: accel: fxls8962af: select IIO_BUFFER & IIO_KFIFO_BUF", " - iio: chemical: bme680: Fix pressure value output", " - iio: chemical: bme680: Fix calibration data variable", " - iio: chemical: bme680: Fix overflows in compensate() functions", " - iio: 
chemical: bme680: Fix sensor data read operation", " - net: usb: ax88179_178a: improve link status logs", " - usb: gadget: printer: SS+ support", " - usb: gadget: printer: fix races against disable", " - usb: musb: da8xx: fix a resource leak in probe()", " - usb: atm: cxacru: fix endpoint checking in cxacru_bind()", " - usb: dwc3: core: remove lock of otg mode during gadget suspend/resume to", " avoid deadlock", " - usb: gadget: aspeed_udc: fix device address configuration", " - usb: typec: ucsi: glink: fix child node release in probe function", " - usb: ucsi: stm32: fix command completion handling", " - usb: dwc3: core: Add DWC31 version 2.00a controller", " - usb: dwc3: core: Workaround for CSR read timeout", " - Revert \"serial: core: only stop transmit when HW fifo is empty\"", " - serial: 8250_omap: Implementation of Errata i2310", " - serial: imx: set receiver level before starting uart", " - serial: core: introduce uart_port_tx_limited_flags()", " - serial: bcm63xx-uart: fix tx after conversion to uart_port_tx_limited()", " - tty: mcf: MCF54418 has 10 UARTS", " - net: can: j1939: Initialize unused data in j1939_send_one()", " - net: can: j1939: recover socket queue on CAN bus error during BAM", " transmission", " - net: can: j1939: enhanced error handling for tightly received RTS messages", " in xtp_rx_rts_session_new", " - PCI/MSI: Fix UAF in msi_capability_init", " - cpufreq: intel_pstate: Use HWP to initialize ITMT if CPPC is missing", " - irqchip/loongson-eiointc: Use early_cpu_to_node() instead of cpu_to_node()", " - cpu/hotplug: Fix dynstate assignment in __cpuhp_setup_state_cpuslocked()", " - irqchip/loongson-liointc: Set different ISRs for different cores", " - kbuild: Install dtb files as 0644 in Makefile.dtbinst", " - sh: rework sync_file_range ABI", " - btrfs: zoned: fix initial free space detection", " - csky, hexagon: fix broken sys_sync_file_range", " - hexagon: fix fadvise64_64 calling conventions", " - drm/drm_file: Fix pid refcounting race", 
" - drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes", " - drm/fbdev-dma: Only set smem_start is enable per module option", " - drm/amdgpu: avoid using null object of framebuffer", " - drm/i915/gt: Fix potential UAF by revoke of fence registers", " - drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes", " - drm/amd/display: Send DP_TOTAL_LTTPR_CNT during detection if LTTPR is", " present", " - drm/amdgpu/atomfirmware: fix parsing of vram_info", " - batman-adv: Don't accept TT entries for out-of-spec VIDs", " - can: mcp251xfd: fix infinite loop when xmit fails", " - ata: ahci: Clean up sysfs file on error", " - ata: libata-core: Fix double free on error", " - ftruncate: pass a signed offset", " - syscalls: fix compat_sys_io_pgetevents_time64 usage", " - syscalls: fix sys_fanotify_mark prototype", " - Revert \"cpufreq: amd-pstate: Fix the inconsistency in max frequency units\"", " - mm/page_alloc: Separate THP PCP into movable and non-movable categories", " - arm64: dts: rockchip: Fix SD NAND and eMMC init on rk3308-rock-pi-s", " - arm64: dts: rockchip: Rename LED related pinctrl nodes on rk3308-rock-pi-s", " - arm64: dts: rockchip: Fix the value of `dlg,jack-det-rate` mismatch on", " rk3399-gru", " - ARM: dts: rockchip: rk3066a: add #sound-dai-cells to hdmi node", " - arm64: dts: rockchip: make poweroff(8) work on Radxa ROCK 5A", " - arm64: dts: rockchip: fix PMIC interrupt pin on ROCK Pi E", " - arm64: dts: rockchip: Add sound-dai-cells for RK3368", " - cxl/region: Move cxl_dpa_to_region() work to the region driver", " - cxl/region: Avoid null pointer dereference in region lookup", " - cxl/region: check interleave capability", " - serial: imx: only set receiver level if it is zero", " - serial: 8250_omap: Fix Errata i2310 with RX FIFO level check", " - tracing/net_sched: NULL pointer dereference in perf_trace_qdisc_reset()", " - pwm: stm32: Improve precision of calculation in .apply()", " - pwm: stm32: Fix for 
settings using period > UINT32_MAX", " - pwm: stm32: Calculate prescaler with a division instead of a loop", " - pwm: stm32: Refuse too small period requests", " - ASoC: cs42l43: Increase default type detect time and button delay", " - ASoC: amd: acp: move chip->flag variable assignment", " - bonding: fix incorrect software timestamping report", " - mlxsw: pci: Fix driver initialization with Spectrum-4", " - vxlan: Pull inner IP header in vxlan_xmit_one().", " - ASoC: mediatek: mt8195: Add platform entry for ETDM1_OUT_BE dai link", " - af_unix: Stop recv(MSG_PEEK) at consumed OOB skb.", " - af_unix: Don't stop recv(MSG_DONTWAIT) if consumed OOB skb is at the head.", " - af_unix: Don't stop recv() at consumed ex-OOB skb.", " - af_unix: Fix wrong ioctl(SIOCATMARK) when consumed OOB skb is at the head.", " - bpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro()", " - bpf: Take return from set_memory_rox() into account with", " bpf_jit_binary_lock_ro()", " - drm/xe: Fix potential integer overflow in page size calculation", " - drm/xe: Add a NULL check in xe_ttm_stolen_mgr_init", " - drm/amd/display: correct hostvm flag", " - drm/amd/display: Skip pipe if the pipe idx not set properly", " - bpf: Add a check for struct bpf_fib_lookup size", " - drm/xe/xe_devcoredump: Check NULL before assignments", " - iommu/arm-smmu-v3: Do not allow a SVA domain to be set on the wrong PASID", " - evm: Enforce signatures on unsupported filesystem for EVM_INIT_X509", " - drm/xe: Check pat.ops before dumping PAT settings", " - nvmet: do not return 'reserved' for empty TSAS values", " - nvmet: make 'tsas' attribute idempotent for RDMA", " - iommu/amd: Fix GT feature enablement again", " - gpiolib: cdev: Ignore reconfiguration without direction", " - kasan: fix bad call to unpoison_slab_object", " - mm/memory: don't require head page for do_set_pmd()", " - SUNRPC: Fix backchannel reply, again", " - Revert \"usb: gadget: u_ether: Re-attach netif device to mirror 
detachment\"", " - Revert \"usb: gadget: u_ether: Replace netif_stop_queue with", " netif_device_detach\"", " - tty: serial: 8250: Fix port count mismatch with the device", " - tty: mxser: Remove __counted_by from mxser_board.ports[]", " - nvmet-fc: Remove __counted_by from nvmet_fc_tgt_queue.fod[]", " - ata: libata-core: Add ATA_HORKAGE_NOLPM for all Crucial BX SSD1 models", " - bcachefs: Fix sb_field_downgrade validation", " - bcachefs: Fix sb-downgrade validation", " - bcachefs: Fix bch2_sb_downgrade_update()", " - bcachefs: Fix setting of downgrade recovery passes/errors", " - bcachefs: btree_gc can now handle unknown btrees", " - pwm: stm32: Fix calculation of prescaler", " - pwm: stm32: Fix error message to not describe the previous error path", " - cxl/region: Convert cxl_pmem_region_alloc to scope-based resource management", " - cxl/mem: Fix no cxl_nvd during pmem region auto-assembling", " - arm64: dts: rockchip: Fix the i2c address of es8316 on Cool Pi 4B", " - netfs: Fix netfs_page_mkwrite() to check folio->mapping is valid", " - netfs: Fix netfs_page_mkwrite() to flush conflicting data, not wait", " - Upstream stable to v6.6.37, v6.9.8", " * [UBUNTU 22.04] s390/cpum_cf: make crypto counters upward compatible", " (LP: #2074380)", " - s390/cpum_cf: make crypto counters upward compatible across machine types", " * CVE-2024-45016", " - netem: fix return value if duplicate enqueue fails", "" ], "package": "linux-riscv-6.8", "version": "6.8.0-48.48.1~22.04.2", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2082433, 2082434, 2074082, 2082437, 2077470, 2078834, 2077729, 2076866, 2076147, 2070329, 2076406, 2076190, 2077321, 2076402, 2077396, 2060039, 2079945, 2078304, 2078041, 2077690, 2077858, 2078289, 2076675, 2078289, 2073695, 2076361, 2072679, 2077600, 2069993, 2062951, 2073583, 2073282, 2076435, 2074380 ], "author": "Emil Renner Berthing ", "date": "Wed, 16 Oct 2024 20:35:45 +0200" }, { "cves": [ { "cve": "CVE-2024-45016", "url": 
"https://ubuntu.com/security/CVE-2024-45016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug happen: - If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. 
The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.", "cve_priority": "medium", "cve_public_date": "2024-09-11 16:15:00 UTC" } ], "log": [ "", " * jammy/linux-riscv-6.8: 6.8.0-47.47.1~22.04.1 -proposed tracker", " (LP: #2082114)", "", " [ Ubuntu: 6.8.0-47.47.1 ]", "", " * noble/linux-riscv: 6.8.0-47.47.1 -proposed tracker (LP: #2082115)", " [ Ubuntu: 6.8.0-47.47 ]", " * noble/linux: 6.8.0-47.47 -proposed tracker (LP: #2082118)", " * CVE-2024-45016", " - netem: fix return value if duplicate enqueue fails", "" ], "package": "linux-riscv-6.8", "version": "6.8.0-47.47.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2082114, 2082115, 2082118 ], "author": "Emil Renner Berthing ", "date": "Wed, 09 Oct 2024 17:06:48 +0200" }, { "cves": [ { "cve": "CVE-2024-41009", "url": "https://ubuntu.com/security/CVE-2024-41009", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix overrunning reservations in ringbuf The BPF ring buffer internally is implemented as a power-of-2 sized circular buffer, with two logical and ever-increasing counters: consumer_pos is the consumer counter to show which logical position the consumer consumed the data, and producer_pos which is the producer counter denoting the amount of data reserved by all producers. Each time a record is reserved, the producer that \"owns\" the record will successfully advance producer counter. In user space each time a record is read, the consumer of the data advanced the consumer counter once it finished processing. Both counters are stored in separate pages so that from user space, the producer counter is read-only and the consumer counter is read-write. 
One aspect that simplifies and thus speeds up the implementation of both producers and consumers is how the data area is mapped twice contiguously back-to-back in the virtual memory, allowing to not take any special measures for samples that have to wrap around at the end of the circular buffer data area, because the next page after the last data page would be first data page again, and thus the sample will still appear completely contiguous in virtual memory. Each record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for book-keeping the length and offset, and is inaccessible to the BPF program. Helpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ` for the BPF program to use. Bing-Jhong and Muhammad reported that it is however possible to make a second allocated memory chunk overlapping with the first chunk and as a result, the BPF program is now able to edit first chunk's header. For example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size of 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to bpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in [0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets allocate a chunk B with size 0x3000. This will succeed because consumer_pos was edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask` check. Chunk B will be in range [0x3008,0x6010], and the BPF program is able to edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned earlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data pages. This means that chunk B at [0x4000,0x4008] is chunk A's header. bpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then locate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk B modified chunk A's header, then bpf_ringbuf_commit() refers to the wrong page and could cause a crash. 
Fix it by calculating the oldest pending_pos and check whether the range from the oldest outstanding record to the newest would span beyond the ring buffer size. If that is the case, then reject the request. We've tested with the ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh) before/after the fix and while it seems a bit slower on some benchmarks, it is still not significantly enough to matter.", "cve_priority": "medium", "cve_public_date": "2024-07-17 07:15:00 UTC" }, { "cve": "CVE-2024-42160", "url": "https://ubuntu.com/security/CVE-2024-42160", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: f2fs: check validation of fault attrs in f2fs_build_fault_attr() - It missed to check validation of fault attrs in parse_options(), let's fix to add check condition in f2fs_build_fault_attr(). - Use f2fs_build_fault_attr() in __sbi_store() to clean up code.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-42224", "url": "https://ubuntu.com/security/CVE-2024-42224", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: dsa: mv88e6xxx: Correct check for empty list Since commit a3c53be55c95 (\"net: dsa: mv88e6xxx: Support multiple MDIO busses\") mv88e6xxx_default_mdio_bus() has checked that the return value of list_first_entry() is non-NULL. This appears to be intended to guard against the list chip->mdios being empty. However, it is not the correct check as the implementation of list_first_entry is not designed to return NULL for empty lists. Instead, use list_first_entry_or_null() which does return NULL if the list is empty. Flagged by Smatch. 
Compile tested only.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-42154", "url": "https://ubuntu.com/security/CVE-2024-42154", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp_metrics: validate source addr length I don't see anything checking that TCP_METRICS_ATTR_SADDR_IPV4 is at least 4 bytes long, and the policy doesn't have an entry for this attribute at all (neither does it for IPv6 but v6 is manually validated).", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-42228", "url": "https://ubuntu.com/security/CVE-2024-42228", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. V2: To really improve the handling we would actually need to have a separate value of 0xffffffff.(Christian)", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-42159", "url": "https://ubuntu.com/security/CVE-2024-42159", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Sanitise num_phys Information is stored in mr_sas_port->phy_mask, values larger then size of this field shouldn't be allowed.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" } ], "log": [ "", " * jammy/linux-riscv-6.8: 6.8.0-45.45.1~22.04.1 -proposed tracker", " (LP: #2078096)", "", " [ Ubuntu: 6.8.0-45.45.1 ]", "", " * noble/linux-riscv: 6.8.0-45.45.1 -proposed tracker (LP: #2078097)", " [ Ubuntu: 6.8.0-45.45 ]", " * noble/linux: 6.8.0-45.45 -proposed tracker (LP: #2078100)", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.master/dkms-versions -- update from kernel-versions", " (main/s2024.08.05)", " * Noble update: upstream stable patchset 2024-08-09 (LP: #2076435) 
//", " CVE-2024-41009", " - bpf: Fix overrunning reservations in ringbuf", " * CVE-2024-42160", " - f2fs: check validation of fault attrs in f2fs_build_fault_attr()", " - f2fs: Add inline to f2fs_build_fault_attr() stub", " * Noble update: upstream stable patchset 2024-08-22 (LP: #2077600) //", " CVE-2024-42224", " - net: dsa: mv88e6xxx: Correct check for empty list", " * Noble update: upstream stable patchset 2024-08-22 (LP: #2077600) //", " CVE-2024-42154", " - tcp_metrics: validate source addr length", " * CVE-2024-42228", " - drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc", " * CVE-2024-42159", " - scsi: mpi3mr: Sanitise num_phys", "" ], "package": "linux-riscv-6.8", "version": "6.8.0-45.45.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2078096, 2078097, 2078100, 1786013, 2076435, 2077600, 2077600 ], "author": "Roxana Nicolescu ", "date": "Mon, 02 Sep 2024 11:50:42 +0200" } ], "notes": "linux-image-6.8.0-49-generic version '6.8.0-49.49.1~22.04.1' (source package linux-riscv-6.8 version '6.8.0-49.49.1~22.04.1') was added. linux-image-6.8.0-49-generic version '6.8.0-49.49.1~22.04.1' has the same source package name, linux-riscv-6.8, as removed package linux-headers-6.8.0-44-generic. As such we can use the source package version of the removed package, '6.8.0-44.44.1~22.04.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." 
}, { "name": "linux-modules-6.8.0-49-generic", "from_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-44.44.1~22.04.1", "version": null }, "to_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-49.49.1~22.04.1", "version": "6.8.0-49.49.1~22.04.1" }, "cves": [ { "cve": "CVE-2024-46800", "url": "https://ubuntu.com/security/CVE-2024-46800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sch/netem: fix use after free in netem_dequeue If netem_dequeue() enqueues packet to inner qdisc and that qdisc returns __NET_XMIT_STOLEN. The packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, leading to the similar use-after-free as Commit e04991a48dbaf382 (\"netem: fix return value if duplicate enqueue fails\") Commands to trigger KASAN UaF: ip link add type dummy ip link set lo up ip link set dummy0 up tc qdisc add dev lo parent root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2: handle 3: drr tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0 tc class add dev lo classid 3:1 drr ping -c1 -W0.01 localhost # Trigger bug tc class del dev lo classid 1:1 tc class add dev lo classid 1:1 drr ping -c1 -W0.01 localhost # UaF", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-43882", "url": "https://ubuntu.com/security/CVE-2024-43882", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: exec: Fix ToCToU between perm check and set-uid/gid usage When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. 
Much later in the execve() code path, the file metadata (specifically mode, uid, and gid) is used to determine if/how to set the uid and gid. However, those values may have changed since the permissions check, meaning the execution may gain unintended privileges. For example, if a file could change permissions from executable and not set-id: ---------x 1 root root 16048 Aug 7 13:16 target to set-id and non-executable: ---S------ 1 root root 16048 Aug 7 13:16 target it is possible to gain root privileges when execution should have been disallowed. While this race condition is rare in real-world scenarios, it has been observed (and proven exploitable) when package managers are updating the setuid bits of installed programs. Such files start with being world-executable but then are adjusted to be group-exec with a set-uid bit. For example, \"chmod o-x,u+s target\" makes \"target\" executable only by uid \"root\" and gid \"cdrom\", while also becoming setuid-root: -rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target becomes: -rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target But racing the chmod means users without group \"cdrom\" membership can get the permission to execute \"target\" just before the chmod, and when the chmod finishes, the exec reaches bprm_fill_uid(), and performs the setuid to root, violating the expressed authorization of \"only cdrom group members can setuid to root\". Re-check that we still have execute permissions in case the metadata has changed. It would be better to keep a copy from the perm-check time, but until we can do that refactoring, the least-bad option is to do a full inode_permission() call (under inode lock). 
It is understood that this is safe against dead-locks, but hardly optimal.", "cve_priority": "high", "cve_public_date": "2024-08-21 01:15:00 UTC" }, { "cve": "CVE-2024-43858", "url": "https://ubuntu.com/security/CVE-2024-43858", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: Fix array-index-out-of-bounds in diFree", "cve_priority": "medium", "cve_public_date": "2024-08-17 10:15:00 UTC" }, { "cve": "CVE-2024-42280", "url": "https://ubuntu.com/security/CVE-2024-42280", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mISDN: Fix a use after free in hfcmulti_tx() Don't dereference *sp after calling dev_kfree_skb(*sp).", "cve_priority": "medium", "cve_public_date": "2024-08-17 09:15:00 UTC" }, { "cve": "CVE-2024-42271", "url": "https://ubuntu.com/security/CVE-2024-42271", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/iucv: fix use after free in iucv_sock_close() iucv_sever_path() is called from process context and from bh context. iucv->path is used as indicator whether somebody else is taking care of severing the path (or it is already removed / never existed). This needs to be done with atomic compare and swap, otherwise there is a small window where iucv_sock_close() will try to work with a path that has already been severed and freed by iucv_callback_connrej() called by iucv_tasklet_fn(). 
Example: [452744.123844] Call Trace: [452744.123845] ([<0000001e87f03880>] 0x1e87f03880) [452744.123966] [<00000000d593001e>] iucv_path_sever+0x96/0x138 [452744.124330] [<000003ff801ddbca>] iucv_sever_path+0xc2/0xd0 [af_iucv] [452744.124336] [<000003ff801e01b6>] iucv_sock_close+0xa6/0x310 [af_iucv] [452744.124341] [<000003ff801e08cc>] iucv_sock_release+0x3c/0xd0 [af_iucv] [452744.124345] [<00000000d574794e>] __sock_release+0x5e/0xe8 [452744.124815] [<00000000d5747a0c>] sock_close+0x34/0x48 [452744.124820] [<00000000d5421642>] __fput+0xba/0x268 [452744.124826] [<00000000d51b382c>] task_work_run+0xbc/0xf0 [452744.124832] [<00000000d5145710>] do_notify_resume+0x88/0x90 [452744.124841] [<00000000d5978096>] system_call+0xe2/0x2c8 [452744.125319] Last Breaking-Event-Address: [452744.125321] [<00000000d5930018>] iucv_path_sever+0x90/0x138 [452744.125324] [452744.125325] Kernel panic - not syncing: Fatal exception in interrupt Note that bh_lock_sock() is not serializing the tasklet context against process context, because the check for sock_owned_by_user() and corresponding handling is missing. Ideas for a future clean-up patch: A) Correct usage of bh_lock_sock() in tasklet context, as described in Re-enqueue, if needed. This may require adding return values to the tasklet functions and thus changes to all users of iucv. B) Change iucv tasklet into worker and use only lock_sock() in af_iucv.", "cve_priority": "medium", "cve_public_date": "2024-08-17 09:15:00 UTC" }, { "cve": "CVE-2024-27022", "url": "https://ubuntu.com/security/CVE-2024-27022", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fork: defer linking file vma until vma is fully initialized Thorvald reported a WARNING [1]. And the root cause is below race: CPU 1 CPU 2 fork hugetlbfs_fallocate dup_mmap hugetlbfs_punch_hole i_mmap_lock_write(mapping); vma_interval_tree_insert_after -- Child vma is visible through i_mmap tree. 
i_mmap_unlock_write(mapping); hugetlb_dup_vma_private -- Clear vma_lock outside i_mmap_rwsem! i_mmap_lock_write(mapping); hugetlb_vmdelete_list vma_interval_tree_foreach hugetlb_vma_trylock_write -- Vma_lock is cleared. tmp->vm_ops->open -- Alloc new vma_lock outside i_mmap_rwsem! hugetlb_vma_unlock_write -- Vma_lock is assigned!!! i_mmap_unlock_write(mapping); hugetlb_dup_vma_private() and hugetlb_vm_op_open() are called outside i_mmap_rwsem lock while vma lock can be used in the same time. Fix this by deferring linking file vma until vma is fully initialized. Those vmas should be initialized first before they can be used.", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-41022", "url": "https://ubuntu.com/security/CVE-2024-41022", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq() The \"instance\" variable needs to be signed for the error handling to work.", "cve_priority": "medium", "cve_public_date": "2024-07-29 14:15:00 UTC" }, { "cve": "CVE-2024-45016", "url": "https://ubuntu.com/security/CVE-2024-45016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug happen: - If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. 
- If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.", "cve_priority": "medium", "cve_public_date": "2024-09-11 16:15:00 UTC" }, { "cve": "CVE-2024-45016", "url": "https://ubuntu.com/security/CVE-2024-45016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug happen: - If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. 
The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.", "cve_priority": "medium", "cve_public_date": "2024-09-11 16:15:00 UTC" }, { "cve": "CVE-2024-41009", "url": "https://ubuntu.com/security/CVE-2024-41009", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix overrunning reservations in ringbuf The BPF ring buffer internally is implemented as a power-of-2 sized circular buffer, with two logical and ever-increasing counters: consumer_pos is the consumer counter to show which logical position the consumer consumed the data, and producer_pos which is the producer counter denoting the amount of data reserved by all producers. Each time a record is reserved, the producer that \"owns\" the record will successfully advance producer counter. In user space each time a record is read, the consumer of the data advanced the consumer counter once it finished processing. Both counters are stored in separate pages so that from user space, the producer counter is read-only and the consumer counter is read-write. One aspect that simplifies and thus speeds up the implementation of both producers and consumers is how the data area is mapped twice contiguously back-to-back in the virtual memory, allowing to not take any special measures for samples that have to wrap around at the end of the circular buffer data area, because the next page after the last data page would be first data page again, and thus the sample will still appear completely contiguous in virtual memory. Each record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for book-keeping the length and offset, and is inaccessible to the BPF program. Helpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ` for the BPF program to use. 
