{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [ "linux-headers-6.8.0-51-generic", "linux-image-6.8.0-51-generic", "linux-modules-6.8.0-51-generic", "linux-riscv-headers-6.8.0-51" ], "removed": [ "linux-headers-6.8.0-49-generic", "linux-image-6.8.0-49-generic", "linux-modules-6.8.0-49-generic", "linux-riscv-headers-6.8.0-49" ], "diff": [ "apport", "apport-core-dump-handler", "bind9-dnsutils", "bind9-host", "bind9-libs:riscv64", "cloud-init", "curl", "dmidecode", "fwupd", "gir1.2-packagekitglib-1.0", "libcurl3t64-gnutls:riscv64", "libcurl4t64:riscv64", "libexpat1:riscv64", "libfwupd2:riscv64", "libgstreamer1.0-0:riscv64", "libmodule-scandeps-perl", "libopeniscsiusr", "libpackagekit-glib2-18:riscv64", "libpython3.12-minimal:riscv64", "libpython3.12-stdlib:riscv64", "libpython3.12t64:riscv64", "libudisks2-0:riscv64", "linux-headers-generic", "linux-headers-virtual", "linux-image-virtual", "linux-virtual", "needrestart", "open-iscsi", "packagekit", "packagekit-tools", "python3-apport", "python3-problem-report", "python3-software-properties", "python3.12", "python3.12-minimal", "snapd", "software-properties-common", "sosreport", "ssh-import-id", "udisks2", "vim", "vim-common", "vim-runtime", "vim-tiny", "xxd" ] } }, "diff": { "deb": [ { "name": "apport", "from_version": { "source_package_name": "apport", "source_package_version": "2.28.1-0ubuntu3.1", "version": "2.28.1-0ubuntu3.1" }, "to_version": { "source_package_name": "apport", "source_package_version": "2.28.1-0ubuntu3.3", "version": "2.28.1-0ubuntu3.3" }, "cves": [], "launchpad_bugs_fixed": [ 2078634, 2073935, 2078695, 1537310, 2073933, 2076186 ], "changes": [ { "cves": [], "log": [ "", " * Depend on gdb-multiarch and python3-psutil for system tests", "" ], "package": "apport", "version": "2.28.1-0ubuntu3.3", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Benjamin Drung ", "date": "Sat, 26 Oct 2024 13:50:11 +0200" }, { "cves": [], "log": 
[ "", " * Remove obsolete apport init.d and bash-completion conffiles (LP: #2078634)", " * recent-syslog: read stdout after process completion (LP: #2073935)", " * package_hook: Handle failures of removed packages (LP: #2078695)", " * Fix hang when cancelling/closing Apport (LP: #1537310)", " * tests:", " - fix wait_for_gdb_sleeping_child_process (LP: #2073933)", " - fix flaky tests waiting for sleep command (LP: #2076186)", "" ], "package": "apport", "version": "2.28.1-0ubuntu3.2", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2078634, 2073935, 2078695, 1537310, 2073933, 2076186 ], "author": "Benjamin Drung ", "date": "Fri, 04 Oct 2024 14:50:27 +0200" } ], "notes": null }, { "name": "apport-core-dump-handler", "from_version": { "source_package_name": "apport", "source_package_version": "2.28.1-0ubuntu3.1", "version": "2.28.1-0ubuntu3.1" }, "to_version": { "source_package_name": "apport", "source_package_version": "2.28.1-0ubuntu3.3", "version": "2.28.1-0ubuntu3.3" }, "cves": [], "launchpad_bugs_fixed": [ 2078634, 2073935, 2078695, 1537310, 2073933, 2076186 ], "changes": [ { "cves": [], "log": [ "", " * Depend on gdb-multiarch and python3-psutil for system tests", "" ], "package": "apport", "version": "2.28.1-0ubuntu3.3", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Benjamin Drung ", "date": "Sat, 26 Oct 2024 13:50:11 +0200" }, { "cves": [], "log": [ "", " * Remove obsolete apport init.d and bash-completion conffiles (LP: #2078634)", " * recent-syslog: read stdout after process completion (LP: #2073935)", " * package_hook: Handle failures of removed packages (LP: #2078695)", " * Fix hang when cancelling/closing Apport (LP: #1537310)", " * tests:", " - fix wait_for_gdb_sleeping_child_process (LP: #2073933)", " - fix flaky tests waiting for sleep command (LP: #2076186)", "" ], "package": "apport", "version": "2.28.1-0ubuntu3.2", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 
2078634, 2073935, 2078695, 1537310, 2073933, 2076186 ], "author": "Benjamin Drung ", "date": "Fri, 04 Oct 2024 14:50:27 +0200" } ], "notes": null }, { "name": "bind9-dnsutils", "from_version": { "source_package_name": "bind9", "source_package_version": "1:9.18.28-0ubuntu0.24.04.1", "version": "1:9.18.28-0ubuntu0.24.04.1" }, "to_version": { "source_package_name": "bind9", "source_package_version": "1:9.18.30-0ubuntu0.24.04.1", "version": "1:9.18.30-0ubuntu0.24.