Bing-Jhong and Muhammad reported that it is however possible to make a second allocated memory chunk overlapping with the first chunk and as a result, the BPF program is now able to edit first chunk's header. For example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size of 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to bpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in [0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets allocate a chunk B with size 0x3000. This will succeed because consumer_pos was edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask` check. Chunk B will be in range [0x3008,0x6010], and the BPF program is able to edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned earlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data pages. This means that chunk B at [0x4000,0x4008] is chunk A's header. bpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then locate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk B modified chunk A's header, then bpf_ringbuf_commit() refers to the wrong page and could cause a crash. Fix it by calculating the oldest pending_pos and check whether the range from the oldest outstanding record to the newest would span beyond the ring buffer size. If that is the case, then reject the request. 
We've tested with the ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh) before/after the fix and while it seems a bit slower on some benchmarks, it is still not significantly enough to matter.", "cve_priority": "medium", "cve_public_date": "2024-07-17 07:15:00 UTC" }, { "cve": "CVE-2024-42160", "url": "https://ubuntu.com/security/CVE-2024-42160", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: f2fs: check validation of fault attrs in f2fs_build_fault_attr() - It missed to check validation of fault attrs in parse_options(), let's fix to add check condition in f2fs_build_fault_attr(). - Use f2fs_build_fault_attr() in __sbi_store() to clean up code.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-42224", "url": "https://ubuntu.com/security/CVE-2024-42224", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: dsa: mv88e6xxx: Correct check for empty list Since commit a3c53be55c95 (\"net: dsa: mv88e6xxx: Support multiple MDIO busses\") mv88e6xxx_default_mdio_bus() has checked that the return value of list_first_entry() is non-NULL. This appears to be intended to guard against the list chip->mdios being empty. However, it is not the correct check as the implementation of list_first_entry is not designed to return NULL for empty lists. Instead, use list_first_entry_or_null() which does return NULL if the list is empty. Flagged by Smatch. 
Compile tested only.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-42154", "url": "https://ubuntu.com/security/CVE-2024-42154", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp_metrics: validate source addr length I don't see anything checking that TCP_METRICS_ATTR_SADDR_IPV4 is at least 4 bytes long, and the policy doesn't have an entry for this attribute at all (neither does it for IPv6 but v6 is manually validated).", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-42228", "url": "https://ubuntu.com/security/CVE-2024-42228", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. V2: To really improve the handling we would actually need to have a separate value of 0xffffffff.(Christian)", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-42159", "url": "https://ubuntu.com/security/CVE-2024-42159", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Sanitise num_phys Information is stored in mr_sas_port->phy_mask, values larger then size of this field shouldn't be allowed.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2085938, 2085939, 2085942, 2085495, 2082433, 2082434, 2074082, 2082437, 2077470, 2078834, 2077729, 2076866, 2076147, 2070329, 2076406, 2076190, 2077321, 2076402, 2077396, 2060039, 2079945, 2078304, 2078041, 2077690, 2077858, 2078289, 2076675, 2078289, 2073695, 2076361, 2072679, 2077600, 2069993, 2062951, 2073583, 2073282, 2076435, 2074380, 2082114, 2082115, 2082118, 2078096, 2078097, 2078100, 1786013, 2076435, 2077600, 2077600 ], "changes": [ { "cves": [ { "cve": "CVE-2024-46800", 
"url": "https://ubuntu.com/security/CVE-2024-46800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sch/netem: fix use after free in netem_dequeue If netem_dequeue() enqueues packet to inner qdisc and that qdisc returns __NET_XMIT_STOLEN. The packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, leading to the similar use-after-free as Commit e04991a48dbaf382 (\"netem: fix return value if duplicate enqueue fails\") Commands to trigger KASAN UaF: ip link add type dummy ip link set lo up ip link set dummy0 up tc qdisc add dev lo parent root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2: handle 3: drr tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0 tc class add dev lo classid 3:1 drr ping -c1 -W0.01 localhost # Trigger bug tc class del dev lo classid 1:1 tc class add dev lo classid 1:1 drr ping -c1 -W0.01 localhost # UaF", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-43882", "url": "https://ubuntu.com/security/CVE-2024-43882", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: exec: Fix ToCToU between perm check and set-uid/gid usage When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. Much later in the execve() code path, the file metadata (specifically mode, uid, and gid) is used to determine if/how to set the uid and gid. However, those values may have changed since the permissions check, meaning the execution may gain unintended privileges. 
For example, if a file could change permissions from executable and not set-id: ---------x 1 root root 16048 Aug 7 13:16 target to set-id and non-executable: ---S------ 1 root root 16048 Aug 7 13:16 target it is possible to gain root privileges when execution should have been disallowed. While this race condition is rare in real-world scenarios, it has been observed (and proven exploitable) when package managers are updating the setuid bits of installed programs. Such files start with being world-executable but then are adjusted to be group-exec with a set-uid bit. For example, \"chmod o-x,u+s target\" makes \"target\" executable only by uid \"root\" and gid \"cdrom\", while also becoming setuid-root: -rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target becomes: -rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target But racing the chmod means users without group \"cdrom\" membership can get the permission to execute \"target\" just before the chmod, and when the chmod finishes, the exec reaches bprm_fill_uid(), and performs the setuid to root, violating the expressed authorization of \"only cdrom group members can setuid to root\". Re-check that we still have execute permissions in case the metadata has changed. It would be better to keep a copy from the perm-check time, but until we can do that refactoring, the least-bad option is to do a full inode_permission() call (under inode lock). 
It is understood that this is safe against dead-locks, but hardly optimal.", "cve_priority": "high", "cve_public_date": "2024-08-21 01:15:00 UTC" } ], "log": [ "", " * jammy/linux-riscv-6.8: 6.8.0-49.49.1~22.04.1 -proposed tracker", " (LP: #2085938)", "", " [ Ubuntu: 6.8.0-49.49.1 ]", "", " * noble/linux-riscv: 6.8.0-49.49.1 -proposed tracker (LP: #2085939)", " [ Ubuntu: 6.8.0-49.49 ]", " * noble/linux: 6.8.0-49.49 -proposed tracker (LP: #2085942)", " * CVE-2024-46800", " - sch/netem: fix use after free in netem_dequeue", " * mm/folios: xfs hangs with hung task timeouts with corrupted folio pointer", " lists (LP: #2085495)", " - lib/xarray: introduce a new helper xas_get_order", " - mm/filemap: return early if failed to allocate memory for split", " - mm/filemap: optimize filemap folio adding", " * CVE-2024-43882", " - exec: Fix ToCToU between perm check and set-uid/gid usage", "" ], "package": "linux-riscv-6.8", "version": "6.8.0-49.49.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2085938, 2085939, 2085942, 2085495 ], "author": "Emil Renner Berthing ", "date": "Thu, 07 Nov 2024 13:26:02 +0100" }, { "cves": [ { "cve": "CVE-2024-43858", "url": "https://ubuntu.com/security/CVE-2024-43858", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: Fix array-index-out-of-bounds in diFree", "cve_priority": "medium", "cve_public_date": "2024-08-17 10:15:00 UTC" }, { "cve": "CVE-2024-42280", "url": "https://ubuntu.com/security/CVE-2024-42280", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mISDN: Fix a use after free in hfcmulti_tx() Don't dereference *sp after calling dev_kfree_skb(*sp).", "cve_priority": "medium", "cve_public_date": "2024-08-17 09:15:00 UTC" }, { "cve": "CVE-2024-42271", "url": "https://ubuntu.com/security/CVE-2024-42271", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/iucv: fix use after free in 
iucv_sock_close() iucv_sever_path() is called from process context and from bh context. iucv->path is used as indicator whether somebody else is taking care of severing the path (or it is already removed / never existed). This needs to be done with atomic compare and swap, otherwise there is a small window where iucv_sock_close() will try to work with a path that has already been severed and freed by iucv_callback_connrej() called by iucv_tasklet_fn(). Example: [452744.123844] Call Trace: [452744.123845] ([<0000001e87f03880>] 0x1e87f03880) [452744.123966] [<00000000d593001e>] iucv_path_sever+0x96/0x138 [452744.124330] [<000003ff801ddbca>] iucv_sever_path+0xc2/0xd0 [af_iucv] [452744.124336] [<000003ff801e01b6>] iucv_sock_close+0xa6/0x310 [af_iucv] [452744.124341] [<000003ff801e08cc>] iucv_sock_release+0x3c/0xd0 [af_iucv] [452744.124345] [<00000000d574794e>] __sock_release+0x5e/0xe8 [452744.124815] [<00000000d5747a0c>] sock_close+0x34/0x48 [452744.124820] [<00000000d5421642>] __fput+0xba/0x268 [452744.124826] [<00000000d51b382c>] task_work_run+0xbc/0xf0 [452744.124832] [<00000000d5145710>] do_notify_resume+0x88/0x90 [452744.124841] [<00000000d5978096>] system_call+0xe2/0x2c8 [452744.125319] Last Breaking-Event-Address: [452744.125321] [<00000000d5930018>] iucv_path_sever+0x90/0x138 [452744.125324] [452744.125325] Kernel panic - not syncing: Fatal exception in interrupt Note that bh_lock_sock() is not serializing the tasklet context against process context, because the check for sock_owned_by_user() and corresponding handling is missing. Ideas for a future clean-up patch: A) Correct usage of bh_lock_sock() in tasklet context, as described in Re-enqueue, if needed. This may require adding return values to the tasklet functions and thus changes to all users of iucv. 
B) Change iucv tasklet into worker and use only lock_sock() in af_iucv.", "cve_priority": "medium", "cve_public_date": "2024-08-17 09:15:00 UTC" }, { "cve": "CVE-2024-27022", "url": "https://ubuntu.com/security/CVE-2024-27022", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fork: defer linking file vma until vma is fully initialized Thorvald reported a WARNING [1]. And the root cause is below race: CPU 1 CPU 2 fork hugetlbfs_fallocate dup_mmap hugetlbfs_punch_hole i_mmap_lock_write(mapping); vma_interval_tree_insert_after -- Child vma is visible through i_mmap tree. i_mmap_unlock_write(mapping); hugetlb_dup_vma_private -- Clear vma_lock outside i_mmap_rwsem! i_mmap_lock_write(mapping); hugetlb_vmdelete_list vma_interval_tree_foreach hugetlb_vma_trylock_write -- Vma_lock is cleared. tmp->vm_ops->open -- Alloc new vma_lock outside i_mmap_rwsem! hugetlb_vma_unlock_write -- Vma_lock is assigned!!! i_mmap_unlock_write(mapping); hugetlb_dup_vma_private() and hugetlb_vm_op_open() are called outside i_mmap_rwsem lock while vma lock can be used in the same time. Fix this by deferring linking file vma until vma is fully initialized. 
Those vmas should be initialized first before they can be used.", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-41022", "url": "https://ubuntu.com/security/CVE-2024-41022", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq() The \"instance\" variable needs to be signed for the error handling to work.", "cve_priority": "medium", "cve_public_date": "2024-07-29 14:15:00 UTC" }, { "cve": "CVE-2024-45016", "url": "https://ubuntu.com/security/CVE-2024-45016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug happen: - If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. 
The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.", "cve_priority": "medium", "cve_public_date": "2024-09-11 16:15:00 UTC" } ], "log": [ "", " * jammy/linux-riscv-6.8: 6.8.0-48.48.1~22.04.2 -proposed tracker", " (LP: #2082433)", "", " * Miscellaneous Ubuntu changes", " - [Packaging] riscv: add libtraceevent build dependencies", "", " [ Ubuntu: 6.8.0-48.48.1 ]", "", " * noble/linux-riscv: 6.8.0-48.48.1 -proposed tracker (LP: #2082434)", " * Enable Microchip PIC64GX Curiosity Kit (LP: #2074082)", " - dt-bindings: clock: mpfs: add more MSSPLL output definitions", " - dt-bindings: can: mpfs: add missing required clock", " - clk: microchip: mpfs: split MSSPLL in two", " - clk: microchip: mpfs: setup for using other mss pll outputs", " - clk: microchip: mpfs: add missing MSSPLL outputs", " - clk: microchip: mpfs: convert MSSPLL outputs to clk_divider", " - riscv: dts: microchip: add missing CAN bus clocks", " - SAUCE: dt-bindings: can: mpfs: add PIC64GX CAN compatibility", " - SAUCE: dt-bindings: usb: add PIC64GX compatibility to mpfs-musb driver", " - SAUCE: dt-bindings: mbox: add PIC64GX mailbox compatibility to MPFS mailbox", " - SAUCE: dt-bindings: spi: add PIC64GX SPI/QSPI compatibility to MPFS SPI/QSPI", " bindings", " - SAUCE: dt-bindings: gpio: mpfs-gpio: Add PIC64GX GPIO compatibility", " - SAUCE: dt-bindings: cache: sifive,ccache0: add a PIC64GX compatible", " - SAUCE: dt-bindings: clock: mpfs-ccc: Add PIC64GX compatibility", " - SAUCE: dt-bindings: clock: mpfs-clkcfg: Add PIC64GX compatibility", " - SAUCE: dt-bindings: dma: sifive pdma: Add PIC64GX to compatibles", " - SAUCE: dt-bindings: i2c: microchip: corei2c: Add PIC64GX as compatible with", " driver", " - SAUCE: dt-bindings: mmc: cdns: document Microchip PIC64GX MMC/SDHCI", " controller", " - SAUCE: dt-bindings: net: cdns,macb: Add PIC64GX compatibility", " - SAUCE: dt-bindings: rtc: mfps-rtc: Add PIC64GX compatibility", 
" - SAUCE: dt-bindings: soc: microchip: mpfs-sys-controller: Add PIC64GX", " compatibility", " - SAUCE: dt-bindings: riscv: microchip: document the PIC64GX curiosity kit", " - SAUCE: dt-bindings: mmc: cdns,sdhci: ref sdhci-common.yaml", " - SAUCE: dt-bindings: timer: sifive,clint: add PIC64GX compatibility", " - SAUCE: dt-bindings: interrupt-controller: sifive,plic: Add PIC64GX", " compatibility", " - SAUCE: riscv: dts: microchip: add PIC64GX Curiosity Kit dts", " [ Ubuntu: 6.8.0-48.48 ]", " * noble/linux: 6.8.0-48.48 -proposed tracker (LP: #2082437)", " * [SRU][Noble] Bad EPP defaults cause performance regressions on select Intel", " CPUs (LP: #2077470)", " - x86/cpu/vfm: Update arch/x86/include/asm/intel-family.h", " - cpufreq: intel_pstate: Allow model specific EPPs", " - cpufreq: intel_pstate: Update default EPPs for Meteor Lake", " - cpufreq: intel_pstate: Switch to new Intel CPU model defines", " - cpufreq: intel_pstate: Update Meteor Lake EPPs", " - cpufreq: intel_pstate: Use Meteor Lake EPPs for Arrow Lake", " - cpufreq: intel_pstate: Update Balance performance EPP for Emerald Rapids", " * power: Enable intel_rapl driver (LP: #2078834)", " - powercap: intel_rapl: Add support for ArrowLake-H platform", " * x86/vmware: Add TDX hypercall support (LP: #2077729)", " - x86/vmware: Introduce VMware hypercall API", " - x86/vmware: Add TDX hypercall support", " * Guest crashes post migration with migrate_misplaced_folio+0x4cc/0x5d0", " (LP: #2076866)", " - mm/mempolicy: use numa_node_id() instead of cpu_to_node()", " - mm/numa_balancing: allow migrate on protnone reference with", " MPOL_PREFERRED_MANY policy", " - mm: convert folio_estimated_sharers() to folio_likely_mapped_shared()", " - mm: factor out the numa mapping rebuilding into a new helper", " - mm: support multi-size THP numa balancing", " - mm/migrate: make migrate_misplaced_folio() return 0 on success", " - mm/migrate: move NUMA hinting fault folio isolation + checks under PTL", " - mm: fix possible OOB 
in numa_rebuild_large_mapping()", " * Add 'mm: hold PTL from the first PTE while reclaiming a large folio' to fix", " L2 Guest hang during LTP Test (LP: #2076147)", " - mm: hold PTL from the first PTE while reclaiming a large folio", " * KOP L2 guest fails to boot with 1 core - SMT8 topology (LP: #2070329)", " - KVM: PPC: Book3S HV nestedv2: Add DPDES support in helper library for Guest", " state buffer", " - KVM: PPC: Book3S HV nestedv2: Fix doorbell emulation", " * L2 Guest migration: continuously dumping while running NFS guest migration", " (LP: #2076406)", " - KVM: PPC: Book3S HV: Fix the set_one_reg for MMCR3", " - KVM: PPC: Book3S HV: Fix the get_one_reg of SDAR", " - KVM: PPC: Book3S HV: Add one-reg interface for DEXCR register", " - KVM: PPC: Book3S HV nestedv2: Keep nested guest DEXCR in sync", " - KVM: PPC: Book3S HV: Add one-reg interface for HASHKEYR register", " - KVM: PPC: Book3S HV nestedv2: Keep nested guest HASHKEYR in sync", " - KVM: PPC: Book3S HV: Add one-reg interface for HASHPKEYR register", " - KVM: PPC: Book3S HV nestedv2: Keep nested guest HASHPKEYR in sync", " * perf build disables tracepoint support (LP: #2076190)", " - [Packaging] perf: reenable libtraceevent", " * Please backport the more restrictive XSAVES deactivation for Zen1/2 arch", " (LP: #2077321)", " - x86/CPU/AMD: Improve the erratum 1386 workaround", " * Fix alsa scarlett2 driver in 6.8 (LP: #2076402)", " - ALSA: scarlett2: Move initialisation code lower in the source", " - ALSA: scarlett2: Implement handling of the ACK notification", " * rtw89: reset IDMEM mode to prevent download firmware failure (LP: #2077396)", " - wifi: rtw89: 885xb: reset IDMEM mode to prevent download firmware failure", " * CVE-2024-43858", " - jfs: Fix array-index-out-of-bounds in diFree", " * CVE-2024-42280", " - mISDN: Fix a use after free in hfcmulti_tx()", " * CVE-2024-42271", " - net/iucv: fix use after free in iucv_sock_close()", " * [Ubuntu-24.04] FADump with recommended crash size is making 
the L1 hang", " (LP: #2060039)", " - powerpc/64s/radix/kfence: map __kfence_pool at page granularity", " * Noble update: upstream stable patchset 2024-09-09 (LP: #2079945)", " - ocfs2: add bounds checking to ocfs2_check_dir_entry()", " - jfs: don't walk off the end of ealist", " - fs/ntfs3: Add a check for attr_names and oatbl", " - fs/ntfs3: Validate ff offset", " - usb: gadget: midi2: Fix incorrect default MIDI2 protocol setup", " - ALSA: hda/realtek: Enable headset mic on Positivo SU C1400", " - ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360", " - arm64: dts: qcom: qrb4210-rb2: switch I2C2 to i2c-gpio", " - arm64: dts: qcom: msm8996: Disable SS instance in Parkmode for USB", " - arm64: dts: qcom: sm6350: Disable SS instance in Parkmode for USB", " - arm64: dts: qcom: ipq6018: Disable SS instance in Parkmode for USB", " - arm64: dts: qcom: sdm630: Disable SS instance in Parkmode for USB", " - ALSA: pcm_dmaengine: Don't synchronize DMA channel when DMA is paused", " - ALSA: seq: ump: Skip useless ports for static blocks", " - filelock: Fix fcntl/close race recovery compat path", " - tun: add missing verification for short frame", " - tap: add missing verification for short frame", " - s390/mm: Fix VM_FAULT_HWPOISON handling in do_exception()", " - ALSA: hda/tas2781: Add new quirk for Lenovo Hera2 Laptop", " - arm64: dts: qcom: sc7180: Disable SuperSpeed instances in park mode", " - arm64: dts: qcom: sc7280: Disable SuperSpeed instances in park mode", " - arm64: dts: qcom: qrb2210-rb1: switch I2C2 to i2c-gpio", " - arm64: dts: qcom: msm8998: Disable SS instance in Parkmode for USB", " - arm64: dts: qcom: ipq8074: Disable SS instance in Parkmode for USB", " - arm64: dts: qcom: sdm845: Disable SS instance in Parkmode for USB", " - Upstream stable to v6.6.43, v6.9.12", " * Noble update: upstream stable patchset 2024-09-02 (LP: #2078304)", " - filelock: Remove locks reliably when fcntl/close race is detected", " - scsi: core: alua: I/O errors 
for ALUA state transitions", " - scsi: sr: Fix unintentional arithmetic wraparound", " - scsi: qedf: Don't process stag work during unload and recovery", " - scsi: qedf: Wait for stag work during unload", " - scsi: qedf: Set qed_slowpath_params to zero before use", " - efi/libstub: zboot.lds: Discard .discard sections", " - ACPI: EC: Abort address space access upon error", " - ACPI: EC: Avoid returning AE_OK on errors in address space handler", " - tools/power/cpupower: Fix Pstate frequency reporting on AMD Family 1Ah CPUs", " - wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata", " - wifi: mac80211: apply mcast rate only if interface is up", " - wifi: mac80211: handle tasklet frames before stopping", " - wifi: cfg80211: fix 6 GHz scan request building", " - wifi: iwlwifi: mvm: d3: fix WoWLAN command version lookup", " - wifi: iwlwifi: mvm: remove stale STA link data during restart", " - wifi: iwlwifi: mvm: Handle BIGTK cipher in kek_kck cmd", " - wifi: iwlwifi: mvm: handle BA session teardown in RF-kill", " - wifi: iwlwifi: mvm: properly set 6 GHz channel direct probe option", " - wifi: iwlwifi: mvm: Fix scan abort handling with HW rfkill", " - wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan()", " - selftests: cachestat: Fix build warnings on ppc64", " - selftests/openat2: Fix build warnings on ppc64", " - selftests/futex: pass _GNU_SOURCE without a value to the compiler", " - of/irq: Factor out parsing of interrupt-map parent phandle+args from", " of_irq_parse_raw()", " - Input: silead - Always support 10 fingers", " - net: ipv6: rpl_iptunnel: block BH in rpl_output() and rpl_input()", " - ila: block BH in ila_output()", " - arm64: armv8_deprecated: Fix warning in isndep cpuhp starting process", " - null_blk: fix validation of block size", " - kconfig: gconf: give a proper initial state to the Save button", " - kconfig: remove wrong expr_trans_bool()", " - input: Add event code for accessibility key", " - input: Add support for 
\"Do Not Disturb\"", " - HID: Ignore battery for ELAN touchscreens 2F2C and 4116", " - NFSv4: Fix memory leak in nfs4_set_security_label", " - nfs: propagate readlink errors in nfs_symlink_filler", " - nfs: Avoid flushing many pages with NFS_FILE_SYNC", " - nfs: don't invalidate dentries on transient errors", " - cachefiles: add consistency check for copen/cread", " - cachefiles: Set object to close if ondemand_id < 0 in copen", " - cachefiles: make on-demand read killable", " - fs/file: fix the check in find_next_fd()", " - mei: demote client disconnect warning on suspend to debug", " - iomap: Fix iomap_adjust_read_range for plen calculation", " - drm/exynos: dp: drop driver owner initialization", " - drm: panel-orientation-quirks: Add quirk for Aya Neo KUN", " - drm/mediatek: Call drm_atomic_helper_shutdown() at shutdown time", " - nvme: avoid double free special payload", " - nvmet: always initialize cqe.result", " - ALSA: hda: cs35l56: Fix lifecycle of codec pointer", " - wifi: cfg80211: wext: add extra SIOCSIWSCAN data check", " - ALSA: hda/realtek: Support Lenovo Thinkbook 16P Gen 5", " - KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()", " - drm/vmwgfx: Fix missing HYPERVISOR_GUEST dependency", " - ALSA: hda/realtek: Add more codec ID to no shutup pins list", " - spi: Fix OCTAL mode support", " - cpumask: limit FORCE_NR_CPUS to just the UP case", " - [Config] Remove FORCE_NR_CPUS", " - selftests: openvswitch: Set value to nla flags.", " - drm/amdgpu: Indicate CU havest info to CP", " - ALSA: hda: cs35l56: Select SERIAL_MULTI_INSTANTIATE", " - mips: fix compat_sys_lseek syscall", " - Input: elantech - fix touchpad state on resume for Lenovo N24", " - Input: i8042 - add Ayaneo Kun to i8042 quirk table", " - ASoC: rt722-sdca-sdw: add silence detection register as volatile", " - Input: xpad - add support for ASUS ROG RAIKIRI PRO", " - ASoC: topology: Fix references to freed memory", " - ASoC: topology: Do not assign fields that are already 
set", " - bytcr_rt5640 : inverse jack detect for Archos 101 cesium", " - ALSA: dmaengine: Synchronize dma channel after drop()", " - ASoC: ti: davinci-mcasp: Set min period size using FIFO config", " - ASoC: ti: omap-hdmi: Fix too long driver name", " - ASoC: SOF: sof-audio: Skip unprepare for in-use widgets on error rollback", " - ASoC: rt722-sdca-sdw: add debounce time for type detection", " - nvme: fix NVME_NS_DEAC may incorrectly identifying the disk as EXT_LBA.", " - Input: ads7846 - use spi_device_id table", " - can: kvaser_usb: fix return value for hif_usb_send_regout", " - gpio: pca953x: fix pca953x_irq_bus_sync_unlock race", " - octeontx2-pf: Fix coverity and klockwork issues in octeon PF driver", " - s390/sclp: Fix sclp_init() cleanup on failure", " - platform/mellanox: nvsw-sn2201: Add check for platform_device_add_resources", " - platform/x86: wireless-hotkey: Add support for LG Airplane Button", " - platform/x86: lg-laptop: Remove LGEX0815 hotkey handling", " - platform/x86: lg-laptop: Change ACPI device id", " - platform/x86: lg-laptop: Use ACPI device handle when evaluating WMAB/WMBB", " - btrfs: qgroup: fix quota root leak after quota disable failure", " - ibmvnic: Add tx check to prevent skb leak", " - ALSA: PCM: Allow resume only for suspended streams", " - ALSA: hda/relatek: Enable Mute LED on HP Laptop 15-gw0xxx", " - ALSA: dmaengine_pcm: terminate dmaengine before synchronize", " - ASoC: amd: yc: Fix non-functional mic on ASUS M5602RA", " - net: usb: qmi_wwan: add Telit FN912 compositions", " - net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and", " DEV_STATS_ADD()", " - powerpc/pseries: Whitelist dtl slub object for copying to userspace", " - powerpc/eeh: avoid possible crash when edev->pdev changes", " - scsi: libsas: Fix exp-attached device scan after probe failure scanned in", " again after probe failed", " - tee: optee: ffa: Fix missing-field-initializers warning", " - Bluetooth: hci_core: cancel all works upon 
hci_unregister_dev()", " - Bluetooth: btnxpuart: Enable Power Save feature on startup", " - bluetooth/l2cap: sync sock recv cb and release", " - erofs: ensure m_llen is reset to 0 if metadata is invalid", " - drm/amd/display: Add refresh rate range check", " - drm/amd/display: Account for cursor prefetch BW in DML1 mode support", " - drm/amd/display: Fix refresh rate range for some panel", " - drm/radeon: check bo_va->bo is non-NULL before using it", " - fs: better handle deep ancestor chains in is_subdir()", " - wifi: iwlwifi: properly set WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK", " - drivers/perf: riscv: Reset the counter to hpmevent mapping while starting", " cpus", " - riscv: stacktrace: fix usage of ftrace_graph_ret_addr()", " - spi: imx: Don't expect DMA for i.MX{25,35,50,51,53} cspi devices", " - ksmbd: return FILE_DEVICE_DISK instead of super magic", " - ASoC: SOF: Intel: hda-pcm: Limit the maximum number of periods by", " MAX_BDL_ENTRIES", " - selftest/timerns: fix clang build failures for abs() calls", " - selftests/vDSO: fix clang build errors and warnings", " - hfsplus: fix uninit-value in copy_name", " - selftests/bpf: Extend tcx tests to cover late tcx_entry release", " - spi: mux: set ctlr->bits_per_word_mask", " - ALSA: hda: Use imply for suggesting CONFIG_SERIAL_MULTI_INSTANTIATE", " - [Config] Update CONFIG_SERIAL_MULTI_INSTANTIATE", " - cifs: fix noisy message on copy_file_range", " - Bluetooth: L2CAP: Fix deadlock", " - of/irq: Disable \"interrupt-map\" parsing for PASEMI Nemo", " - wifi: cfg80211: wext: set ssids=NULL for passive scans", " - wifi: mac80211: disable softirqs for queued frame handling", " - wifi: iwlwifi: mvm: don't wake up rx_sync_waitq upon RFKILL", " - cachefiles: fix slab-use-after-free in fscache_withdraw_volume()", " - cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()", " - btrfs: ensure fast fsync waits for ordered extents after a write failure", " - PNP: Hide pnp_bus_type from the non-PNP code", " - ACPI: AC: 
Properly notify powermanagement core about changes", " - selftests/overlayfs: Fix build error on ppc64", " - nvme-fabrics: use reserved tag for reg read/write command", " - LoongArch: Fix GMAC's phy-mode definitions in dts", " - io_uring: fix possible deadlock in io_register_iowq_max_workers()", " - vfio: Create vfio_fs_type with inode per device", " - vfio/pci: Use unmap_mapping_range()", " - parport: amiga: Mark driver struct with __refdata to prevent section", " mismatch", " - drm: renesas: shmobile: Call drm_atomic_helper_shutdown() at shutdown time", " - vfio/pci: Insert full vma on mmap'd MMIO fault", " - ALSA: hda: cs35l41: Support Lenovo Thinkbook 16P Gen 5", " - ALSA: hda: cs35l41: Support Lenovo Thinkbook 13x Gen 4", " - ALSA: hda/realtek: Support Lenovo Thinkbook 13x Gen 4", " - wifi: mac80211: Avoid address calculations via out of bounds array indexing", " - drm/amd/display: change dram_clock_latency to 34us for dcn35", " - closures: Change BUG_ON() to WARN_ON()", " - ASoC: codecs: ES8326: Solve headphone detection issue", " - ASoC: Intel: avs: Fix route override", " - net: mvpp2: fill-in dev_port attribute", " - btrfs: scrub: handle RST lookup error correctly", " - clk: qcom: apss-ipq-pll: remove 'config_ctl_hi_val' from Stromer pll configs", " - drm/amd/display: Update efficiency bandwidth for dcn351", " - drm/amd/display: Fix array-index-out-of-bounds in dml2/FCLKChangeSupport", " - btrfs: fix uninitialized return value in the ref-verify tool", " - spi: davinci: Unset POWERDOWN bit when releasing resources", " - mm: page_ref: remove folio_try_get_rcu()", " - ALSA: hda: cs35l41: Fix swapped l/r audio channels for Lenovo ThinBook 13x", " Gen4", " - netfs, fscache: export fscache_put_volume() and add fscache_try_get_volume()", " - Upstream stable to v6.6.42, v6.9.11", " * CVE-2024-27022", " - Revert \"Revert \"fork: defer linking file vma until vma is fully", " initialized\"\"", " * UBSAN: array-index-out-of-bounds in /build/linux-Z1RxaK/linux-", " 
6.8.0/drivers/gpu/drm/amd/amdgpu/../pm/powerplay/hwmgr/processpptables.c:124", " 9:61 (LP: #2078041)", " - drm/amdgpu/pptable: convert some variable sized arrays to [] style", " - drm/amdgpu: convert some variable sized arrays to [] style", " - drm/amdgpu/pptable: Fix UBSAN array-index-out-of-bounds", " * alsa: Headphone and Speaker couldn't output sound intermittently", " (LP: #2077690)", " - ALSA: hda/realtek - Fixed ALC256 headphone no sound", " - ALSA: hda/realtek - FIxed ALC285 headphone no sound", " * Fix ethernet performance on JSL and EHL (LP: #2077858)", " - intel_idle: Disable promotion to C1E on Jasper Lake and Elkhart Lake", " * Noble update: upstream stable patchset 2024-08-29 (LP: #2078289)", " - Revert \"usb: xhci: prevent potential failure in handle_tx_event() for", " Transfer events without TRB\"", " - Compiler Attributes: Add __uninitialized macro", " - mm: prevent derefencing NULL ptr in pfn_section_valid()", " - scsi: ufs: core: Fix ufshcd_clear_cmd racing issue", " - scsi: ufs: core: Fix ufshcd_abort_one racing issue", " - vfio/pci: Init the count variable in collecting hot-reset devices", " - cachefiles: propagate errors from vfs_getxattr() to avoid infinite loop", " - cachefiles: stop sending new request when dropping object", " - cachefiles: cancel all requests for the object that is being dropped", " - cachefiles: wait for ondemand_object_worker to finish when dropping object", " - cachefiles: cyclic allocation of msg_id to avoid reuse", " - cachefiles: add missing lock protection when polling", " - dsa: lan9303: Fix mapping between DSA port number and PHY address", " - filelock: fix potential use-after-free in posix_lock_inode", " - fs/dcache: Re-use value stored to dentry->d_flags instead of re-reading", " - vfs: don't mod negative dentry count when on shrinker list", " - net: bcmasp: Fix error code in probe()", " - tcp: fix incorrect undo caused by DSACK of TLP retransmit", " - bpf: Fix too early release of tcx_entry", " - net: phy: 
microchip: lan87xx: reinit PHY after cable test", " - skmsg: Skip zero length skb in sk_msg_recvmsg", " - octeontx2-af: Fix incorrect value output on error path in", " rvu_check_rsrc_availability()", " - net: fix rc7's __skb_datagram_iter()", " - i40e: Fix XDP program unloading while removing the driver", " - net: ethernet: lantiq_etop: fix double free in detach", " - bpf: fix order of args in call to bpf_map_kvcalloc", " - bpf: make timer data struct more generic", " - bpf: replace bpf_timer_init with a generic helper", " - bpf: Fail bpf_timer_cancel when callback is being cancelled", " - net: ethernet: mtk-star-emac: set mac_managed_pm when probing", " - ppp: reject claimed-as-LCP but actually malformed packets", " - ethtool: netlink: do not return SQI value if link is down", " - udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().", " - net, sunrpc: Remap EPERM in case of connection failure in", " xs_tcp_setup_socket", " - s390: Mark psw in __load_psw_mask() as __unitialized", " - arm64: dts: qcom: sc8180x: Fix LLCC reg property again", " - firmware: cs_dsp: Fix overflow checking of wmfw header", " - firmware: cs_dsp: Return error if block header overflows file", " - firmware: cs_dsp: Validate payload length before processing block", " - firmware: cs_dsp: Prevent buffer overrun when processing V2 alg headers", " - ASoC: SOF: Intel: hda: fix null deref on system suspend entry", " - firmware: cs_dsp: Use strnlen() on name fields in V1 wmfw files", " - ARM: davinci: Convert comma to semicolon", " - octeontx2-af: replace cpt slot with lf id on reg write", " - octeontx2-af: fix a issue with cpt_lf_alloc mailbox", " - octeontx2-af: fix detection of IP layer", " - octeontx2-af: fix issue with IPv6 ext match for RSS", " - octeontx2-af: fix issue with IPv4 match for RSS", " - cifs: fix setting SecurityFlags to true", " - Revert \"sched/fair: Make sure to try to detach at least one movable task\"", " - tcp: avoid too many retransmit packets", " - net: ks8851: Fix 
deadlock with the SPI chip variant", " - net: ks8851: Fix potential TX stall after interface reopen", " - USB: serial: option: add Telit generic core-dump composition", " - USB: serial: option: add Telit FN912 rmnet compositions", " - USB: serial: option: add Fibocom FM350-GL", " - USB: serial: option: add support for Foxconn T99W651", " - USB: serial: option: add Netprisma LCUK54 series modules", " - USB: serial: option: add Rolling RW350-GL variants", " - USB: serial: mos7840: fix crash on resume", " - USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k", " - usb: dwc3: pci: add support for the Intel Panther Lake", " - usb: gadget: configfs: Prevent OOB read/write in usb_string_copy()", " - USB: core: Fix duplicate endpoint bug by clearing reserved bits in the", " descriptor", " - misc: microchip: pci1xxxx: Fix return value of nvmem callbacks", " - hpet: Support 32-bit userspace", " - xhci: always resume roothubs if xHC was reset during resume", " - s390/mm: Add NULL pointer check to crst_table_free() base_crst_free()", " - mm: vmalloc: check if a hash-index is in cpu_possible_mask", " - mm/filemap: skip to create PMD-sized page cache if needed", " - mm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray", " - ksmbd: discard write access to the directory open", " - iio: trigger: Fix condition for own trigger", " - arm64: dts: qcom: sa8775p: Correct IRQ number of EL2 non-secure physical", " timer", " - arm64: dts: qcom: sc8280xp-x13s: fix touchscreen power on", " - nvmem: rmem: Fix return value of rmem_read()", " - nvmem: meson-efuse: Fix return value of nvmem callbacks", " - nvmem: core: only change name to fram for current attribute", " - platform/x86: toshiba_acpi: Fix array out-of-bounds access", " - tty: serial: ma35d1: Add a NULL check for of_node", " - ALSA: hda/realtek: add quirk for Clevo V5[46]0TU", " - ALSA: hda/realtek: Enable Mute LED on HP 250 G7", " - ALSA: hda/realtek: Limit mic boost on VAIO PRO PX", " - Fix userfaultfd_api to return EINVAL 
as expected", " - pmdomain: qcom: rpmhpd: Skip retention level for Power Domains", " - libceph: fix race between delayed_work() and ceph_monc_stop()", " - ACPI: processor_idle: Fix invalid comparison with insertion sort for latency", " - cpufreq: ACPI: Mark boost policy as enabled when setting boost", " - cpufreq: Allow drivers to advertise boost enabled", " - wireguard: selftests: use acpi=off instead of -no-acpi for recent QEMU", " - wireguard: allowedips: avoid unaligned 64-bit memory accesses", " - wireguard: queueing: annotate intentional data race in cpu round robin", " - wireguard: send: annotate intentional data race in checking empty queue", " - misc: fastrpc: Fix DSP capabilities request", " - misc: fastrpc: Avoid updating PD type for capability request", " - misc: fastrpc: Copy the complete capability structure to user", " - misc: fastrpc: Fix memory leak in audio daemon attach operation", " - misc: fastrpc: Fix ownership reassignment of remote heap", " - misc: fastrpc: Restrict untrusted app to attach to privileged PD", " - mm/shmem: disable PMD-sized page cache if needed", " - mm/damon/core: merge regions aggressively when max_nr_regions is unmet", " - selftests/net: fix gro.c compilation failure due to non-existent", " opt_ipproto_off", " - ext4: avoid ptr null pointer dereference", " - sched: Move psi_account_irqtime() out of update_rq_clock_task() hotpath", " - i2c: rcar: bring hardware to known state when probing", " - i2c: mark HostNotify target address as used", " - i2c: rcar: ensure Gen3+ reset does not disturb local targets", " - i2c: testunit: avoid re-issued work after read message", " - i2c: rcar: clear NO_RXDMA flag after resetting", " - x86/bhi: Avoid warning in #DB handler due to BHI mitigation", " - kbuild: Make ld-version.sh more robust against version string changes", " - spi: axi-spi-engine: fix sleep calculation", " - minixfs: Fix minixfs_rename with HIGHMEM", " - bpf: Defer work in bpf_timer_cancel_and_free", " - netfilter: 
nf_tables: prefer nft_chain_validate", " - arm64: dts: qcom: x1e80100-*: Allocate some CMA buffers", " - arm64: dts: qcom: sm6115: add iommu for sdhc_1", " - arm64: dts: qcom: qdu1000: Fix LLCC reg property", " - net: ethtool: Fix RSS setting", " - nilfs2: fix kernel bug on rename operation of broken directory", " - cachestat: do not flush stats in recency check", " - mm: fix crashes from deferred split racing folio migration", " - nvmem: core: limit cell sysfs permissions to main attribute ones", " - serial: imx: ensure RTS signal is not left active after shutdown", " - mmc: sdhci: Fix max_seg_size for 64KiB PAGE_SIZE", " - mmc: davinci_mmc: Prevent transmitted data size from exceeding sgm's length", " - mm/readahead: limit page cache size in page_cache_ra_order()", " - Revert \"dt-bindings: cache: qcom,llcc: correct QDU1000 reg entries\"", " - sched/deadline: Fix task_struct reference leak", " - Upstream stable to v6.6.40, v6.6.41, v6.9.10", " * [SRU][HPE 24.04] Intel FVL NIC FW flash fails with inbox driver, causing", " driver not detected (LP: #2076675) // Noble update: upstream stable patchset", " 2024-08-29 (LP: #2078289)", " - i40e: fix: remove needless retries of NVM update", " * CVE-2024-41022", " - drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()", " * Deadlock occurs while suspending md raid (LP: #2073695)", " - md: change the return value type of md_write_start to void", " - md: fix deadlock between mddev_suspend and flush bio", " * Lenovo X12 Detachable Gen 2 unresponsive under light load (LP: #2076361)", " - drm/i915: Enable Wa_16019325821", " - drm/i915/guc: Add support for w/a KLVs", " - drm/i915/guc: Enable Wa_14019159160", " * Regression: unable to reach low idle states on Tiger Lake (LP: #2072679)", " - SAUCE: PCI: ASPM: Allow OS to configure ASPM where BIOS is incapable of", " - SAUCE: PCI: vmd: Let OS control ASPM for devices under VMD domain", " * Noble update: upstream stable patchset 2024-08-22 (LP: #2077600)", " - 
locking/mutex: Introduce devm_mutex_init()", " - leds: an30259a: Use devm_mutex_init() for mutex initialization", " - crypto: hisilicon/debugfs - Fix debugfs uninit process issue", " - drm/lima: fix shared irq handling on driver remove", " - powerpc: Avoid nmi_enter/nmi_exit in real mode interrupt.", " - media: dvb: as102-fe: Fix as10x_register_addr packing", " - media: dvb-usb: dib0700_devices: Add missing release_firmware()", " - IB/core: Implement a limit on UMAD receive List", " - scsi: qedf: Make qedf_execute_tmf() non-preemptible", " - selftests/bpf: adjust dummy_st_ops_success to detect additional error", " - selftests/bpf: do not pass NULL for non-nullable params in dummy_st_ops", " - selftests/bpf: dummy_st_ops should reject 0 for non-nullable params", " - RISC-V: KVM: Fix the initial sample period value", " - crypto: aead,cipher - zeroize key buffer after use", " - media: mediatek: vcodec: Only free buffer VA that is not NULL", " - drm/amdgpu: Fix uninitialized variable warnings", " - drm/amdgpu: Initialize timestamp for some legacy SOCs", " - drm/amd/display: Check index msg_id before read or write", " - drm/amd/display: Check pipe offset before setting vblank", " - drm/amd/display: Skip finding free audio for unknown engine_id", " - drm/amd/display: Fix uninitialized variables in DM", " - drm/amdgpu: fix uninitialized scalar variable warning", " - drm/amdgpu: fix the warning about the expression (int)size - len", " - media: dw2102: Don't translate i2c read into write", " - riscv: Apply SiFive CIP-1200 workaround to single-ASID sfence.vma", " - sctp: prefer struct_size over open coded arithmetic", " - firmware: dmi: Stop decoding on broken entry", " - Input: ff-core - prefer struct_size over open coded arithmetic", " - wifi: mt76: replace skb_put with skb_put_zero", " - wifi: mt76: mt7996: add sanity checks for background radar trigger", " - thermal/drivers/mediatek/lvts_thermal: Check NULL ptr on lvts_data", " - media: dvb-frontends: tda18271c2dd: 
Remove casting during div", " - media: s2255: Use refcount_t instead of atomic_t for num_channels", " - media: dvb-frontends: tda10048: Fix integer overflow", " - i2c: i801: Annotate apanel_addr as __ro_after_init", " - powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for CONFIG_PCI=n", " - orangefs: fix out-of-bounds fsid access", " - kunit: Fix timeout message", " - powerpc/xmon: Check cpu id in commands \"c#\", \"dp#\" and \"dx#\"", " - selftests/net: fix uninitialized variables", " - igc: fix a log entry using uninitialized netdev", " - bpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD", " - serial: imx: Raise TX trigger level to 8", " - jffs2: Fix potential illegal address access in jffs2_free_inode", " - s390/pkey: Wipe sensitive data on failure", " - btrfs: scrub: initialize ret in scrub_simple_mirror() to fix compilation", " warning", " - cdrom: rearrange last_media_change check to avoid unintentional overflow", " - tools/power turbostat: Remember global max_die_id", " - vhost: Use virtqueue mutex for swapping worker", " - vhost: Release worker mutex during flushes", " - vhost_task: Handle SIGKILL by flushing work and exiting", " - mac802154: fix time calculation in ieee802154_configure_durations()", " - net: phy: phy_device: Fix PHY LED blinking code comment", " - UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open()", " - net/mlx5: E-switch, Create ingress ACL when needed", " - net/mlx5e: Add mqprio_rl cleanup and free in mlx5e_priv_cleanup()", " - Bluetooth: hci_event: Fix setting of unicast qos interval", " - Bluetooth: Ignore too large handle values in BIG", " - Bluetooth: ISO: Check socket flag instead of hcon", " - bluetooth/hci: disallow setting handle bigger than HCI_CONN_HANDLE_MAX", " - KVM: s390: fix LPSWEY handling", " - e1000e: Fix S0ix residency on corporate systems", " - gpiolib: of: fix lookup quirk for MIPS Lantiq", " - net: allow skb_datagram_iter to be called from any context", " - net: txgbe: initialize 
num_q_vectors for MSI/INTx interrupts", " - net: ntb_netdev: Move ntb_netdev_rx_handler() to call netif_rx() from", " __netif_rx()", " - gpio: mmio: do not calculate bgpio_bits via \"ngpios\"", " - wifi: wilc1000: fix ies_len type in connect path", " - riscv: kexec: Avoid deadlock in kexec crash path", " - netfilter: nf_tables: unconditionally flush pending work before notifier", " - bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()", " - selftests: fix OOM in msg_zerocopy selftest", " - selftests: make order checking verbose in msg_zerocopy selftest", " - inet_diag: Initialize pad field in struct inet_diag_req_v2", " - mlxsw: core_linecards: Fix double memory deallocation in case of invalid INI", " file", " - gpiolib: of: add polarity quirk for TSC2005", " - cpu: Fix broken cmdline \"nosmp\" and \"maxcpus=0\"", " - platform/x86: toshiba_acpi: Fix quickstart quirk handling", " - Revert \"igc: fix a log entry using uninitialized netdev\"", " - nilfs2: fix inode number range checks", " - nilfs2: add missing check for inode numbers on directory entries", " - mm: optimize the redundant loop of mm_update_owner_next()", " - mm: avoid overflows in dirty throttling logic", " - btrfs: fix adding block group to a reclaim list and the unused list during", " reclaim", " - scsi: mpi3mr: Use proper format specifier in mpi3mr_sas_port_add()", " - Bluetooth: hci_bcm4377: Fix msgid release", " - Bluetooth: qca: Fix BT enable failure again for QCA6390 after warm reboot", " - can: kvaser_usb: Explicitly initialize family in leafimx driver_info struct", " - fsnotify: Do not generate events for O_PATH file descriptors", " - Revert \"mm/writeback: fix possible divide-by-zero in wb_dirty_limits(),", " again\"", " - drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes", " - drm/amdgpu/atomfirmware: silence UBSAN warning", " - drm: panel-orientation-quirks: Add quirk for Valve Galileo", " - clk: qcom: gcc-ipq9574: Add BRANCH_HALT_VOTED flag", " - clk: 
sunxi-ng: common: Don't call hw_to_ccu_common on hw without common", " - powerpc/pseries: Fix scv instruction crash with kexec", " - powerpc/64s: Fix unnecessary copy to 0 when kernel is booted at address 0", " - mtd: rawnand: Ensure ECC configuration is propagated to upper layers", " - mtd: rawnand: Fix the nand_read_data_op() early check", " - mtd: rawnand: Bypass a couple of sanity checks during NAND identification", " - mtd: rawnand: rockchip: ensure NVDDR timings are rejected", " - net: stmmac: dwmac-qcom-ethqos: fix error array size", " - arm64: dts: rockchip: Fix the DCDC_REG2 minimum voltage on Quartz64 Model B", " - media: dw2102: fix a potential buffer overflow", " - clk: qcom: gcc-sm6350: Fix gpll6* & gpll7 parents", " - clk: qcom: clk-alpha-pll: set ALPHA_EN bit for Stromer Plus PLLs", " - clk: mediatek: mt8183: Only enable runtime PM on mt8183-mfgcfg", " - i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr", " - fs/ntfs3: Mark volume as dirty if xattr is broken", " - ALSA: hda/realtek: Enable headset mic of JP-IK LEAP W502 with ALC897", " - vhost-scsi: Handle vhost_vq_work_queue failures for events", " - nvme-multipath: find NUMA path only for online numa-node", " - dma-mapping: benchmark: avoid needless copy_to_user if benchmark fails", " - connector: Fix invalid conversion in cn_proc.h", " - nvme: adjust multiples of NVME_CTRL_PAGE_SIZE in offset", " - regmap-i2c: Subtract reg size from max_write", " - platform/x86: touchscreen_dmi: Add info for GlobalSpace SolT IVW 11.6\"", " tablet", " - platform/x86: touchscreen_dmi: Add info for the EZpad 6s Pro", " - nvmet: fix a possible leak when destroy a ctrl during qp establishment", " - kbuild: fix short log for AS in link-vmlinux.sh", " - nfc/nci: Add the inconsistency check between the input data length and count", " - spi: cadence: Ensure data lines set to low during dummy-cycle period", " - ALSA: ump: Set default protocol when not given explicitly", " - drm/amdgpu: silence UBSAN 
warning", " - null_blk: Do not allow runt zone with zone capacity smaller then zone size", " - nilfs2: fix incorrect inode allocation from reserved inodes", " - leds: mlxreg: Use devm_mutex_init() for mutex initialization", " - net: dql: Avoid calling BUG() when WARN() is enough", " - drm/xe: Add outer runtime_pm protection to xe_live_ktest@xe_dma_buf", " - bpf: mark bpf_dummy_struct_ops.test_1 parameter as nullable", " - drm/amdgpu: fix double free err_addr pointer warnings", " - drm/amd/display: Fix overlapping copy within dml_core_mode_programming", " - drm/amd/display: update pipe topology log to support subvp", " - drm/amd/display: Do not return negative stream id for array", " - drm/amd/display: ASSERT when failing to find index by plane/stream id", " - usb: xhci: prevent potential failure in handle_tx_event() for Transfer", " events without TRB", " - media: i2c: st-mipid02: Use the correct div function", " - media: tc358746: Use the correct div_ function", " - crypto: hisilicon/sec2 - fix for register offset", " - s390/pkey: Use kfree_sensitive() to fix Coccinelle warnings", " - s390/pkey: Wipe copies of clear-key structures on failure", " - s390/pkey: Wipe copies of protected- and secure-keys", " - wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values", " - wifi: mac80211: fix BSS_CHANGED_UNSOL_BCAST_PROBE_RESP", " - net: txgbe: remove separate irq request for MSI and INTx", " - net: txgbe: add extra handle for MSI/INTx into thread irq handle", " - net: txgbe: free isb resources at the right time", " - btrfs: always do the basic checks for btrfs_qgroup_inherit structure", " - net: phy: aquantia: add missing include guards", " - drm/fbdev-generic: Fix framebuffer on big endian devices", " - net: stmmac: enable HW-accelerated VLAN stripping for gmac4 only", " - net: rswitch: Avoid use-after-free in rswitch_poll()", " - ice: use proper macro for testing bit", " - drm/xe/mcr: Avoid clobbering DSS steering", " - tcp: Don't flag tcp_sk(sk)->rx_opt.saw_unknown 
for TCP AO.", " - btrfs: zoned: fix calc_available_free_space() for zoned mode", " - btrfs: fix folio refcount in __alloc_dummy_extent_buffer()", " - Bluetooth: Add quirk to ignore reserved PHY bits in LE Extended Adv Report", " - drm/xe: fix error handling in xe_migrate_update_pgtables", " - drm/ttm: Always take the bo delayed cleanup path for imported bos", " - fs: don't misleadingly warn during thaw operations", " - drm/amdkfd: Let VRAM allocations go to GTT domain on small APUs", " - drm/amdgpu: correct hbm field in boot status", " - Upstream stable to v6.6.38, v6.6.39, v6.9.9", " * Panels show garbage or flickering when i915.psr2 enabled (LP: #2069993)", " - SAUCE: drm/i915/display/psr: add a psr2 disable quirk table", " - SAUCE: drm/i915/display/psr: disable psr2 for panel_0x4d_0x10_0x93_0x15", " - SAUCE: drm/i915/display/psr: disable psr2 for panel_0x30_0xe4_0x8b_0x07", " - SAUCE: drm/i915/display/psr: disable psr2 for panel_0x30_0xe4_0x78_0x07", " - SAUCE: drm/i915/display/psr: disable psr2 for panel_0x30_0xe4_0x8c_0x07", " - SAUCE: drm/i915/display/psr: disable psr2 for panel_0x06_0xaf_0x9a_0xf9", " - SAUCE: drm/i915/display/psr: disable psr2 for panel_0x4d_0x10_0x8f_0x15", " - SAUCE: drm/i915/display/psr: disable psr2 for panel_0x06_0xaf_0xa3_0xc3", " * Random flickering with Intel i915 (Gen9 GPUs in 6th-8th gen CPUs) on Linux", " 6.8 (LP: #2062951)", " - SAUCE: iommu/intel: disable DMAR for SKL integrated gfx", " * [SRU][22.04.5]: mpi3mr driver update (LP: #2073583)", " - scsi: mpi3mr: HDB allocation and posting for hardware and firmware buffers", " - scsi: mpi3mr: Trigger support", " - scsi: mpi3mr: Add ioctl support for HDB", " - scsi: mpi3mr: Support PCI Error Recovery callback handlers", " - scsi: mpi3mr: Prevent PCI writes from driver during PCI error recovery", " - scsi: mpi3mr: Driver version update", " * Fix power consumption while using HW accelerated video decode on AMD", " platforms (LP: #2073282)", " - drm/amdgpu/vcn: identify unified queue 
in sw init", " - drm/amdgpu/vcn: not pause dpg for unified queue", " * Noble update: upstream stable patchset 2024-08-09 (LP: #2076435)", " - usb: typec: ucsi: Never send a lone connector change ack", " - usb: typec: ucsi: Ack also failed Get Error commands", " - Input: ili210x - fix ili251x_read_touch_data() return value", " - pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER", " - pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins", " - pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins", " - pinctrl: rockchip: use dedicated pinctrl type for RK3328", " - pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set", " - MIPS: pci: lantiq: restore reset gpio polarity", " - ASoC: rockchip: i2s-tdm: Fix trcm mode by setting clock on right mclk", " - ASoC: mediatek: mt8183-da7219-max98357: Fix kcontrol name collision", " - ASoC: atmel: atmel-classd: Re-add dai_link->platform to fix card init", " - workqueue: Increase worker desc's length to 32", " - ASoC: q6apm-lpass-dai: close graph on prepare errors", " - bpf: Add missed var_off setting in set_sext32_default_val()", " - bpf: Add missed var_off setting in coerce_subreg_to_size_sx()", " - s390/pci: Add missing virt_to_phys() for directed DIBV", " - ASoC: amd: acp: add a null check for chip_pdev structure", " - ASoC: amd: acp: remove i2s configuration check in acp_i2s_probe()", " - ASoC: fsl-asoc-card: set priv->pdev before using it", " - net: dsa: microchip: fix initial port flush problem", " - openvswitch: get related ct labels from its master if it is not confirmed", " - mlxsw: spectrum_buffers: Fix memory corruptions on Spectrum-4 systems", " - ibmvnic: Free any outstanding tx skbs during scrq reset", " - net: phy: micrel: add Microchip KSZ 9477 to the device table", " - net: dsa: microchip: use collision based back pressure mode", " - ice: Rebuild TC queues on VSI queue reconfiguration", " - xdp: Remove WARN() from __xdp_reg_mem_model()", " - netfilter: fix undefined reference to 
'netfilter_lwtunnel_*' when", " CONFIG_SYSCTL=n", " - btrfs: use NOFS context when getting inodes during logging and log replay", " - Fix race for duplicate reqsk on identical SYN", " - ALSA: seq: Fix missing channel at encoding RPN/NRPN MIDI2 messages", " - net: dsa: microchip: fix wrong register write when masking interrupt", " - sparc: fix old compat_sys_select()", " - sparc: fix compat recv/recvfrom syscalls", " - parisc: use correct compat recv/recvfrom syscalls", " - powerpc: restore some missing spu syscalls", " - tcp: fix tcp_rcv_fastopen_synack() to enter TCP_CA_Loss for failed TFO", " - ALSA: seq: Fix missing MSB in MIDI2 SPP conversion", " - netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data", " registers", " - net: mana: Fix possible double free in error handling path", " - drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep", " - vduse: validate block features only with block devices", " - vduse: Temporarily fail if control queue feature requested", " - x86/fpu: Fix AMD X86_BUG_FXSAVE_LEAK fixup", " - mtd: partitions: redboot: Added conversion of operands to a larger type", " - wifi: ieee80211: check for NULL in ieee80211_mle_size_ok()", " - bpf: Mark bpf prog stack with kmsan_unposion_memory in interpreter mode", " - RDMA/restrack: Fix potential invalid address access", " - net/iucv: Avoid explicit cpumask var allocation on stack", " - net/dpaa2: Avoid explicit cpumask var allocation on stack", " - crypto: ecdh - explicitly zeroize private_key", " - ALSA: emux: improve patch ioctl data validation", " - media: dvbdev: Initialize sbuf", " - irqchip/loongson: Select GENERIC_IRQ_EFFECTIVE_AFF_MASK if SMP for", " IRQ_LOONGARCH_CPU", " - soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message", " - gfs2: Fix NULL pointer dereference in gfs2_log_flush", " - drm/radeon/radeon_display: Decrease the size of allocated memory", " - nvme: fixup comment for nvme RDMA Provider Type", " - drm/panel: simple: Add 
missing display timing flags for KOE TX26D202VM0BWA", " - gpio: davinci: Validate the obtained number of IRQs", " - RISC-V: fix vector insn load/store width mask", " - drm/amdgpu: Fix pci state save during mode-1 reset", " - riscv: stacktrace: convert arch_stack_walk() to noinstr", " - gpiolib: cdev: Disallow reconfiguration without direction (uAPI v1)", " - randomize_kstack: Remove non-functional per-arch entropy filtering", " - x86: stop playing stack games in profile_pc()", " - parisc: use generic sys_fanotify_mark implementation", " - Revert \"MIPS: pci: lantiq: restore reset gpio polarity\"", " - pinctrl: qcom: spmi-gpio: drop broken pm8008 support", " - ocfs2: fix DIO failure due to insufficient transaction credits", " - nfs: drop the incorrect assertion in nfs_swap_rw()", " - mm: fix incorrect vbq reference in purge_fragmented_block", " - mmc: sdhci-pci-o2micro: Convert PCIBIOS_* return codes to errnos", " - mmc: sdhci-brcmstb: check R1_STATUS for erase/trim/discard", " - mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos", " - mmc: sdhci: Do not invert write-protect twice", " - mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro()", " - iio: xilinx-ams: Don't include ams_ctrl_channels in scan_mask", " - counter: ti-eqep: enable clock at probe", " - kbuild: doc: Update default INSTALL_MOD_DIR from extra to updates", " - kbuild: Fix build target deb-pkg: ln: failed to create hard link", " - i2c: testunit: don't erase registers after STOP", " - i2c: testunit: discard write requests while old command is running", " - ata: libata-core: Fix null pointer dereference on error", " - ata,scsi: libata-core: Do not leak memory for ata_port struct members", " - iio: adc: ad7266: Fix variable checking bug", " - iio: accel: fxls8962af: select IIO_BUFFER & IIO_KFIFO_BUF", " - iio: chemical: bme680: Fix pressure value output", " - iio: chemical: bme680: Fix calibration data variable", " - iio: chemical: bme680: Fix overflows in compensate() functions", " - iio: 
chemical: bme680: Fix sensor data read operation", " - net: usb: ax88179_178a: improve link status logs", " - usb: gadget: printer: SS+ support", " - usb: gadget: printer: fix races against disable", " - usb: musb: da8xx: fix a resource leak in probe()", " - usb: atm: cxacru: fix endpoint checking in cxacru_bind()", " - usb: dwc3: core: remove lock of otg mode during gadget suspend/resume to", " avoid deadlock", " - usb: gadget: aspeed_udc: fix device address configuration", " - usb: typec: ucsi: glink: fix child node release in probe function", " - usb: ucsi: stm32: fix command completion handling", " - usb: dwc3: core: Add DWC31 version 2.00a controller", " - usb: dwc3: core: Workaround for CSR read timeout", " - Revert \"serial: core: only stop transmit when HW fifo is empty\"", " - serial: 8250_omap: Implementation of Errata i2310", " - serial: imx: set receiver level before starting uart", " - serial: core: introduce uart_port_tx_limited_flags()", " - serial: bcm63xx-uart: fix tx after conversion to uart_port_tx_limited()", " - tty: mcf: MCF54418 has 10 UARTS", " - net: can: j1939: Initialize unused data in j1939_send_one()", " - net: can: j1939: recover socket queue on CAN bus error during BAM", " transmission", " - net: can: j1939: enhanced error handling for tightly received RTS messages", " in xtp_rx_rts_session_new", " - PCI/MSI: Fix UAF in msi_capability_init", " - cpufreq: intel_pstate: Use HWP to initialize ITMT if CPPC is missing", " - irqchip/loongson-eiointc: Use early_cpu_to_node() instead of cpu_to_node()", " - cpu/hotplug: Fix dynstate assignment in __cpuhp_setup_state_cpuslocked()", " - irqchip/loongson-liointc: Set different ISRs for different cores", " - kbuild: Install dtb files as 0644 in Makefile.dtbinst", " - sh: rework sync_file_range ABI", " - btrfs: zoned: fix initial free space detection", " - csky, hexagon: fix broken sys_sync_file_range", " - hexagon: fix fadvise64_64 calling conventions", " - drm/drm_file: Fix pid refcounting race", 
" - drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes", " - drm/fbdev-dma: Only set smem_start is enable per module option", " - drm/amdgpu: avoid using null object of framebuffer", " - drm/i915/gt: Fix potential UAF by revoke of fence registers", " - drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes", " - drm/amd/display: Send DP_TOTAL_LTTPR_CNT during detection if LTTPR is", " present", " - drm/amdgpu/atomfirmware: fix parsing of vram_info", " - batman-adv: Don't accept TT entries for out-of-spec VIDs", " - can: mcp251xfd: fix infinite loop when xmit fails", " - ata: ahci: Clean up sysfs file on error", " - ata: libata-core: Fix double free on error", " - ftruncate: pass a signed offset", " - syscalls: fix compat_sys_io_pgetevents_time64 usage", " - syscalls: fix sys_fanotify_mark prototype", " - Revert \"cpufreq: amd-pstate: Fix the inconsistency in max frequency units\"", " - mm/page_alloc: Separate THP PCP into movable and non-movable categories", " - arm64: dts: rockchip: Fix SD NAND and eMMC init on rk3308-rock-pi-s", " - arm64: dts: rockchip: Rename LED related pinctrl nodes on rk3308-rock-pi-s", " - arm64: dts: rockchip: Fix the value of `dlg,jack-det-rate` mismatch on", " rk3399-gru", " - ARM: dts: rockchip: rk3066a: add #sound-dai-cells to hdmi node", " - arm64: dts: rockchip: make poweroff(8) work on Radxa ROCK 5A", " - arm64: dts: rockchip: fix PMIC interrupt pin on ROCK Pi E", " - arm64: dts: rockchip: Add sound-dai-cells for RK3368", " - cxl/region: Move cxl_dpa_to_region() work to the region driver", " - cxl/region: Avoid null pointer dereference in region lookup", " - cxl/region: check interleave capability", " - serial: imx: only set receiver level if it is zero", " - serial: 8250_omap: Fix Errata i2310 with RX FIFO level check", " - tracing/net_sched: NULL pointer dereference in perf_trace_qdisc_reset()", " - pwm: stm32: Improve precision of calculation in .apply()", " - pwm: stm32: Fix for 
settings using period > UINT32_MAX", " - pwm: stm32: Calculate prescaler with a division instead of a loop", " - pwm: stm32: Refuse too small period requests", " - ASoC: cs42l43: Increase default type detect time and button delay", " - ASoC: amd: acp: move chip->flag variable assignment", " - bonding: fix incorrect software timestamping report", " - mlxsw: pci: Fix driver initialization with Spectrum-4", " - vxlan: Pull inner IP header in vxlan_xmit_one().", " - ASoC: mediatek: mt8195: Add platform entry for ETDM1_OUT_BE dai link", " - af_unix: Stop recv(MSG_PEEK) at consumed OOB skb.", " - af_unix: Don't stop recv(MSG_DONTWAIT) if consumed OOB skb is at the head.", " - af_unix: Don't stop recv() at consumed ex-OOB skb.", " - af_unix: Fix wrong ioctl(SIOCATMARK) when consumed OOB skb is at the head.", " - bpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro()", " - bpf: Take return from set_memory_rox() into account with", " bpf_jit_binary_lock_ro()", " - drm/xe: Fix potential integer overflow in page size calculation", " - drm/xe: Add a NULL check in xe_ttm_stolen_mgr_init", " - drm/amd/display: correct hostvm flag", " - drm/amd/display: Skip pipe if the pipe idx not set properly", " - bpf: Add a check for struct bpf_fib_lookup size", " - drm/xe/xe_devcoredump: Check NULL before assignments", " - iommu/arm-smmu-v3: Do not allow a SVA domain to be set on the wrong PASID", " - evm: Enforce signatures on unsupported filesystem for EVM_INIT_X509", " - drm/xe: Check pat.ops before dumping PAT settings", " - nvmet: do not return 'reserved' for empty TSAS values", " - nvmet: make 'tsas' attribute idempotent for RDMA", " - iommu/amd: Fix GT feature enablement again", " - gpiolib: cdev: Ignore reconfiguration without direction", " - kasan: fix bad call to unpoison_slab_object", " - mm/memory: don't require head page for do_set_pmd()", " - SUNRPC: Fix backchannel reply, again", " - Revert \"usb: gadget: u_ether: Re-attach netif device to mirror 
detachment\"", " - Revert \"usb: gadget: u_ether: Replace netif_stop_queue with", " netif_device_detach\"", " - tty: serial: 8250: Fix port count mismatch with the device", " - tty: mxser: Remove __counted_by from mxser_board.ports[]", " - nvmet-fc: Remove __counted_by from nvmet_fc_tgt_queue.fod[]", " - ata: libata-core: Add ATA_HORKAGE_NOLPM for all Crucial BX SSD1 models", " - bcachefs: Fix sb_field_downgrade validation", " - bcachefs: Fix sb-downgrade validation", " - bcachefs: Fix bch2_sb_downgrade_update()", " - bcachefs: Fix setting of downgrade recovery passes/errors", " - bcachefs: btree_gc can now handle unknown btrees", " - pwm: stm32: Fix calculation of prescaler", " - pwm: stm32: Fix error message to not describe the previous error path", " - cxl/region: Convert cxl_pmem_region_alloc to scope-based resource management", " - cxl/mem: Fix no cxl_nvd during pmem region auto-assembling", " - arm64: dts: rockchip: Fix the i2c address of es8316 on Cool Pi 4B", " - netfs: Fix netfs_page_mkwrite() to check folio->mapping is valid", " - netfs: Fix netfs_page_mkwrite() to flush conflicting data, not wait", " - Upstream stable to v6.6.37, v6.9.8", " * [UBUNTU 22.04] s390/cpum_cf: make crypto counters upward compatible", " (LP: #2074380)", " - s390/cpum_cf: make crypto counters upward compatible across machine types", " * CVE-2024-45016", " - netem: fix return value if duplicate enqueue fails", "" ], "package": "linux-riscv-6.8", "version": "6.8.0-48.48.1~22.04.2", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2082433, 2082434, 2074082, 2082437, 2077470, 2078834, 2077729, 2076866, 2076147, 2070329, 2076406, 2076190, 2077321, 2076402, 2077396, 2060039, 2079945, 2078304, 2078041, 2077690, 2077858, 2078289, 2076675, 2078289, 2073695, 2076361, 2072679, 2077600, 2069993, 2062951, 2073583, 2073282, 2076435, 2074380 ], "author": "Emil Renner Berthing ", "date": "Wed, 16 Oct 2024 20:35:45 +0200" }, { "cves": [ { "cve": "CVE-2024-45016", "url": 
"https://ubuntu.com/security/CVE-2024-45016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug happen: - If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. 
The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.", "cve_priority": "medium", "cve_public_date": "2024-09-11 16:15:00 UTC" } ], "log": [ "", " * jammy/linux-riscv-6.8: 6.8.0-47.47.1~22.04.1 -proposed tracker", " (LP: #2082114)", "", " [ Ubuntu: 6.8.0-47.47.1 ]", "", " * noble/linux-riscv: 6.8.0-47.47.1 -proposed tracker (LP: #2082115)", " [ Ubuntu: 6.8.0-47.47 ]", " * noble/linux: 6.8.0-47.47 -proposed tracker (LP: #2082118)", " * CVE-2024-45016", " - netem: fix return value if duplicate enqueue fails", "" ], "package": "linux-riscv-6.8", "version": "6.8.0-47.47.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2082114, 2082115, 2082118 ], "author": "Emil Renner Berthing ", "date": "Wed, 09 Oct 2024 17:06:48 +0200" }, { "cves": [ { "cve": "CVE-2024-41009", "url": "https://ubuntu.com/security/CVE-2024-41009", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix overrunning reservations in ringbuf The BPF ring buffer internally is implemented as a power-of-2 sized circular buffer, with two logical and ever-increasing counters: consumer_pos is the consumer counter to show which logical position the consumer consumed the data, and producer_pos which is the producer counter denoting the amount of data reserved by all producers. Each time a record is reserved, the producer that \"owns\" the record will successfully advance producer counter. In user space each time a record is read, the consumer of the data advanced the consumer counter once it finished processing. Both counters are stored in separate pages so that from user space, the producer counter is read-only and the consumer counter is read-write. 
One aspect that simplifies and thus speeds up the implementation of both producers and consumers is how the data area is mapped twice contiguously back-to-back in the virtual memory, allowing to not take any special measures for samples that have to wrap around at the end of the circular buffer data area, because the next page after the last data page would be first data page again, and thus the sample will still appear completely contiguous in virtual memory. Each record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for book-keeping the length and offset, and is inaccessible to the BPF program. Helpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ` for the BPF program to use. Bing-Jhong and Muhammad reported that it is however possible to make a second allocated memory chunk overlapping with the first chunk and as a result, the BPF program is now able to edit first chunk's header. For example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size of 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to bpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in [0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets allocate a chunk B with size 0x3000. This will succeed because consumer_pos was edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask` check. Chunk B will be in range [0x3008,0x6010], and the BPF program is able to edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned earlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data pages. This means that chunk B at [0x4000,0x4008] is chunk A's header. bpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then locate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk B modified chunk A's header, then bpf_ringbuf_commit() refers to the wrong page and could cause a crash. 
Fix it by calculating the oldest pending_pos and check whether the range from the oldest outstanding record to the newest would span beyond the ring buffer size. If that is the case, then reject the request. We've tested with the ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh) before/after the fix and while it seems a bit slower on some benchmarks, it is still not significantly enough to matter.", "cve_priority": "medium", "cve_public_date": "2024-07-17 07:15:00 UTC" }, { "cve": "CVE-2024-42160", "url": "https://ubuntu.com/security/CVE-2024-42160", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: f2fs: check validation of fault attrs in f2fs_build_fault_attr() - It missed to check validation of fault attrs in parse_options(), let's fix to add check condition in f2fs_build_fault_attr(). - Use f2fs_build_fault_attr() in __sbi_store() to clean up code.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-42224", "url": "https://ubuntu.com/security/CVE-2024-42224", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: dsa: mv88e6xxx: Correct check for empty list Since commit a3c53be55c95 (\"net: dsa: mv88e6xxx: Support multiple MDIO busses\") mv88e6xxx_default_mdio_bus() has checked that the return value of list_first_entry() is non-NULL. This appears to be intended to guard against the list chip->mdios being empty. However, it is not the correct check as the implementation of list_first_entry is not designed to return NULL for empty lists. Instead, use list_first_entry_or_null() which does return NULL if the list is empty. Flagged by Smatch. 
Compile tested only.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-42154", "url": "https://ubuntu.com/security/CVE-2024-42154", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp_metrics: validate source addr length I don't see anything checking that TCP_METRICS_ATTR_SADDR_IPV4 is at least 4 bytes long, and the policy doesn't have an entry for this attribute at all (neither does it for IPv6 but v6 is manually validated).", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-42228", "url": "https://ubuntu.com/security/CVE-2024-42228", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. V2: To really improve the handling we would actually need to have a separate value of 0xffffffff.(Christian)", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-42159", "url": "https://ubuntu.com/security/CVE-2024-42159", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Sanitise num_phys Information is stored in mr_sas_port->phy_mask, values larger than the size of this field shouldn't be allowed.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" } ], "log": [ "", " * jammy/linux-riscv-6.8: 6.8.0-45.45.1~22.04.1 -proposed tracker", " (LP: #2078096)", "", " [ Ubuntu: 6.8.0-45.45.1 ]", "", " * noble/linux-riscv: 6.8.0-45.45.1 -proposed tracker (LP: #2078097)", " [ Ubuntu: 6.8.0-45.45 ]", " * noble/linux: 6.8.0-45.45 -proposed tracker (LP: #2078100)", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.master/dkms-versions -- update from kernel-versions", " (main/s2024.08.05)", " * Noble update: upstream stable patchset 2024-08-09 (LP: #2076435) 
//", " CVE-2024-41009", " - bpf: Fix overrunning reservations in ringbuf", " * CVE-2024-42160", " - f2fs: check validation of fault attrs in f2fs_build_fault_attr()", " - f2fs: Add inline to f2fs_build_fault_attr() stub", " * Noble update: upstream stable patchset 2024-08-22 (LP: #2077600) //", " CVE-2024-42224", " - net: dsa: mv88e6xxx: Correct check for empty list", " * Noble update: upstream stable patchset 2024-08-22 (LP: #2077600) //", " CVE-2024-42154", " - tcp_metrics: validate source addr length", " * CVE-2024-42228", " - drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc", " * CVE-2024-42159", " - scsi: mpi3mr: Sanitise num_phys", "" ], "package": "linux-riscv-6.8", "version": "6.8.0-45.45.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2078096, 2078097, 2078100, 1786013, 2076435, 2077600, 2077600 ], "author": "Roxana Nicolescu ", "date": "Mon, 02 Sep 2024 11:50:42 +0200" } ], "notes": "linux-modules-6.8.0-49-generic version '6.8.0-49.49.1~22.04.1' (source package linux-riscv-6.8 version '6.8.0-49.49.1~22.04.1') was added. linux-modules-6.8.0-49-generic version '6.8.0-49.49.1~22.04.1' has the same source package name, linux-riscv-6.8, as removed package linux-headers-6.8.0-44-generic. As such we can use the source package version of the removed package, '6.8.0-44.44.1~22.04.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." 
}, { "name": "linux-riscv-6.8-headers-6.8.0-49", "from_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-44.44.1~22.04.1", "version": null }, "to_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-49.49.1~22.04.1", "version": "6.8.0-49.49.1~22.04.1" }, "cves": [ { "cve": "CVE-2024-46800", "url": "https://ubuntu.com/security/CVE-2024-46800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sch/netem: fix use after free in netem_dequeue If netem_dequeue() enqueues packet to inner qdisc and that qdisc returns __NET_XMIT_STOLEN. The packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, leading to the similar use-after-free as Commit e04991a48dbaf382 (\"netem: fix return value if duplicate enqueue fails\") Commands to trigger KASAN UaF: ip link add type dummy ip link set lo up ip link set dummy0 up tc qdisc add dev lo parent root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2: handle 3: drr tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0 tc class add dev lo classid 3:1 drr ping -c1 -W0.01 localhost # Trigger bug tc class del dev lo classid 1:1 tc class add dev lo classid 1:1 drr ping -c1 -W0.01 localhost # UaF", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-43882", "url": "https://ubuntu.com/security/CVE-2024-43882", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: exec: Fix ToCToU between perm check and set-uid/gid usage When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. 
Much later in the execve() code path, the file metadata (specifically mode, uid, and gid) is used to determine if/how to set the uid and gid. However, those values may have changed since the permissions check, meaning the execution may gain unintended privileges. For example, if a file could change permissions from executable and not set-id: ---------x 1 root root 16048 Aug 7 13:16 target to set-id and non-executable: ---S------ 1 root root 16048 Aug 7 13:16 target it is possible to gain root privileges when execution should have been disallowed. While this race condition is rare in real-world scenarios, it has been observed (and proven exploitable) when package managers are updating the setuid bits of installed programs. Such files start with being world-executable but then are adjusted to be group-exec with a set-uid bit. For example, \"chmod o-x,u+s target\" makes \"target\" executable only by uid \"root\" and gid \"cdrom\", while also becoming setuid-root: -rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target becomes: -rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target But racing the chmod means users without group \"cdrom\" membership can get the permission to execute \"target\" just before the chmod, and when the chmod finishes, the exec reaches bprm_fill_uid(), and performs the setuid to root, violating the expressed authorization of \"only cdrom group members can setuid to root\". Re-check that we still have execute permissions in case the metadata has changed. It would be better to keep a copy from the perm-check time, but until we can do that refactoring, the least-bad option is to do a full inode_permission() call (under inode lock). 
It is understood that this is safe against dead-locks, but hardly optimal.", "cve_priority": "high", "cve_public_date": "2024-08-21 01:15:00 UTC" }, { "cve": "CVE-2024-43858", "url": "https://ubuntu.com/security/CVE-2024-43858", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: Fix array-index-out-of-bounds in diFree", "cve_priority": "medium", "cve_public_date": "2024-08-17 10:15:00 UTC" }, { "cve": "CVE-2024-42280", "url": "https://ubuntu.com/security/CVE-2024-42280", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mISDN: Fix a use after free in hfcmulti_tx() Don't dereference *sp after calling dev_kfree_skb(*sp).", "cve_priority": "medium", "cve_public_date": "2024-08-17 09:15:00 UTC" }, { "cve": "CVE-2024-42271", "url": "https://ubuntu.com/security/CVE-2024-42271", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/iucv: fix use after free in iucv_sock_close() iucv_sever_path() is called from process context and from bh context. iucv->path is used as indicator whether somebody else is taking care of severing the path (or it is already removed / never existed). This needs to be done with atomic compare and swap, otherwise there is a small window where iucv_sock_close() will try to work with a path that has already been severed and freed by iucv_callback_connrej() called by iucv_tasklet_fn(). 
Example: [452744.123844] Call Trace: [452744.123845] ([<0000001e87f03880>] 0x1e87f03880) [452744.123966] [<00000000d593001e>] iucv_path_sever+0x96/0x138 [452744.124330] [<000003ff801ddbca>] iucv_sever_path+0xc2/0xd0 [af_iucv] [452744.124336] [<000003ff801e01b6>] iucv_sock_close+0xa6/0x310 [af_iucv] [452744.124341] [<000003ff801e08cc>] iucv_sock_release+0x3c/0xd0 [af_iucv] [452744.124345] [<00000000d574794e>] __sock_release+0x5e/0xe8 [452744.124815] [<00000000d5747a0c>] sock_close+0x34/0x48 [452744.124820] [<00000000d5421642>] __fput+0xba/0x268 [452744.124826] [<00000000d51b382c>] task_work_run+0xbc/0xf0 [452744.124832] [<00000000d5145710>] do_notify_resume+0x88/0x90 [452744.124841] [<00000000d5978096>] system_call+0xe2/0x2c8 [452744.125319] Last Breaking-Event-Address: [452744.125321] [<00000000d5930018>] iucv_path_sever+0x90/0x138 [452744.125324] [452744.125325] Kernel panic - not syncing: Fatal exception in interrupt Note that bh_lock_sock() is not serializing the tasklet context against process context, because the check for sock_owned_by_user() and corresponding handling is missing. Ideas for a future clean-up patch: A) Correct usage of bh_lock_sock() in tasklet context, as described in Re-enqueue, if needed. This may require adding return values to the tasklet functions and thus changes to all users of iucv. B) Change iucv tasklet into worker and use only lock_sock() in af_iucv.", "cve_priority": "medium", "cve_public_date": "2024-08-17 09:15:00 UTC" }, { "cve": "CVE-2024-27022", "url": "https://ubuntu.com/security/CVE-2024-27022", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fork: defer linking file vma until vma is fully initialized Thorvald reported a WARNING [1]. And the root cause is below race: CPU 1 CPU 2 fork hugetlbfs_fallocate dup_mmap hugetlbfs_punch_hole i_mmap_lock_write(mapping); vma_interval_tree_insert_after -- Child vma is visible through i_mmap tree. 
i_mmap_unlock_write(mapping); hugetlb_dup_vma_private -- Clear vma_lock outside i_mmap_rwsem! i_mmap_lock_write(mapping); hugetlb_vmdelete_list vma_interval_tree_foreach hugetlb_vma_trylock_write -- Vma_lock is cleared. tmp->vm_ops->open -- Alloc new vma_lock outside i_mmap_rwsem! hugetlb_vma_unlock_write -- Vma_lock is assigned!!! i_mmap_unlock_write(mapping); hugetlb_dup_vma_private() and hugetlb_vm_op_open() are called outside i_mmap_rwsem lock while vma lock can be used in the same time. Fix this by deferring linking file vma until vma is fully initialized. Those vmas should be initialized first before they can be used.", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-41022", "url": "https://ubuntu.com/security/CVE-2024-41022", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq() The \"instance\" variable needs to be signed for the error handling to work.", "cve_priority": "medium", "cve_public_date": "2024-07-29 14:15:00 UTC" }, { "cve": "CVE-2024-45016", "url": "https://ubuntu.com/security/CVE-2024-45016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug happen: - If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. 
- If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.", "cve_priority": "medium", "cve_public_date": "2024-09-11 16:15:00 UTC" }, { "cve": "CVE-2024-45016", "url": "https://ubuntu.com/security/CVE-2024-45016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug happen: - If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. 
The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.", "cve_priority": "medium", "cve_public_date": "2024-09-11 16:15:00 UTC" }, { "cve": "CVE-2024-41009", "url": "https://ubuntu.com/security/CVE-2024-41009", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix overrunning reservations in ringbuf The BPF ring buffer internally is implemented as a power-of-2 sized circular buffer, with two logical and ever-increasing counters: consumer_pos is the consumer counter to show which logical position the consumer consumed the data, and producer_pos which is the producer counter denoting the amount of data reserved by all producers. Each time a record is reserved, the producer that \"owns\" the record will successfully advance producer counter. In user space each time a record is read, the consumer of the data advanced the consumer counter once it finished processing. Both counters are stored in separate pages so that from user space, the producer counter is read-only and the consumer counter is read-write. One aspect that simplifies and thus speeds up the implementation of both producers and consumers is how the data area is mapped twice contiguously back-to-back in the virtual memory, allowing to not take any special measures for samples that have to wrap around at the end of the circular buffer data area, because the next page after the last data page would be first data page again, and thus the sample will still appear completely contiguous in virtual memory. Each record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for book-keeping the length and offset, and is inaccessible to the BPF program. Helpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ` for the BPF program to use. 
Bing-Jhong and Muhammad reported that it is however possible to make a second allocated memory chunk overlapping with the first chunk and as a result, the BPF program is now able to edit first chunk's header. For example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size of 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to bpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in [0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets allocate a chunk B with size 0x3000. This will succeed because consumer_pos was edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask` check. Chunk B will be in range [0x3008,0x6010], and the BPF program is able to edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned earlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data pages. This means that chunk B at [0x4000,0x4008] is chunk A's header. bpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then locate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk B modified chunk A's header, then bpf_ringbuf_commit() refers to the wrong page and could cause a crash. Fix it by calculating the oldest pending_pos and check whether the range from the oldest outstanding record to the newest would span beyond the ring buffer size. If that is the case, then reject the request. 
We've tested with the ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh) before/after the fix and while it seems a bit slower on some benchmarks, it is still not significantly enough to matter.", "cve_priority": "medium", "cve_public_date": "2024-07-17 07:15:00 UTC" }, { "cve": "CVE-2024-42160", "url": "https://ubuntu.com/security/CVE-2024-42160", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: f2fs: check validation of fault attrs in f2fs_build_fault_attr() - It missed to check validation of fault attrs in parse_options(), let's fix to add check condition in f2fs_build_fault_attr(). - Use f2fs_build_fault_attr() in __sbi_store() to clean up code.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-42224", "url": "https://ubuntu.com/security/CVE-2024-42224", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: dsa: mv88e6xxx: Correct check for empty list Since commit a3c53be55c95 (\"net: dsa: mv88e6xxx: Support multiple MDIO busses\") mv88e6xxx_default_mdio_bus() has checked that the return value of list_first_entry() is non-NULL. This appears to be intended to guard against the list chip->mdios being empty. However, it is not the correct check as the implementation of list_first_entry is not designed to return NULL for empty lists. Instead, use list_first_entry_or_null() which does return NULL if the list is empty. Flagged by Smatch. 
Compile tested only.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-42154", "url": "https://ubuntu.com/security/CVE-2024-42154", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp_metrics: validate source addr length I don't see anything checking that TCP_METRICS_ATTR_SADDR_IPV4 is at least 4 bytes long, and the policy doesn't have an entry for this attribute at all (neither does it for IPv6 but v6 is manually validated).", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-42228", "url": "https://ubuntu.com/security/CVE-2024-42228", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. V2: To really improve the handling we would actually need to have a separate value of 0xffffffff.(Christian)", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-42159", "url": "https://ubuntu.com/security/CVE-2024-42159", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Sanitise num_phys Information is stored in mr_sas_port->phy_mask, values larger than the size of this field shouldn't be allowed.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2085938, 2085939, 2085942, 2085495, 2082433, 2082434, 2074082, 2082437, 2077470, 2078834, 2077729, 2076866, 2076147, 2070329, 2076406, 2076190, 2077321, 2076402, 2077396, 2060039, 2079945, 2078304, 2078041, 2077690, 2077858, 2078289, 2076675, 2078289, 2073695, 2076361, 2072679, 2077600, 2069993, 2062951, 2073583, 2073282, 2076435, 2074380, 2082114, 2082115, 2082118, 2078096, 2078097, 2078100, 1786013, 2076435, 2077600, 2077600 ], "changes": [ { "cves": [ { "cve": "CVE-2024-46800", 
"url": "https://ubuntu.com/security/CVE-2024-46800", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sch/netem: fix use after free in netem_dequeue If netem_dequeue() enqueues packet to inner qdisc and that qdisc returns __NET_XMIT_STOLEN. The packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, leading to the similar use-after-free as Commit e04991a48dbaf382 (\"netem: fix return value if duplicate enqueue fails\") Commands to trigger KASAN UaF: ip link add type dummy ip link set lo up ip link set dummy0 up tc qdisc add dev lo parent root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2: handle 3: drr tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0 tc class add dev lo classid 3:1 drr ping -c1 -W0.01 localhost # Trigger bug tc class del dev lo classid 1:1 tc class add dev lo classid 1:1 drr ping -c1 -W0.01 localhost # UaF", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-43882", "url": "https://ubuntu.com/security/CVE-2024-43882", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: exec: Fix ToCToU between perm check and set-uid/gid usage When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. Much later in the execve() code path, the file metadata (specifically mode, uid, and gid) is used to determine if/how to set the uid and gid. However, those values may have changed since the permissions check, meaning the execution may gain unintended privileges. 
For example, if a file could change permissions from executable and not set-id: ---------x 1 root root 16048 Aug 7 13:16 target to set-id and non-executable: ---S------ 1 root root 16048 Aug 7 13:16 target it is possible to gain root privileges when execution should have been disallowed. While this race condition is rare in real-world scenarios, it has been observed (and proven exploitable) when package managers are updating the setuid bits of installed programs. Such files start with being world-executable but then are adjusted to be group-exec with a set-uid bit. For example, \"chmod o-x,u+s target\" makes \"target\" executable only by uid \"root\" and gid \"cdrom\", while also becoming setuid-root: -rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target becomes: -rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target But racing the chmod means users without group \"cdrom\" membership can get the permission to execute \"target\" just before the chmod, and when the chmod finishes, the exec reaches bprm_fill_uid(), and performs the setuid to root, violating the expressed authorization of \"only cdrom group members can setuid to root\". Re-check that we still have execute permissions in case the metadata has changed. It would be better to keep a copy from the perm-check time, but until we can do that refactoring, the least-bad option is to do a full inode_permission() call (under inode lock). 
It is understood that this is safe against dead-locks, but hardly optimal.", "cve_priority": "high", "cve_public_date": "2024-08-21 01:15:00 UTC" } ], "log": [ "", " * jammy/linux-riscv-6.8: 6.8.0-49.49.1~22.04.1 -proposed tracker", " (LP: #2085938)", "", " [ Ubuntu: 6.8.0-49.49.1 ]", "", " * noble/linux-riscv: 6.8.0-49.49.1 -proposed tracker (LP: #2085939)", " [ Ubuntu: 6.8.0-49.49 ]", " * noble/linux: 6.8.0-49.49 -proposed tracker (LP: #2085942)", " * CVE-2024-46800", " - sch/netem: fix use after free in netem_dequeue", " * mm/folios: xfs hangs with hung task timeouts with corrupted folio pointer", " lists (LP: #2085495)", " - lib/xarray: introduce a new helper xas_get_order", " - mm/filemap: return early if failed to allocate memory for split", " - mm/filemap: optimize filemap folio adding", " * CVE-2024-43882", " - exec: Fix ToCToU between perm check and set-uid/gid usage", "" ], "package": "linux-riscv-6.8", "version": "6.8.0-49.49.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2085938, 2085939, 2085942, 2085495 ], "author": "Emil Renner Berthing ", "date": "Thu, 07 Nov 2024 13:26:02 +0100" }, { "cves": [ { "cve": "CVE-2024-43858", "url": "https://ubuntu.com/security/CVE-2024-43858", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: jfs: Fix array-index-out-of-bounds in diFree", "cve_priority": "medium", "cve_public_date": "2024-08-17 10:15:00 UTC" }, { "cve": "CVE-2024-42280", "url": "https://ubuntu.com/security/CVE-2024-42280", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mISDN: Fix a use after free in hfcmulti_tx() Don't dereference *sp after calling dev_kfree_skb(*sp).", "cve_priority": "medium", "cve_public_date": "2024-08-17 09:15:00 UTC" }, { "cve": "CVE-2024-42271", "url": "https://ubuntu.com/security/CVE-2024-42271", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/iucv: fix use after free in 
iucv_sock_close() iucv_sever_path() is called from process context and from bh context. iucv->path is used as indicator whether somebody else is taking care of severing the path (or it is already removed / never existed). This needs to be done with atomic compare and swap, otherwise there is a small window where iucv_sock_close() will try to work with a path that has already been severed and freed by iucv_callback_connrej() called by iucv_tasklet_fn(). Example: [452744.123844] Call Trace: [452744.123845] ([<0000001e87f03880>] 0x1e87f03880) [452744.123966] [<00000000d593001e>] iucv_path_sever+0x96/0x138 [452744.124330] [<000003ff801ddbca>] iucv_sever_path+0xc2/0xd0 [af_iucv] [452744.124336] [<000003ff801e01b6>] iucv_sock_close+0xa6/0x310 [af_iucv] [452744.124341] [<000003ff801e08cc>] iucv_sock_release+0x3c/0xd0 [af_iucv] [452744.124345] [<00000000d574794e>] __sock_release+0x5e/0xe8 [452744.124815] [<00000000d5747a0c>] sock_close+0x34/0x48 [452744.124820] [<00000000d5421642>] __fput+0xba/0x268 [452744.124826] [<00000000d51b382c>] task_work_run+0xbc/0xf0 [452744.124832] [<00000000d5145710>] do_notify_resume+0x88/0x90 [452744.124841] [<00000000d5978096>] system_call+0xe2/0x2c8 [452744.125319] Last Breaking-Event-Address: [452744.125321] [<00000000d5930018>] iucv_path_sever+0x90/0x138 [452744.125324] [452744.125325] Kernel panic - not syncing: Fatal exception in interrupt Note that bh_lock_sock() is not serializing the tasklet context against process context, because the check for sock_owned_by_user() and corresponding handling is missing. Ideas for a future clean-up patch: A) Correct usage of bh_lock_sock() in tasklet context, as described in Re-enqueue, if needed. This may require adding return values to the tasklet functions and thus changes to all users of iucv. 
B) Change iucv tasklet into worker and use only lock_sock() in af_iucv.", "cve_priority": "medium", "cve_public_date": "2024-08-17 09:15:00 UTC" }, { "cve": "CVE-2024-27022", "url": "https://ubuntu.com/security/CVE-2024-27022", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fork: defer linking file vma until vma is fully initialized Thorvald reported a WARNING [1]. And the root cause is below race: CPU 1 CPU 2 fork hugetlbfs_fallocate dup_mmap hugetlbfs_punch_hole i_mmap_lock_write(mapping); vma_interval_tree_insert_after -- Child vma is visible through i_mmap tree. i_mmap_unlock_write(mapping); hugetlb_dup_vma_private -- Clear vma_lock outside i_mmap_rwsem! i_mmap_lock_write(mapping); hugetlb_vmdelete_list vma_interval_tree_foreach hugetlb_vma_trylock_write -- Vma_lock is cleared. tmp->vm_ops->open -- Alloc new vma_lock outside i_mmap_rwsem! hugetlb_vma_unlock_write -- Vma_lock is assigned!!! i_mmap_unlock_write(mapping); hugetlb_dup_vma_private() and hugetlb_vm_op_open() are called outside i_mmap_rwsem lock while vma lock can be used in the same time. Fix this by deferring linking file vma until vma is fully initialized. 
Those vmas should be initialized first before they can be used.", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-41022", "url": "https://ubuntu.com/security/CVE-2024-41022", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq() The \"instance\" variable needs to be signed for the error handling to work.", "cve_priority": "medium", "cve_public_date": "2024-07-29 14:15:00 UTC" }, { "cve": "CVE-2024-45016", "url": "https://ubuntu.com/security/CVE-2024-45016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug happen: - If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. 
The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.", "cve_priority": "medium", "cve_public_date": "2024-09-11 16:15:00 UTC" } ], "log": [ "", " * jammy/linux-riscv-6.8: 6.8.0-48.48.1~22.04.2 -proposed tracker", " (LP: #2082433)", "", " * Miscellaneous Ubuntu changes", " - [Packaging] riscv: add libtraceevent build dependencies", "", " [ Ubuntu: 6.8.0-48.48.1 ]", "", " * noble/linux-riscv: 6.8.0-48.48.1 -proposed tracker (LP: #2082434)", " * Enable Microchip PIC64GX Curiosity Kit (LP: #2074082)", " - dt-bindings: clock: mpfs: add more MSSPLL output definitions", " - dt-bindings: can: mpfs: add missing required clock", " - clk: microchip: mpfs: split MSSPLL in two", " - clk: microchip: mpfs: setup for using other mss pll outputs", " - clk: microchip: mpfs: add missing MSSPLL outputs", " - clk: microchip: mpfs: convert MSSPLL outputs to clk_divider", " - riscv: dts: microchip: add missing CAN bus clocks", " - SAUCE: dt-bindings: can: mpfs: add PIC64GX CAN compatibility", " - SAUCE: dt-bindings: usb: add PIC64GX compatibility to mpfs-musb driver", " - SAUCE: dt-bindings: mbox: add PIC64GX mailbox compatibility to MPFS mailbox", " - SAUCE: dt-bindings: spi: add PIC64GX SPI/QSPI compatibility to MPFS SPI/QSPI", " bindings", " - SAUCE: dt-bindings: gpio: mpfs-gpio: Add PIC64GX GPIO compatibility", " - SAUCE: dt-bindings: cache: sifive,ccache0: add a PIC64GX compatible", " - SAUCE: dt-bindings: clock: mpfs-ccc: Add PIC64GX compatibility", " - SAUCE: dt-bindings: clock: mpfs-clkcfg: Add PIC64GX compatibility", " - SAUCE: dt-bindings: dma: sifive pdma: Add PIC64GX to compatibles", " - SAUCE: dt-bindings: i2c: microchip: corei2c: Add PIC64GX as compatible with", " driver", " - SAUCE: dt-bindings: mmc: cdns: document Microchip PIC64GX MMC/SDHCI", " controller", " - SAUCE: dt-bindings: net: cdns,macb: Add PIC64GX compatibility", " - SAUCE: dt-bindings: rtc: mfps-rtc: Add PIC64GX compatibility", 
" - SAUCE: dt-bindings: soc: microchip: mpfs-sys-controller: Add PIC64GX", " compatibility", " - SAUCE: dt-bindings: riscv: microchip: document the PIC64GX curiosity kit", " - SAUCE: dt-bindings: mmc: cdns,sdhci: ref sdhci-common.yaml", " - SAUCE: dt-bindings: timer: sifive,clint: add PIC64GX compatibility", " - SAUCE: dt-bindings: interrupt-controller: sifive,plic: Add PIC64GX", " compatibility", " - SAUCE: riscv: dts: microchip: add PIC64GX Curiosity Kit dts", " [ Ubuntu: 6.8.0-48.48 ]", " * noble/linux: 6.8.0-48.48 -proposed tracker (LP: #2082437)", " * [SRU][Noble] Bad EPP defaults cause performance regressions on select Intel", " CPUs (LP: #2077470)", " - x86/cpu/vfm: Update arch/x86/include/asm/intel-family.h", " - cpufreq: intel_pstate: Allow model specific EPPs", " - cpufreq: intel_pstate: Update default EPPs for Meteor Lake", " - cpufreq: intel_pstate: Switch to new Intel CPU model defines", " - cpufreq: intel_pstate: Update Meteor Lake EPPs", " - cpufreq: intel_pstate: Use Meteor Lake EPPs for Arrow Lake", " - cpufreq: intel_pstate: Update Balance performance EPP for Emerald Rapids", " * power: Enable intel_rapl driver (LP: #2078834)", " - powercap: intel_rapl: Add support for ArrowLake-H platform", " * x86/vmware: Add TDX hypercall support (LP: #2077729)", " - x86/vmware: Introduce VMware hypercall API", " - x86/vmware: Add TDX hypercall support", " * Guest crashes post migration with migrate_misplaced_folio+0x4cc/0x5d0", " (LP: #2076866)", " - mm/mempolicy: use numa_node_id() instead of cpu_to_node()", " - mm/numa_balancing: allow migrate on protnone reference with", " MPOL_PREFERRED_MANY policy", " - mm: convert folio_estimated_sharers() to folio_likely_mapped_shared()", " - mm: factor out the numa mapping rebuilding into a new helper", " - mm: support multi-size THP numa balancing", " - mm/migrate: make migrate_misplaced_folio() return 0 on success", " - mm/migrate: move NUMA hinting fault folio isolation + checks under PTL", " - mm: fix possible OOB 
in numa_rebuild_large_mapping()", " * Add 'mm: hold PTL from the first PTE while reclaiming a large folio' to fix", " L2 Guest hang during LTP Test (LP: #2076147)", " - mm: hold PTL from the first PTE while reclaiming a large folio", " * KOP L2 guest fails to boot with 1 core - SMT8 topology (LP: #2070329)", " - KVM: PPC: Book3S HV nestedv2: Add DPDES support in helper library for Guest", " state buffer", " - KVM: PPC: Book3S HV nestedv2: Fix doorbell emulation", " * L2 Guest migration: continuously dumping while running NFS guest migration", " (LP: #2076406)", " - KVM: PPC: Book3S HV: Fix the set_one_reg for MMCR3", " - KVM: PPC: Book3S HV: Fix the get_one_reg of SDAR", " - KVM: PPC: Book3S HV: Add one-reg interface for DEXCR register", " - KVM: PPC: Book3S HV nestedv2: Keep nested guest DEXCR in sync", " - KVM: PPC: Book3S HV: Add one-reg interface for HASHKEYR register", " - KVM: PPC: Book3S HV nestedv2: Keep nested guest HASHKEYR in sync", " - KVM: PPC: Book3S HV: Add one-reg interface for HASHPKEYR register", " - KVM: PPC: Book3S HV nestedv2: Keep nested guest HASHPKEYR in sync", " * perf build disables tracepoint support (LP: #2076190)", " - [Packaging] perf: reenable libtraceevent", " * Please backport the more restrictive XSAVES deactivation for Zen1/2 arch", " (LP: #2077321)", " - x86/CPU/AMD: Improve the erratum 1386 workaround", " * Fix alsa scarlett2 driver in 6.8 (LP: #2076402)", " - ALSA: scarlett2: Move initialisation code lower in the source", " - ALSA: scarlett2: Implement handling of the ACK notification", " * rtw89: reset IDMEM mode to prevent download firmware failure (LP: #2077396)", " - wifi: rtw89: 885xb: reset IDMEM mode to prevent download firmware failure", " * CVE-2024-43858", " - jfs: Fix array-index-out-of-bounds in diFree", " * CVE-2024-42280", " - mISDN: Fix a use after free in hfcmulti_tx()", " * CVE-2024-42271", " - net/iucv: fix use after free in iucv_sock_close()", " * [Ubuntu-24.04] FADump with recommended crash size is making 
the L1 hang", " (LP: #2060039)", " - powerpc/64s/radix/kfence: map __kfence_pool at page granularity", " * Noble update: upstream stable patchset 2024-09-09 (LP: #2079945)", " - ocfs2: add bounds checking to ocfs2_check_dir_entry()", " - jfs: don't walk off the end of ealist", " - fs/ntfs3: Add a check for attr_names and oatbl", " - fs/ntfs3: Validate ff offset", " - usb: gadget: midi2: Fix incorrect default MIDI2 protocol setup", " - ALSA: hda/realtek: Enable headset mic on Positivo SU C1400", " - ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360", " - arm64: dts: qcom: qrb4210-rb2: switch I2C2 to i2c-gpio", " - arm64: dts: qcom: msm8996: Disable SS instance in Parkmode for USB", " - arm64: dts: qcom: sm6350: Disable SS instance in Parkmode for USB", " - arm64: dts: qcom: ipq6018: Disable SS instance in Parkmode for USB", " - arm64: dts: qcom: sdm630: Disable SS instance in Parkmode for USB", " - ALSA: pcm_dmaengine: Don't synchronize DMA channel when DMA is paused", " - ALSA: seq: ump: Skip useless ports for static blocks", " - filelock: Fix fcntl/close race recovery compat path", " - tun: add missing verification for short frame", " - tap: add missing verification for short frame", " - s390/mm: Fix VM_FAULT_HWPOISON handling in do_exception()", " - ALSA: hda/tas2781: Add new quirk for Lenovo Hera2 Laptop", " - arm64: dts: qcom: sc7180: Disable SuperSpeed instances in park mode", " - arm64: dts: qcom: sc7280: Disable SuperSpeed instances in park mode", " - arm64: dts: qcom: qrb2210-rb1: switch I2C2 to i2c-gpio", " - arm64: dts: qcom: msm8998: Disable SS instance in Parkmode for USB", " - arm64: dts: qcom: ipq8074: Disable SS instance in Parkmode for USB", " - arm64: dts: qcom: sdm845: Disable SS instance in Parkmode for USB", " - Upstream stable to v6.6.43, v6.9.12", " * Noble update: upstream stable patchset 2024-09-02 (LP: #2078304)", " - filelock: Remove locks reliably when fcntl/close race is detected", " - scsi: core: alua: I/O errors 
for ALUA state transitions", " - scsi: sr: Fix unintentional arithmetic wraparound", " - scsi: qedf: Don't process stag work during unload and recovery", " - scsi: qedf: Wait for stag work during unload", " - scsi: qedf: Set qed_slowpath_params to zero before use", " - efi/libstub: zboot.lds: Discard .discard sections", " - ACPI: EC: Abort address space access upon error", " - ACPI: EC: Avoid returning AE_OK on errors in address space handler", " - tools/power/cpupower: Fix Pstate frequency reporting on AMD Family 1Ah CPUs", " - wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata", " - wifi: mac80211: apply mcast rate only if interface is up", " - wifi: mac80211: handle tasklet frames before stopping", " - wifi: cfg80211: fix 6 GHz scan request building", " - wifi: iwlwifi: mvm: d3: fix WoWLAN command version lookup", " - wifi: iwlwifi: mvm: remove stale STA link data during restart", " - wifi: iwlwifi: mvm: Handle BIGTK cipher in kek_kck cmd", " - wifi: iwlwifi: mvm: handle BA session teardown in RF-kill", " - wifi: iwlwifi: mvm: properly set 6 GHz channel direct probe option", " - wifi: iwlwifi: mvm: Fix scan abort handling with HW rfkill", " - wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan()", " - selftests: cachestat: Fix build warnings on ppc64", " - selftests/openat2: Fix build warnings on ppc64", " - selftests/futex: pass _GNU_SOURCE without a value to the compiler", " - of/irq: Factor out parsing of interrupt-map parent phandle+args from", " of_irq_parse_raw()", " - Input: silead - Always support 10 fingers", " - net: ipv6: rpl_iptunnel: block BH in rpl_output() and rpl_input()", " - ila: block BH in ila_output()", " - arm64: armv8_deprecated: Fix warning in isndep cpuhp starting process", " - null_blk: fix validation of block size", " - kconfig: gconf: give a proper initial state to the Save button", " - kconfig: remove wrong expr_trans_bool()", " - input: Add event code for accessibility key", " - input: Add support for 
\"Do Not Disturb\"", " - HID: Ignore battery for ELAN touchscreens 2F2C and 4116", " - NFSv4: Fix memory leak in nfs4_set_security_label", " - nfs: propagate readlink errors in nfs_symlink_filler", " - nfs: Avoid flushing many pages with NFS_FILE_SYNC", " - nfs: don't invalidate dentries on transient errors", " - cachefiles: add consistency check for copen/cread", " - cachefiles: Set object to close if ondemand_id < 0 in copen", " - cachefiles: make on-demand read killable", " - fs/file: fix the check in find_next_fd()", " - mei: demote client disconnect warning on suspend to debug", " - iomap: Fix iomap_adjust_read_range for plen calculation", " - drm/exynos: dp: drop driver owner initialization", " - drm: panel-orientation-quirks: Add quirk for Aya Neo KUN", " - drm/mediatek: Call drm_atomic_helper_shutdown() at shutdown time", " - nvme: avoid double free special payload", " - nvmet: always initialize cqe.result", " - ALSA: hda: cs35l56: Fix lifecycle of codec pointer", " - wifi: cfg80211: wext: add extra SIOCSIWSCAN data check", " - ALSA: hda/realtek: Support Lenovo Thinkbook 16P Gen 5", " - KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()", " - drm/vmwgfx: Fix missing HYPERVISOR_GUEST dependency", " - ALSA: hda/realtek: Add more codec ID to no shutup pins list", " - spi: Fix OCTAL mode support", " - cpumask: limit FORCE_NR_CPUS to just the UP case", " - [Config] Remove FORCE_NR_CPUS", " - selftests: openvswitch: Set value to nla flags.", " - drm/amdgpu: Indicate CU havest info to CP", " - ALSA: hda: cs35l56: Select SERIAL_MULTI_INSTANTIATE", " - mips: fix compat_sys_lseek syscall", " - Input: elantech - fix touchpad state on resume for Lenovo N24", " - Input: i8042 - add Ayaneo Kun to i8042 quirk table", " - ASoC: rt722-sdca-sdw: add silence detection register as volatile", " - Input: xpad - add support for ASUS ROG RAIKIRI PRO", " - ASoC: topology: Fix references to freed memory", " - ASoC: topology: Do not assign fields that are already 
set", " - bytcr_rt5640 : inverse jack detect for Archos 101 cesium", " - ALSA: dmaengine: Synchronize dma channel after drop()", " - ASoC: ti: davinci-mcasp: Set min period size using FIFO config", " - ASoC: ti: omap-hdmi: Fix too long driver name", " - ASoC: SOF: sof-audio: Skip unprepare for in-use widgets on error rollback", " - ASoC: rt722-sdca-sdw: add debounce time for type detection", " - nvme: fix NVME_NS_DEAC may incorrectly identifying the disk as EXT_LBA.", " - Input: ads7846 - use spi_device_id table", " - can: kvaser_usb: fix return value for hif_usb_send_regout", " - gpio: pca953x: fix pca953x_irq_bus_sync_unlock race", " - octeontx2-pf: Fix coverity and klockwork issues in octeon PF driver", " - s390/sclp: Fix sclp_init() cleanup on failure", " - platform/mellanox: nvsw-sn2201: Add check for platform_device_add_resources", " - platform/x86: wireless-hotkey: Add support for LG Airplane Button", " - platform/x86: lg-laptop: Remove LGEX0815 hotkey handling", " - platform/x86: lg-laptop: Change ACPI device id", " - platform/x86: lg-laptop: Use ACPI device handle when evaluating WMAB/WMBB", " - btrfs: qgroup: fix quota root leak after quota disable failure", " - ibmvnic: Add tx check to prevent skb leak", " - ALSA: PCM: Allow resume only for suspended streams", " - ALSA: hda/relatek: Enable Mute LED on HP Laptop 15-gw0xxx", " - ALSA: dmaengine_pcm: terminate dmaengine before synchronize", " - ASoC: amd: yc: Fix non-functional mic on ASUS M5602RA", " - net: usb: qmi_wwan: add Telit FN912 compositions", " - net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and", " DEV_STATS_ADD()", " - powerpc/pseries: Whitelist dtl slub object for copying to userspace", " - powerpc/eeh: avoid possible crash when edev->pdev changes", " - scsi: libsas: Fix exp-attached device scan after probe failure scanned in", " again after probe failed", " - tee: optee: ffa: Fix missing-field-initializers warning", " - Bluetooth: hci_core: cancel all works upon 
hci_unregister_dev()", " - Bluetooth: btnxpuart: Enable Power Save feature on startup", " - bluetooth/l2cap: sync sock recv cb and release", " - erofs: ensure m_llen is reset to 0 if metadata is invalid", " - drm/amd/display: Add refresh rate range check", " - drm/amd/display: Account for cursor prefetch BW in DML1 mode support", " - drm/amd/display: Fix refresh rate range for some panel", " - drm/radeon: check bo_va->bo is non-NULL before using it", " - fs: better handle deep ancestor chains in is_subdir()", " - wifi: iwlwifi: properly set WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK", " - drivers/perf: riscv: Reset the counter to hpmevent mapping while starting", " cpus", " - riscv: stacktrace: fix usage of ftrace_graph_ret_addr()", " - spi: imx: Don't expect DMA for i.MX{25,35,50,51,53} cspi devices", " - ksmbd: return FILE_DEVICE_DISK instead of super magic", " - ASoC: SOF: Intel: hda-pcm: Limit the maximum number of periods by", " MAX_BDL_ENTRIES", " - selftest/timerns: fix clang build failures for abs() calls", " - selftests/vDSO: fix clang build errors and warnings", " - hfsplus: fix uninit-value in copy_name", " - selftests/bpf: Extend tcx tests to cover late tcx_entry release", " - spi: mux: set ctlr->bits_per_word_mask", " - ALSA: hda: Use imply for suggesting CONFIG_SERIAL_MULTI_INSTANTIATE", " - [Config] Update CONFIG_SERIAL_MULTI_INSTANTIATE", " - cifs: fix noisy message on copy_file_range", " - Bluetooth: L2CAP: Fix deadlock", " - of/irq: Disable \"interrupt-map\" parsing for PASEMI Nemo", " - wifi: cfg80211: wext: set ssids=NULL for passive scans", " - wifi: mac80211: disable softirqs for queued frame handling", " - wifi: iwlwifi: mvm: don't wake up rx_sync_waitq upon RFKILL", " - cachefiles: fix slab-use-after-free in fscache_withdraw_volume()", " - cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()", " - btrfs: ensure fast fsync waits for ordered extents after a write failure", " - PNP: Hide pnp_bus_type from the non-PNP code", " - ACPI: AC: 
Properly notify powermanagement core about changes", " - selftests/overlayfs: Fix build error on ppc64", " - nvme-fabrics: use reserved tag for reg read/write command", " - LoongArch: Fix GMAC's phy-mode definitions in dts", " - io_uring: fix possible deadlock in io_register_iowq_max_workers()", " - vfio: Create vfio_fs_type with inode per device", " - vfio/pci: Use unmap_mapping_range()", " - parport: amiga: Mark driver struct with __refdata to prevent section", " mismatch", " - drm: renesas: shmobile: Call drm_atomic_helper_shutdown() at shutdown time", " - vfio/pci: Insert full vma on mmap'd MMIO fault", " - ALSA: hda: cs35l41: Support Lenovo Thinkbook 16P Gen 5", " - ALSA: hda: cs35l41: Support Lenovo Thinkbook 13x Gen 4", " - ALSA: hda/realtek: Support Lenovo Thinkbook 13x Gen 4", " - wifi: mac80211: Avoid address calculations via out of bounds array indexing", " - drm/amd/display: change dram_clock_latency to 34us for dcn35", " - closures: Change BUG_ON() to WARN_ON()", " - ASoC: codecs: ES8326: Solve headphone detection issue", " - ASoC: Intel: avs: Fix route override", " - net: mvpp2: fill-in dev_port attribute", " - btrfs: scrub: handle RST lookup error correctly", " - clk: qcom: apss-ipq-pll: remove 'config_ctl_hi_val' from Stromer pll configs", " - drm/amd/display: Update efficiency bandwidth for dcn351", " - drm/amd/display: Fix array-index-out-of-bounds in dml2/FCLKChangeSupport", " - btrfs: fix uninitialized return value in the ref-verify tool", " - spi: davinci: Unset POWERDOWN bit when releasing resources", " - mm: page_ref: remove folio_try_get_rcu()", " - ALSA: hda: cs35l41: Fix swapped l/r audio channels for Lenovo ThinBook 13x", " Gen4", " - netfs, fscache: export fscache_put_volume() and add fscache_try_get_volume()", " - Upstream stable to v6.6.42, v6.9.11", " * CVE-2024-27022", " - Revert \"Revert \"fork: defer linking file vma until vma is fully", " initialized\"\"", " * UBSAN: array-index-out-of-bounds in /build/linux-Z1RxaK/linux-", " 
6.8.0/drivers/gpu/drm/amd/amdgpu/../pm/powerplay/hwmgr/processpptables.c:124", " 9:61 (LP: #2078041)", " - drm/amdgpu/pptable: convert some variable sized arrays to [] style", " - drm/amdgpu: convert some variable sized arrays to [] style", " - drm/amdgpu/pptable: Fix UBSAN array-index-out-of-bounds", " * alsa: Headphone and Speaker couldn't output sound intermittently", " (LP: #2077690)", " - ALSA: hda/realtek - Fixed ALC256 headphone no sound", " - ALSA: hda/realtek - FIxed ALC285 headphone no sound", " * Fix ethernet performance on JSL and EHL (LP: #2077858)", " - intel_idle: Disable promotion to C1E on Jasper Lake and Elkhart Lake", " * Noble update: upstream stable patchset 2024-08-29 (LP: #2078289)", " - Revert \"usb: xhci: prevent potential failure in handle_tx_event() for", " Transfer events without TRB\"", " - Compiler Attributes: Add __uninitialized macro", " - mm: prevent derefencing NULL ptr in pfn_section_valid()", " - scsi: ufs: core: Fix ufshcd_clear_cmd racing issue", " - scsi: ufs: core: Fix ufshcd_abort_one racing issue", " - vfio/pci: Init the count variable in collecting hot-reset devices", " - cachefiles: propagate errors from vfs_getxattr() to avoid infinite loop", " - cachefiles: stop sending new request when dropping object", " - cachefiles: cancel all requests for the object that is being dropped", " - cachefiles: wait for ondemand_object_worker to finish when dropping object", " - cachefiles: cyclic allocation of msg_id to avoid reuse", " - cachefiles: add missing lock protection when polling", " - dsa: lan9303: Fix mapping between DSA port number and PHY address", " - filelock: fix potential use-after-free in posix_lock_inode", " - fs/dcache: Re-use value stored to dentry->d_flags instead of re-reading", " - vfs: don't mod negative dentry count when on shrinker list", " - net: bcmasp: Fix error code in probe()", " - tcp: fix incorrect undo caused by DSACK of TLP retransmit", " - bpf: Fix too early release of tcx_entry", " - net: phy: 
microchip: lan87xx: reinit PHY after cable test", " - skmsg: Skip zero length skb in sk_msg_recvmsg", " - octeontx2-af: Fix incorrect value output on error path in", " rvu_check_rsrc_availability()", " - net: fix rc7's __skb_datagram_iter()", " - i40e: Fix XDP program unloading while removing the driver", " - net: ethernet: lantiq_etop: fix double free in detach", " - bpf: fix order of args in call to bpf_map_kvcalloc", " - bpf: make timer data struct more generic", " - bpf: replace bpf_timer_init with a generic helper", " - bpf: Fail bpf_timer_cancel when callback is being cancelled", " - net: ethernet: mtk-star-emac: set mac_managed_pm when probing", " - ppp: reject claimed-as-LCP but actually malformed packets", " - ethtool: netlink: do not return SQI value if link is down", " - udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().", " - net, sunrpc: Remap EPERM in case of connection failure in", " xs_tcp_setup_socket", " - s390: Mark psw in __load_psw_mask() as __unitialized", " - arm64: dts: qcom: sc8180x: Fix LLCC reg property again", " - firmware: cs_dsp: Fix overflow checking of wmfw header", " - firmware: cs_dsp: Return error if block header overflows file", " - firmware: cs_dsp: Validate payload length before processing block", " - firmware: cs_dsp: Prevent buffer overrun when processing V2 alg headers", " - ASoC: SOF: Intel: hda: fix null deref on system suspend entry", " - firmware: cs_dsp: Use strnlen() on name fields in V1 wmfw files", " - ARM: davinci: Convert comma to semicolon", " - octeontx2-af: replace cpt slot with lf id on reg write", " - octeontx2-af: fix a issue with cpt_lf_alloc mailbox", " - octeontx2-af: fix detection of IP layer", " - octeontx2-af: fix issue with IPv6 ext match for RSS", " - octeontx2-af: fix issue with IPv4 match for RSS", " - cifs: fix setting SecurityFlags to true", " - Revert \"sched/fair: Make sure to try to detach at least one movable task\"", " - tcp: avoid too many retransmit packets", " - net: ks8851: Fix 
deadlock with the SPI chip variant", " - net: ks8851: Fix potential TX stall after interface reopen", " - USB: serial: option: add Telit generic core-dump composition", " - USB: serial: option: add Telit FN912 rmnet compositions", " - USB: serial: option: add Fibocom FM350-GL", " - USB: serial: option: add support for Foxconn T99W651", " - USB: serial: option: add Netprisma LCUK54 series modules", " - USB: serial: option: add Rolling RW350-GL variants", " - USB: serial: mos7840: fix crash on resume", " - USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k", " - usb: dwc3: pci: add support for the Intel Panther Lake", " - usb: gadget: configfs: Prevent OOB read/write in usb_string_copy()", " - USB: core: Fix duplicate endpoint bug by clearing reserved bits in the", " descriptor", " - misc: microchip: pci1xxxx: Fix return value of nvmem callbacks", " - hpet: Support 32-bit userspace", " - xhci: always resume roothubs if xHC was reset during resume", " - s390/mm: Add NULL pointer check to crst_table_free() base_crst_free()", " - mm: vmalloc: check if a hash-index is in cpu_possible_mask", " - mm/filemap: skip to create PMD-sized page cache if needed", " - mm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray", " - ksmbd: discard write access to the directory open", " - iio: trigger: Fix condition for own trigger", " - arm64: dts: qcom: sa8775p: Correct IRQ number of EL2 non-secure physical", " timer", " - arm64: dts: qcom: sc8280xp-x13s: fix touchscreen power on", " - nvmem: rmem: Fix return value of rmem_read()", " - nvmem: meson-efuse: Fix return value of nvmem callbacks", " - nvmem: core: only change name to fram for current attribute", " - platform/x86: toshiba_acpi: Fix array out-of-bounds access", " - tty: serial: ma35d1: Add a NULL check for of_node", " - ALSA: hda/realtek: add quirk for Clevo V5[46]0TU", " - ALSA: hda/realtek: Enable Mute LED on HP 250 G7", " - ALSA: hda/realtek: Limit mic boost on VAIO PRO PX", " - Fix userfaultfd_api to return EINVAL 
as expected", " - pmdomain: qcom: rpmhpd: Skip retention level for Power Domains", " - libceph: fix race between delayed_work() and ceph_monc_stop()", " - ACPI: processor_idle: Fix invalid comparison with insertion sort for latency", " - cpufreq: ACPI: Mark boost policy as enabled when setting boost", " - cpufreq: Allow drivers to advertise boost enabled", " - wireguard: selftests: use acpi=off instead of -no-acpi for recent QEMU", " - wireguard: allowedips: avoid unaligned 64-bit memory accesses", " - wireguard: queueing: annotate intentional data race in cpu round robin", " - wireguard: send: annotate intentional data race in checking empty queue", " - misc: fastrpc: Fix DSP capabilities request", " - misc: fastrpc: Avoid updating PD type for capability request", " - misc: fastrpc: Copy the complete capability structure to user", " - misc: fastrpc: Fix memory leak in audio daemon attach operation", " - misc: fastrpc: Fix ownership reassignment of remote heap", " - misc: fastrpc: Restrict untrusted app to attach to privileged PD", " - mm/shmem: disable PMD-sized page cache if needed", " - mm/damon/core: merge regions aggressively when max_nr_regions is unmet", " - selftests/net: fix gro.c compilation failure due to non-existent", " opt_ipproto_off", " - ext4: avoid ptr null pointer dereference", " - sched: Move psi_account_irqtime() out of update_rq_clock_task() hotpath", " - i2c: rcar: bring hardware to known state when probing", " - i2c: mark HostNotify target address as used", " - i2c: rcar: ensure Gen3+ reset does not disturb local targets", " - i2c: testunit: avoid re-issued work after read message", " - i2c: rcar: clear NO_RXDMA flag after resetting", " - x86/bhi: Avoid warning in #DB handler due to BHI mitigation", " - kbuild: Make ld-version.sh more robust against version string changes", " - spi: axi-spi-engine: fix sleep calculation", " - minixfs: Fix minixfs_rename with HIGHMEM", " - bpf: Defer work in bpf_timer_cancel_and_free", " - netfilter: 
nf_tables: prefer nft_chain_validate", " - arm64: dts: qcom: x1e80100-*: Allocate some CMA buffers", " - arm64: dts: qcom: sm6115: add iommu for sdhc_1", " - arm64: dts: qcom: qdu1000: Fix LLCC reg property", " - net: ethtool: Fix RSS setting", " - nilfs2: fix kernel bug on rename operation of broken directory", " - cachestat: do not flush stats in recency check", " - mm: fix crashes from deferred split racing folio migration", " - nvmem: core: limit cell sysfs permissions to main attribute ones", " - serial: imx: ensure RTS signal is not left active after shutdown", " - mmc: sdhci: Fix max_seg_size for 64KiB PAGE_SIZE", " - mmc: davinci_mmc: Prevent transmitted data size from exceeding sgm's length", " - mm/readahead: limit page cache size in page_cache_ra_order()", " - Revert \"dt-bindings: cache: qcom,llcc: correct QDU1000 reg entries\"", " - sched/deadline: Fix task_struct reference leak", " - Upstream stable to v6.6.40, v6.6.41, v6.9.10", " * [SRU][HPE 24.04] Intel FVL NIC FW flash fails with inbox driver, causing", " driver not detected (LP: #2076675) // Noble update: upstream stable patchset", " 2024-08-29 (LP: #2078289)", " - i40e: fix: remove needless retries of NVM update", " * CVE-2024-41022", " - drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()", " * Deadlock occurs while suspending md raid (LP: #2073695)", " - md: change the return value type of md_write_start to void", " - md: fix deadlock between mddev_suspend and flush bio", " * Lenovo X12 Detachable Gen 2 unresponsive under light load (LP: #2076361)", " - drm/i915: Enable Wa_16019325821", " - drm/i915/guc: Add support for w/a KLVs", " - drm/i915/guc: Enable Wa_14019159160", " * Regression: unable to reach low idle states on Tiger Lake (LP: #2072679)", " - SAUCE: PCI: ASPM: Allow OS to configure ASPM where BIOS is incapable of", " - SAUCE: PCI: vmd: Let OS control ASPM for devices under VMD domain", " * Noble update: upstream stable patchset 2024-08-22 (LP: #2077600)", " - 
locking/mutex: Introduce devm_mutex_init()", " - leds: an30259a: Use devm_mutex_init() for mutex initialization", " - crypto: hisilicon/debugfs - Fix debugfs uninit process issue", " - drm/lima: fix shared irq handling on driver remove", " - powerpc: Avoid nmi_enter/nmi_exit in real mode interrupt.", " - media: dvb: as102-fe: Fix as10x_register_addr packing", " - media: dvb-usb: dib0700_devices: Add missing release_firmware()", " - IB/core: Implement a limit on UMAD receive List", " - scsi: qedf: Make qedf_execute_tmf() non-preemptible", " - selftests/bpf: adjust dummy_st_ops_success to detect additional error", " - selftests/bpf: do not pass NULL for non-nullable params in dummy_st_ops", " - selftests/bpf: dummy_st_ops should reject 0 for non-nullable params", " - RISC-V: KVM: Fix the initial sample period value", " - crypto: aead,cipher - zeroize key buffer after use", " - media: mediatek: vcodec: Only free buffer VA that is not NULL", " - drm/amdgpu: Fix uninitialized variable warnings", " - drm/amdgpu: Initialize timestamp for some legacy SOCs", " - drm/amd/display: Check index msg_id before read or write", " - drm/amd/display: Check pipe offset before setting vblank", " - drm/amd/display: Skip finding free audio for unknown engine_id", " - drm/amd/display: Fix uninitialized variables in DM", " - drm/amdgpu: fix uninitialized scalar variable warning", " - drm/amdgpu: fix the warning about the expression (int)size - len", " - media: dw2102: Don't translate i2c read into write", " - riscv: Apply SiFive CIP-1200 workaround to single-ASID sfence.vma", " - sctp: prefer struct_size over open coded arithmetic", " - firmware: dmi: Stop decoding on broken entry", " - Input: ff-core - prefer struct_size over open coded arithmetic", " - wifi: mt76: replace skb_put with skb_put_zero", " - wifi: mt76: mt7996: add sanity checks for background radar trigger", " - thermal/drivers/mediatek/lvts_thermal: Check NULL ptr on lvts_data", " - media: dvb-frontends: tda18271c2dd: 
Remove casting during div", " - media: s2255: Use refcount_t instead of atomic_t for num_channels", " - media: dvb-frontends: tda10048: Fix integer overflow", " - i2c: i801: Annotate apanel_addr as __ro_after_init", " - powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for CONFIG_PCI=n", " - orangefs: fix out-of-bounds fsid access", " - kunit: Fix timeout message", " - powerpc/xmon: Check cpu id in commands \"c#\", \"dp#\" and \"dx#\"", " - selftests/net: fix uninitialized variables", " - igc: fix a log entry using uninitialized netdev", " - bpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD", " - serial: imx: Raise TX trigger level to 8", " - jffs2: Fix potential illegal address access in jffs2_free_inode", " - s390/pkey: Wipe sensitive data on failure", " - btrfs: scrub: initialize ret in scrub_simple_mirror() to fix compilation", " warning", " - cdrom: rearrange last_media_change check to avoid unintentional overflow", " - tools/power turbostat: Remember global max_die_id", " - vhost: Use virtqueue mutex for swapping worker", " - vhost: Release worker mutex during flushes", " - vhost_task: Handle SIGKILL by flushing work and exiting", " - mac802154: fix time calculation in ieee802154_configure_durations()", " - net: phy: phy_device: Fix PHY LED blinking code comment", " - UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open()", " - net/mlx5: E-switch, Create ingress ACL when needed", " - net/mlx5e: Add mqprio_rl cleanup and free in mlx5e_priv_cleanup()", " - Bluetooth: hci_event: Fix setting of unicast qos interval", " - Bluetooth: Ignore too large handle values in BIG", " - Bluetooth: ISO: Check socket flag instead of hcon", " - bluetooth/hci: disallow setting handle bigger than HCI_CONN_HANDLE_MAX", " - KVM: s390: fix LPSWEY handling", " - e1000e: Fix S0ix residency on corporate systems", " - gpiolib: of: fix lookup quirk for MIPS Lantiq", " - net: allow skb_datagram_iter to be called from any context", " - net: txgbe: initialize 
num_q_vectors for MSI/INTx interrupts", " - net: ntb_netdev: Move ntb_netdev_rx_handler() to call netif_rx() from", " __netif_rx()", " - gpio: mmio: do not calculate bgpio_bits via \"ngpios\"", " - wifi: wilc1000: fix ies_len type in connect path", " - riscv: kexec: Avoid deadlock in kexec crash path", " - netfilter: nf_tables: unconditionally flush pending work before notifier", " - bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()", " - selftests: fix OOM in msg_zerocopy selftest", " - selftests: make order checking verbose in msg_zerocopy selftest", " - inet_diag: Initialize pad field in struct inet_diag_req_v2", " - mlxsw: core_linecards: Fix double memory deallocation in case of invalid INI", " file", " - gpiolib: of: add polarity quirk for TSC2005", " - cpu: Fix broken cmdline \"nosmp\" and \"maxcpus=0\"", " - platform/x86: toshiba_acpi: Fix quickstart quirk handling", " - Revert \"igc: fix a log entry using uninitialized netdev\"", " - nilfs2: fix inode number range checks", " - nilfs2: add missing check for inode numbers on directory entries", " - mm: optimize the redundant loop of mm_update_owner_next()", " - mm: avoid overflows in dirty throttling logic", " - btrfs: fix adding block group to a reclaim list and the unused list during", " reclaim", " - scsi: mpi3mr: Use proper format specifier in mpi3mr_sas_port_add()", " - Bluetooth: hci_bcm4377: Fix msgid release", " - Bluetooth: qca: Fix BT enable failure again for QCA6390 after warm reboot", " - can: kvaser_usb: Explicitly initialize family in leafimx driver_info struct", " - fsnotify: Do not generate events for O_PATH file descriptors", " - Revert \"mm/writeback: fix possible divide-by-zero in wb_dirty_limits(),", " again\"", " - drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes", " - drm/amdgpu/atomfirmware: silence UBSAN warning", " - drm: panel-orientation-quirks: Add quirk for Valve Galileo", " - clk: qcom: gcc-ipq9574: Add BRANCH_HALT_VOTED flag", " - clk: 
sunxi-ng: common: Don't call hw_to_ccu_common on hw without common", " - powerpc/pseries: Fix scv instruction crash with kexec", " - powerpc/64s: Fix unnecessary copy to 0 when kernel is booted at address 0", " - mtd: rawnand: Ensure ECC configuration is propagated to upper layers", " - mtd: rawnand: Fix the nand_read_data_op() early check", " - mtd: rawnand: Bypass a couple of sanity checks during NAND identification", " - mtd: rawnand: rockchip: ensure NVDDR timings are rejected", " - net: stmmac: dwmac-qcom-ethqos: fix error array size", " - arm64: dts: rockchip: Fix the DCDC_REG2 minimum voltage on Quartz64 Model B", " - media: dw2102: fix a potential buffer overflow", " - clk: qcom: gcc-sm6350: Fix gpll6* & gpll7 parents", " - clk: qcom: clk-alpha-pll: set ALPHA_EN bit for Stromer Plus PLLs", " - clk: mediatek: mt8183: Only enable runtime PM on mt8183-mfgcfg", " - i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr", " - fs/ntfs3: Mark volume as dirty if xattr is broken", " - ALSA: hda/realtek: Enable headset mic of JP-IK LEAP W502 with ALC897", " - vhost-scsi: Handle vhost_vq_work_queue failures for events", " - nvme-multipath: find NUMA path only for online numa-node", " - dma-mapping: benchmark: avoid needless copy_to_user if benchmark fails", " - connector: Fix invalid conversion in cn_proc.h", " - nvme: adjust multiples of NVME_CTRL_PAGE_SIZE in offset", " - regmap-i2c: Subtract reg size from max_write", " - platform/x86: touchscreen_dmi: Add info for GlobalSpace SolT IVW 11.6\"", " tablet", " - platform/x86: touchscreen_dmi: Add info for the EZpad 6s Pro", " - nvmet: fix a possible leak when destroy a ctrl during qp establishment", " - kbuild: fix short log for AS in link-vmlinux.sh", " - nfc/nci: Add the inconsistency check between the input data length and count", " - spi: cadence: Ensure data lines set to low during dummy-cycle period", " - ALSA: ump: Set default protocol when not given explicitly", " - drm/amdgpu: silence UBSAN 
warning", " - null_blk: Do not allow runt zone with zone capacity smaller then zone size", " - nilfs2: fix incorrect inode allocation from reserved inodes", " - leds: mlxreg: Use devm_mutex_init() for mutex initialization", " - net: dql: Avoid calling BUG() when WARN() is enough", " - drm/xe: Add outer runtime_pm protection to xe_live_ktest@xe_dma_buf", " - bpf: mark bpf_dummy_struct_ops.test_1 parameter as nullable", " - drm/amdgpu: fix double free err_addr pointer warnings", " - drm/amd/display: Fix overlapping copy within dml_core_mode_programming", " - drm/amd/display: update pipe topology log to support subvp", " - drm/amd/display: Do not return negative stream id for array", " - drm/amd/display: ASSERT when failing to find index by plane/stream id", " - usb: xhci: prevent potential failure in handle_tx_event() for Transfer", " events without TRB", " - media: i2c: st-mipid02: Use the correct div function", " - media: tc358746: Use the correct div_ function", " - crypto: hisilicon/sec2 - fix for register offset", " - s390/pkey: Use kfree_sensitive() to fix Coccinelle warnings", " - s390/pkey: Wipe copies of clear-key structures on failure", " - s390/pkey: Wipe copies of protected- and secure-keys", " - wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values", " - wifi: mac80211: fix BSS_CHANGED_UNSOL_BCAST_PROBE_RESP", " - net: txgbe: remove separate irq request for MSI and INTx", " - net: txgbe: add extra handle for MSI/INTx into thread irq handle", " - net: txgbe: free isb resources at the right time", " - btrfs: always do the basic checks for btrfs_qgroup_inherit structure", " - net: phy: aquantia: add missing include guards", " - drm/fbdev-generic: Fix framebuffer on big endian devices", " - net: stmmac: enable HW-accelerated VLAN stripping for gmac4 only", " - net: rswitch: Avoid use-after-free in rswitch_poll()", " - ice: use proper macro for testing bit", " - drm/xe/mcr: Avoid clobbering DSS steering", " - tcp: Don't flag tcp_sk(sk)->rx_opt.saw_unknown 
for TCP AO.", " - btrfs: zoned: fix calc_available_free_space() for zoned mode", " - btrfs: fix folio refcount in __alloc_dummy_extent_buffer()", " - Bluetooth: Add quirk to ignore reserved PHY bits in LE Extended Adv Report", " - drm/xe: fix error handling in xe_migrate_update_pgtables", " - drm/ttm: Always take the bo delayed cleanup path for imported bos", " - fs: don't misleadingly warn during thaw operations", " - drm/amdkfd: Let VRAM allocations go to GTT domain on small APUs", " - drm/amdgpu: correct hbm field in boot status", " - Upstream stable to v6.6.38, v6.6.39, v6.9.9", " * Panels show garbage or flickering when i915.psr2 enabled (LP: #2069993)", " - SAUCE: drm/i915/display/psr: add a psr2 disable quirk table", " - SAUCE: drm/i915/display/psr: disable psr2 for panel_0x4d_0x10_0x93_0x15", " - SAUCE: drm/i915/display/psr: disable psr2 for panel_0x30_0xe4_0x8b_0x07", " - SAUCE: drm/i915/display/psr: disable psr2 for panel_0x30_0xe4_0x78_0x07", " - SAUCE: drm/i915/display/psr: disable psr2 for panel_0x30_0xe4_0x8c_0x07", " - SAUCE: drm/i915/display/psr: disable psr2 for panel_0x06_0xaf_0x9a_0xf9", " - SAUCE: drm/i915/display/psr: disable psr2 for panel_0x4d_0x10_0x8f_0x15", " - SAUCE: drm/i915/display/psr: disable psr2 for panel_0x06_0xaf_0xa3_0xc3", " * Random flickering with Intel i915 (Gen9 GPUs in 6th-8th gen CPUs) on Linux", " 6.8 (LP: #2062951)", " - SAUCE: iommu/intel: disable DMAR for SKL integrated gfx", " * [SRU][22.04.5]: mpi3mr driver update (LP: #2073583)", " - scsi: mpi3mr: HDB allocation and posting for hardware and firmware buffers", " - scsi: mpi3mr: Trigger support", " - scsi: mpi3mr: Add ioctl support for HDB", " - scsi: mpi3mr: Support PCI Error Recovery callback handlers", " - scsi: mpi3mr: Prevent PCI writes from driver during PCI error recovery", " - scsi: mpi3mr: Driver version update", " * Fix power consumption while using HW accelerated video decode on AMD", " platforms (LP: #2073282)", " - drm/amdgpu/vcn: identify unified queue 
in sw init", " - drm/amdgpu/vcn: not pause dpg for unified queue", " * Noble update: upstream stable patchset 2024-08-09 (LP: #2076435)", " - usb: typec: ucsi: Never send a lone connector change ack", " - usb: typec: ucsi: Ack also failed Get Error commands", " - Input: ili210x - fix ili251x_read_touch_data() return value", " - pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER", " - pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins", " - pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins", " - pinctrl: rockchip: use dedicated pinctrl type for RK3328", " - pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set", " - MIPS: pci: lantiq: restore reset gpio polarity", " - ASoC: rockchip: i2s-tdm: Fix trcm mode by setting clock on right mclk", " - ASoC: mediatek: mt8183-da7219-max98357: Fix kcontrol name collision", " - ASoC: atmel: atmel-classd: Re-add dai_link->platform to fix card init", " - workqueue: Increase worker desc's length to 32", " - ASoC: q6apm-lpass-dai: close graph on prepare errors", " - bpf: Add missed var_off setting in set_sext32_default_val()", " - bpf: Add missed var_off setting in coerce_subreg_to_size_sx()", " - s390/pci: Add missing virt_to_phys() for directed DIBV", " - ASoC: amd: acp: add a null check for chip_pdev structure", " - ASoC: amd: acp: remove i2s configuration check in acp_i2s_probe()", " - ASoC: fsl-asoc-card: set priv->pdev before using it", " - net: dsa: microchip: fix initial port flush problem", " - openvswitch: get related ct labels from its master if it is not confirmed", " - mlxsw: spectrum_buffers: Fix memory corruptions on Spectrum-4 systems", " - ibmvnic: Free any outstanding tx skbs during scrq reset", " - net: phy: micrel: add Microchip KSZ 9477 to the device table", " - net: dsa: microchip: use collision based back pressure mode", " - ice: Rebuild TC queues on VSI queue reconfiguration", " - xdp: Remove WARN() from __xdp_reg_mem_model()", " - netfilter: fix undefined reference to 
'netfilter_lwtunnel_*' when", " CONFIG_SYSCTL=n", " - btrfs: use NOFS context when getting inodes during logging and log replay", " - Fix race for duplicate reqsk on identical SYN", " - ALSA: seq: Fix missing channel at encoding RPN/NRPN MIDI2 messages", " - net: dsa: microchip: fix wrong register write when masking interrupt", " - sparc: fix old compat_sys_select()", " - sparc: fix compat recv/recvfrom syscalls", " - parisc: use correct compat recv/recvfrom syscalls", " - powerpc: restore some missing spu syscalls", " - tcp: fix tcp_rcv_fastopen_synack() to enter TCP_CA_Loss for failed TFO", " - ALSA: seq: Fix missing MSB in MIDI2 SPP conversion", " - netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data", " registers", " - net: mana: Fix possible double free in error handling path", " - drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep", " - vduse: validate block features only with block devices", " - vduse: Temporarily fail if control queue feature requested", " - x86/fpu: Fix AMD X86_BUG_FXSAVE_LEAK fixup", " - mtd: partitions: redboot: Added conversion of operands to a larger type", " - wifi: ieee80211: check for NULL in ieee80211_mle_size_ok()", " - bpf: Mark bpf prog stack with kmsan_unposion_memory in interpreter mode", " - RDMA/restrack: Fix potential invalid address access", " - net/iucv: Avoid explicit cpumask var allocation on stack", " - net/dpaa2: Avoid explicit cpumask var allocation on stack", " - crypto: ecdh - explicitly zeroize private_key", " - ALSA: emux: improve patch ioctl data validation", " - media: dvbdev: Initialize sbuf", " - irqchip/loongson: Select GENERIC_IRQ_EFFECTIVE_AFF_MASK if SMP for", " IRQ_LOONGARCH_CPU", " - soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message", " - gfs2: Fix NULL pointer dereference in gfs2_log_flush", " - drm/radeon/radeon_display: Decrease the size of allocated memory", " - nvme: fixup comment for nvme RDMA Provider Type", " - drm/panel: simple: Add 
missing display timing flags for KOE TX26D202VM0BWA", " - gpio: davinci: Validate the obtained number of IRQs", " - RISC-V: fix vector insn load/store width mask", " - drm/amdgpu: Fix pci state save during mode-1 reset", " - riscv: stacktrace: convert arch_stack_walk() to noinstr", " - gpiolib: cdev: Disallow reconfiguration without direction (uAPI v1)", " - randomize_kstack: Remove non-functional per-arch entropy filtering", " - x86: stop playing stack games in profile_pc()", " - parisc: use generic sys_fanotify_mark implementation", " - Revert \"MIPS: pci: lantiq: restore reset gpio polarity\"", " - pinctrl: qcom: spmi-gpio: drop broken pm8008 support", " - ocfs2: fix DIO failure due to insufficient transaction credits", " - nfs: drop the incorrect assertion in nfs_swap_rw()", " - mm: fix incorrect vbq reference in purge_fragmented_block", " - mmc: sdhci-pci-o2micro: Convert PCIBIOS_* return codes to errnos", " - mmc: sdhci-brcmstb: check R1_STATUS for erase/trim/discard", " - mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos", " - mmc: sdhci: Do not invert write-protect twice", " - mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro()", " - iio: xilinx-ams: Don't include ams_ctrl_channels in scan_mask", " - counter: ti-eqep: enable clock at probe", " - kbuild: doc: Update default INSTALL_MOD_DIR from extra to updates", " - kbuild: Fix build target deb-pkg: ln: failed to create hard link", " - i2c: testunit: don't erase registers after STOP", " - i2c: testunit: discard write requests while old command is running", " - ata: libata-core: Fix null pointer dereference on error", " - ata,scsi: libata-core: Do not leak memory for ata_port struct members", " - iio: adc: ad7266: Fix variable checking bug", " - iio: accel: fxls8962af: select IIO_BUFFER & IIO_KFIFO_BUF", " - iio: chemical: bme680: Fix pressure value output", " - iio: chemical: bme680: Fix calibration data variable", " - iio: chemical: bme680: Fix overflows in compensate() functions", " - iio: 
chemical: bme680: Fix sensor data read operation", " - net: usb: ax88179_178a: improve link status logs", " - usb: gadget: printer: SS+ support", " - usb: gadget: printer: fix races against disable", " - usb: musb: da8xx: fix a resource leak in probe()", " - usb: atm: cxacru: fix endpoint checking in cxacru_bind()", " - usb: dwc3: core: remove lock of otg mode during gadget suspend/resume to", " avoid deadlock", " - usb: gadget: aspeed_udc: fix device address configuration", " - usb: typec: ucsi: glink: fix child node release in probe function", " - usb: ucsi: stm32: fix command completion handling", " - usb: dwc3: core: Add DWC31 version 2.00a controller", " - usb: dwc3: core: Workaround for CSR read timeout", " - Revert \"serial: core: only stop transmit when HW fifo is empty\"", " - serial: 8250_omap: Implementation of Errata i2310", " - serial: imx: set receiver level before starting uart", " - serial: core: introduce uart_port_tx_limited_flags()", " - serial: bcm63xx-uart: fix tx after conversion to uart_port_tx_limited()", " - tty: mcf: MCF54418 has 10 UARTS", " - net: can: j1939: Initialize unused data in j1939_send_one()", " - net: can: j1939: recover socket queue on CAN bus error during BAM", " transmission", " - net: can: j1939: enhanced error handling for tightly received RTS messages", " in xtp_rx_rts_session_new", " - PCI/MSI: Fix UAF in msi_capability_init", " - cpufreq: intel_pstate: Use HWP to initialize ITMT if CPPC is missing", " - irqchip/loongson-eiointc: Use early_cpu_to_node() instead of cpu_to_node()", " - cpu/hotplug: Fix dynstate assignment in __cpuhp_setup_state_cpuslocked()", " - irqchip/loongson-liointc: Set different ISRs for different cores", " - kbuild: Install dtb files as 0644 in Makefile.dtbinst", " - sh: rework sync_file_range ABI", " - btrfs: zoned: fix initial free space detection", " - csky, hexagon: fix broken sys_sync_file_range", " - hexagon: fix fadvise64_64 calling conventions", " - drm/drm_file: Fix pid refcounting race", 
" - drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes", " - drm/fbdev-dma: Only set smem_start is enable per module option", " - drm/amdgpu: avoid using null object of framebuffer", " - drm/i915/gt: Fix potential UAF by revoke of fence registers", " - drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes", " - drm/amd/display: Send DP_TOTAL_LTTPR_CNT during detection if LTTPR is", " present", " - drm/amdgpu/atomfirmware: fix parsing of vram_info", " - batman-adv: Don't accept TT entries for out-of-spec VIDs", " - can: mcp251xfd: fix infinite loop when xmit fails", " - ata: ahci: Clean up sysfs file on error", " - ata: libata-core: Fix double free on error", " - ftruncate: pass a signed offset", " - syscalls: fix compat_sys_io_pgetevents_time64 usage", " - syscalls: fix sys_fanotify_mark prototype", " - Revert \"cpufreq: amd-pstate: Fix the inconsistency in max frequency units\"", " - mm/page_alloc: Separate THP PCP into movable and non-movable categories", " - arm64: dts: rockchip: Fix SD NAND and eMMC init on rk3308-rock-pi-s", " - arm64: dts: rockchip: Rename LED related pinctrl nodes on rk3308-rock-pi-s", " - arm64: dts: rockchip: Fix the value of `dlg,jack-det-rate` mismatch on", " rk3399-gru", " - ARM: dts: rockchip: rk3066a: add #sound-dai-cells to hdmi node", " - arm64: dts: rockchip: make poweroff(8) work on Radxa ROCK 5A", " - arm64: dts: rockchip: fix PMIC interrupt pin on ROCK Pi E", " - arm64: dts: rockchip: Add sound-dai-cells for RK3368", " - cxl/region: Move cxl_dpa_to_region() work to the region driver", " - cxl/region: Avoid null pointer dereference in region lookup", " - cxl/region: check interleave capability", " - serial: imx: only set receiver level if it is zero", " - serial: 8250_omap: Fix Errata i2310 with RX FIFO level check", " - tracing/net_sched: NULL pointer dereference in perf_trace_qdisc_reset()", " - pwm: stm32: Improve precision of calculation in .apply()", " - pwm: stm32: Fix for 
settings using period > UINT32_MAX", " - pwm: stm32: Calculate prescaler with a division instead of a loop", " - pwm: stm32: Refuse too small period requests", " - ASoC: cs42l43: Increase default type detect time and button delay", " - ASoC: amd: acp: move chip->flag variable assignment", " - bonding: fix incorrect software timestamping report", " - mlxsw: pci: Fix driver initialization with Spectrum-4", " - vxlan: Pull inner IP header in vxlan_xmit_one().", " - ASoC: mediatek: mt8195: Add platform entry for ETDM1_OUT_BE dai link", " - af_unix: Stop recv(MSG_PEEK) at consumed OOB skb.", " - af_unix: Don't stop recv(MSG_DONTWAIT) if consumed OOB skb is at the head.", " - af_unix: Don't stop recv() at consumed ex-OOB skb.", " - af_unix: Fix wrong ioctl(SIOCATMARK) when consumed OOB skb is at the head.", " - bpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro()", " - bpf: Take return from set_memory_rox() into account with", " bpf_jit_binary_lock_ro()", " - drm/xe: Fix potential integer overflow in page size calculation", " - drm/xe: Add a NULL check in xe_ttm_stolen_mgr_init", " - drm/amd/display: correct hostvm flag", " - drm/amd/display: Skip pipe if the pipe idx not set properly", " - bpf: Add a check for struct bpf_fib_lookup size", " - drm/xe/xe_devcoredump: Check NULL before assignments", " - iommu/arm-smmu-v3: Do not allow a SVA domain to be set on the wrong PASID", " - evm: Enforce signatures on unsupported filesystem for EVM_INIT_X509", " - drm/xe: Check pat.ops before dumping PAT settings", " - nvmet: do not return 'reserved' for empty TSAS values", " - nvmet: make 'tsas' attribute idempotent for RDMA", " - iommu/amd: Fix GT feature enablement again", " - gpiolib: cdev: Ignore reconfiguration without direction", " - kasan: fix bad call to unpoison_slab_object", " - mm/memory: don't require head page for do_set_pmd()", " - SUNRPC: Fix backchannel reply, again", " - Revert \"usb: gadget: u_ether: Re-attach netif device to mirror 
detachment\"", " - Revert \"usb: gadget: u_ether: Replace netif_stop_queue with", " netif_device_detach\"", " - tty: serial: 8250: Fix port count mismatch with the device", " - tty: mxser: Remove __counted_by from mxser_board.ports[]", " - nvmet-fc: Remove __counted_by from nvmet_fc_tgt_queue.fod[]", " - ata: libata-core: Add ATA_HORKAGE_NOLPM for all Crucial BX SSD1 models", " - bcachefs: Fix sb_field_downgrade validation", " - bcachefs: Fix sb-downgrade validation", " - bcachefs: Fix bch2_sb_downgrade_update()", " - bcachefs: Fix setting of downgrade recovery passes/errors", " - bcachefs: btree_gc can now handle unknown btrees", " - pwm: stm32: Fix calculation of prescaler", " - pwm: stm32: Fix error message to not describe the previous error path", " - cxl/region: Convert cxl_pmem_region_alloc to scope-based resource management", " - cxl/mem: Fix no cxl_nvd during pmem region auto-assembling", " - arm64: dts: rockchip: Fix the i2c address of es8316 on Cool Pi 4B", " - netfs: Fix netfs_page_mkwrite() to check folio->mapping is valid", " - netfs: Fix netfs_page_mkwrite() to flush conflicting data, not wait", " - Upstream stable to v6.6.37, v6.9.8", " * [UBUNTU 22.04] s390/cpum_cf: make crypto counters upward compatible", " (LP: #2074380)", " - s390/cpum_cf: make crypto counters upward compatible across machine types", " * CVE-2024-45016", " - netem: fix return value if duplicate enqueue fails", "" ], "package": "linux-riscv-6.8", "version": "6.8.0-48.48.1~22.04.2", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2082433, 2082434, 2074082, 2082437, 2077470, 2078834, 2077729, 2076866, 2076147, 2070329, 2076406, 2076190, 2077321, 2076402, 2077396, 2060039, 2079945, 2078304, 2078041, 2077690, 2077858, 2078289, 2076675, 2078289, 2073695, 2076361, 2072679, 2077600, 2069993, 2062951, 2073583, 2073282, 2076435, 2074380 ], "author": "Emil Renner Berthing ", "date": "Wed, 16 Oct 2024 20:35:45 +0200" }, { "cves": [ { "cve": "CVE-2024-45016", "url": 
"https://ubuntu.com/security/CVE-2024-45016", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails There is a bug in netem_enqueue() introduced by commit 5845f706388a (\"net: netem: fix skb length BUG_ON in __skb_to_sgvec\") that can lead to a use-after-free. This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for the bug happen: - If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped. - If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped. In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc. 
The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.", "cve_priority": "medium", "cve_public_date": "2024-09-11 16:15:00 UTC" } ], "log": [ "", " * jammy/linux-riscv-6.8: 6.8.0-47.47.1~22.04.1 -proposed tracker", " (LP: #2082114)", "", " [ Ubuntu: 6.8.0-47.47.1 ]", "", " * noble/linux-riscv: 6.8.0-47.47.1 -proposed tracker (LP: #2082115)", " [ Ubuntu: 6.8.0-47.47 ]", " * noble/linux: 6.8.0-47.47 -proposed tracker (LP: #2082118)", " * CVE-2024-45016", " - netem: fix return value if duplicate enqueue fails", "" ], "package": "linux-riscv-6.8", "version": "6.8.0-47.47.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2082114, 2082115, 2082118 ], "author": "Emil Renner Berthing ", "date": "Wed, 09 Oct 2024 17:06:48 +0200" }, { "cves": [ { "cve": "CVE-2024-41009", "url": "https://ubuntu.com/security/CVE-2024-41009", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix overrunning reservations in ringbuf The BPF ring buffer internally is implemented as a power-of-2 sized circular buffer, with two logical and ever-increasing counters: consumer_pos is the consumer counter to show which logical position the consumer consumed the data, and producer_pos which is the producer counter denoting the amount of data reserved by all producers. Each time a record is reserved, the producer that \"owns\" the record will successfully advance producer counter. In user space each time a record is read, the consumer of the data advanced the consumer counter once it finished processing. Both counters are stored in separate pages so that from user space, the producer counter is read-only and the consumer counter is read-write. 
One aspect that simplifies and thus speeds up the implementation of both producers and consumers is how the data area is mapped twice contiguously back-to-back in the virtual memory, allowing to not take any special measures for samples that have to wrap around at the end of the circular buffer data area, because the next page after the last data page would be first data page again, and thus the sample will still appear completely contiguous in virtual memory. Each record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for book-keeping the length and offset, and is inaccessible to the BPF program. Helpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ` for the BPF program to use. Bing-Jhong and Muhammad reported that it is however possible to make a second allocated memory chunk overlapping with the first chunk and as a result, the BPF program is now able to edit first chunk's header. For example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size of 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to bpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in [0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets allocate a chunk B with size 0x3000. This will succeed because consumer_pos was edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask` check. Chunk B will be in range [0x3008,0x6010], and the BPF program is able to edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned earlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data pages. This means that chunk B at [0x4000,0x4008] is chunk A's header. bpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then locate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk B modified chunk A's header, then bpf_ringbuf_commit() refers to the wrong page and could cause a crash. 
Fix it by calculating the oldest pending_pos and check whether the range from the oldest outstanding record to the newest would span beyond the ring buffer size. If that is the case, then reject the request. We've tested with the ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh) before/after the fix and while it seems a bit slower on some benchmarks, it is still not significantly enough to matter.", "cve_priority": "medium", "cve_public_date": "2024-07-17 07:15:00 UTC" }, { "cve": "CVE-2024-42160", "url": "https://ubuntu.com/security/CVE-2024-42160", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: f2fs: check validation of fault attrs in f2fs_build_fault_attr() - It missed to check validation of fault attrs in parse_options(), let's fix to add check condition in f2fs_build_fault_attr(). - Use f2fs_build_fault_attr() in __sbi_store() to clean up code.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-42224", "url": "https://ubuntu.com/security/CVE-2024-42224", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: dsa: mv88e6xxx: Correct check for empty list Since commit a3c53be55c95 (\"net: dsa: mv88e6xxx: Support multiple MDIO busses\") mv88e6xxx_default_mdio_bus() has checked that the return value of list_first_entry() is non-NULL. This appears to be intended to guard against the list chip->mdios being empty. However, it is not the correct check as the implementation of list_first_entry is not designed to return NULL for empty lists. Instead, use list_first_entry_or_null() which does return NULL if the list is empty. Flagged by Smatch. 
Compile tested only.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-42154", "url": "https://ubuntu.com/security/CVE-2024-42154", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp_metrics: validate source addr length I don't see anything checking that TCP_METRICS_ATTR_SADDR_IPV4 is at least 4 bytes long, and the policy doesn't have an entry for this attribute at all (neither does it for IPv6 but v6 is manually validated).", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-42228", "url": "https://ubuntu.com/security/CVE-2024-42228", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. V2: To really improve the handling we would actually need to have a separate value of 0xffffffff.(Christian)", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-42159", "url": "https://ubuntu.com/security/CVE-2024-42159", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Sanitise num_phys Information is stored in mr_sas_port->phy_mask, values larger then size of this field shouldn't be allowed.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" } ], "log": [ "", " * jammy/linux-riscv-6.8: 6.8.0-45.45.1~22.04.1 -proposed tracker", " (LP: #2078096)", "", " [ Ubuntu: 6.8.0-45.45.1 ]", "", " * noble/linux-riscv: 6.8.0-45.45.1 -proposed tracker (LP: #2078097)", " [ Ubuntu: 6.8.0-45.45 ]", " * noble/linux: 6.8.0-45.45 -proposed tracker (LP: #2078100)", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.master/dkms-versions -- update from kernel-versions", " (main/s2024.08.05)", " * Noble update: upstream stable patchset 2024-08-09 (LP: #2076435) 
//", " CVE-2024-41009", " - bpf: Fix overrunning reservations in ringbuf", " * CVE-2024-42160", " - f2fs: check validation of fault attrs in f2fs_build_fault_attr()", " - f2fs: Add inline to f2fs_build_fault_attr() stub", " * Noble update: upstream stable patchset 2024-08-22 (LP: #2077600) //", " CVE-2024-42224", " - net: dsa: mv88e6xxx: Correct check for empty list", " * Noble update: upstream stable patchset 2024-08-22 (LP: #2077600) //", " CVE-2024-42154", " - tcp_metrics: validate source addr length", " * CVE-2024-42228", " - drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc", " * CVE-2024-42159", " - scsi: mpi3mr: Sanitise num_phys", "" ], "package": "linux-riscv-6.8", "version": "6.8.0-45.45.1~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2078096, 2078097, 2078100, 1786013, 2076435, 2077600, 2077600 ], "author": "Roxana Nicolescu ", "date": "Mon, 02 Sep 2024 11:50:42 +0200" } ], "notes": "linux-riscv-6.8-headers-6.8.0-49 version '6.8.0-49.49.1~22.04.1' (source package linux-riscv-6.8 version '6.8.0-49.49.1~22.04.1') was added. linux-riscv-6.8-headers-6.8.0-49 version '6.8.0-49.49.1~22.04.1' has the same source package name, linux-riscv-6.8, as removed package linux-headers-6.8.0-44-generic. As such we can use the source package version of the removed package, '6.8.0-44.44.1~22.04.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." 
}, { "name": "python3-packaging", "from_version": { "source_package_name": null, "source_package_version": null, "version": null }, "to_version": { "source_package_name": "python-packaging", "source_package_version": "21.3-1", "version": "21.3-1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * New upstream version.", "" ], "package": "python-packaging", "version": "21.3-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sat, 27 Nov 2021 09:14:41 +0100" }, { "cves": [], "log": [ "", " * New upstream version.", "" ], "package": "python-packaging", "version": "21.2-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Wed, 17 Nov 2021 17:51:57 +0100" }, { "cves": [], "log": [ "", " * New upstream version.", " * New standards version.", "" ], "package": "python-packaging", "version": "21.0-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Mon, 11 Oct 2021 14:28:40 +0200" } ], "notes": "For a newly added package only the three most recent changelog entries are shown." }, { "name": "u-boot-menu", "from_version": { "source_package_name": null, "source_package_version": null, "version": null }, "to_version": { "source_package_name": "u-boot-menu", "source_package_version": "4.0.4ubuntu1", "version": "4.0.4ubuntu1" }, "cves": [], "launchpad_bugs_fixed": [ 1959241 ], "changes": [ { "cves": [], "log": [ "", " * Merge from Debian unstable. Remaining changes (LP: #1959241):", " - Make default U_BOOT_PARAMETERS to be \"ro earlycon\".", " - Support device-tree/ sub-directory for device-trees. 
", "" ], "package": "u-boot-menu", "version": "4.0.4ubuntu1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1959241 ], "author": "Heinrich Schuchardt ", "date": "Mon, 24 Jan 2022 17:01:33 +0100" }, { "cves": [], "log": [ "", " * taking over as maintainer;", " thanks for your past contributions, Riku Voipio;", " closes: bug#1001568, thanks to Mattia Rizzolo", " * declare compliance with Debian Policy 4.6.0", " * update copyright info:", " + update coverage", " + list Salsa (not Github) for upstream source and preferred contact URIs", "" ], "package": "u-boot-menu", "version": "4.0.4", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Jonas Smedegaard ", "date": "Tue, 14 Dec 2021 13:38:06 +0100" }, { "cves": [], "log": [ "", " * Fix up merge conflicts in the previous upload.", "" ], "package": "u-boot-menu", "version": "4.0.3ubuntu2", "urgency": "medium", "distributions": "impish", "launchpad_bugs_fixed": [], "author": "Dimitri John Ledkov ", "date": "Fri, 07 May 2021 11:10:18 +0100" } ], "notes": "For a newly added package only the three most recent changelog entries are shown." 
} ], "snap": [] }, "removed": { "deb": [ { "name": "linux-headers-6.8.0-44-generic", "from_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-44.44.1~22.04.1", "version": "6.8.0-44.44.1~22.04.1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-image-6.8.0-44-generic", "from_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-44.44.1~22.04.1", "version": "6.8.0-44.44.1~22.04.1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-modules-6.8.0-44-generic", "from_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-44.44.1~22.04.1", "version": "6.8.0-44.44.1~22.04.1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-riscv-6.8-headers-6.8.0-44", "from_version": { "source_package_name": "linux-riscv-6.8", "source_package_version": "6.8.0-44.44.1~22.04.1", "version": "6.8.0-44.44.1~22.04.1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "netplan-generator", "from_version": { "source_package_name": "netplan.io", "source_package_version": "0.107.1-3ubuntu0.22.04.1", "version": "0.107.1-3ubuntu0.22.04.1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "python3-netplan", "from_version": { "source_package_name": "netplan.io", "source_package_version": "0.107.1-3ubuntu0.22.04.1", "version": 
"0.107.1-3ubuntu0.22.04.1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 22.04 jammy image from release image serial 20241004 to 20241206", "from_series": "jammy", "to_series": "jammy", "from_serial": "20241004", "to_serial": "20241206", "from_manifest_filename": "release_manifest.previous", "to_manifest_filename": "manifest.current" }