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2073310 ], "changes": [ { "cves": [], "log": [ "", " * New upstream release 9.18.30 (LP: #2073310)", " - Features:", " + Print initial working directory during named startup, and changed", " working directory when loading or reloading the configuration file", " + Add max-query-restarts configuration statement", " - Updates:", " + Restrain named to specified number of cores when running via taskset,", " cpuset, or numactl", " + Reduce default max-recursion-queries value from 100 to 32", " + Raise the log level of priming failures", " - Bug Fixes:", " + Fix privacy verification of EDDSA keys", " + Fix algorithm rollover bug when there are two keys with the same keytag", " + Return SERVFAIL for a too long CNAME chain", " + Reconfigure catz member zones during named reconfiguration", " + Update key lifetime and metadata after dnssec-policy reconfiguration", " + Fix generation of 6to4-self name expansion from IPv4 address", " + Fix invalid dig +yaml output", " + Reject zero-length ALPN during SVBC ALPN text parsing", " + Fix false QNAME minimisation error being reported", " + Fix dig +timeout argument when using +http", " - See https://bind9.readthedocs.io/en/v9.18.30/notes.html for additional", " information.", " * d/p/0002-Add-support-for-reporting-status-via-sd_notify.patch: Refresh for", " new version", "" ], "package": "bind9", "version": "1:9.18.30-0ubuntu0.24.04.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2073310 ], "author": 
"Lena Voytek ", "date": "Mon, 23 Sep 2024 17:02:05 -0400" } ], "notes": null }, { "name": "bind9-host", "from_version": { "source_package_name": "bind9", "source_package_version": "1:9.18.28-0ubuntu0.24.04.1", "version": "1:9.18.28-0ubuntu0.24.04.1" }, "to_version": { "source_package_name": "bind9", "source_package_version": "1:9.18.30-0ubuntu0.24.04.1", "version": "1:9.18.30-0ubuntu0.24.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2073310 ], "changes": [ { "cves": [], "log": [ "", " * New upstream release 9.18.30 (LP: #2073310)", " - Features:", " + Print initial working directory during named startup, and changed", " working directory when loading or reloading the configuration file", " + Add max-query-restarts configuration statement", " - Updates:", " + Restrain named to specified number of cores when running via taskset,", " cpuset, or numactl", " + Reduce default max-recursion-queries value from 100 to 32", " + Raise the log level of priming failures", " - Bug Fixes:", " + Fix privacy verification of EDDSA keys", " + Fix algorithm rollover bug when there are two keys with the same keytag", " + Return SERVFAIL for a too long CNAME chain", " + Reconfigure catz member zones during named reconfiguration", " + Update key lifetime and metadata after dnssec-policy reconfiguration", " + Fix generation of 6to4-self name expansion from IPv4 address", " + Fix invalid dig +yaml output", " + Reject zero-length ALPN during SVBC ALPN text parsing", " + Fix false QNAME minimisation error being reported", " + Fix dig +timeout argument when using +http", " - See https://bind9.readthedocs.io/en/v9.18.30/notes.html for additional", " information.", " * d/p/0002-Add-support-for-reporting-status-via-sd_notify.patch: Refresh for", " new version", "" ], "package": "bind9", "version": "1:9.18.30-0ubuntu0.24.04.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2073310 ], "author": "Lena Voytek ", "date": "Mon, 23 Sep 2024 17:02:05 -0400" } ], "notes": null 
}, { "name": "bind9-libs:riscv64", "from_version": { "source_package_name": "bind9", "source_package_version": "1:9.18.28-0ubuntu0.24.04.1", "version": "1:9.18.28-0ubuntu0.24.04.1" }, "to_version": { "source_package_name": "bind9", "source_package_version": "1:9.18.30-0ubuntu0.24.04.1", "version": "1:9.18.30-0ubuntu0.24.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2073310 ], "changes": [ { "cves": [], "log": [ "", " * New upstream release 9.18.30 (LP: #2073310)", " - Features:", " + Print initial working directory during named startup, and changed", " working directory when loading or reloading the configuration file", " + Add max-query-restarts configuration statement", " - Updates:", " + Restrain named to specified number of cores when running via taskset,", " cpuset, or numactl", " + Reduce default max-recursion-queries value from 100 to 32", " + Raise the log level of priming failures", " - Bug Fixes:", " + Fix privacy verification of EDDSA keys", " + Fix algorithm rollover bug when there are two keys with the same keytag", " + Return SERVFAIL for a too long CNAME chain", " + Reconfigure catz member zones during named reconfiguration", " + Update key lifetime and metadata after dnssec-policy reconfiguration", " + Fix generation of 6to4-self name expansion from IPv4 address", " + Fix invalid dig +yaml output", " + Reject zero-length ALPN during SVBC ALPN text parsing", " + Fix false QNAME minimisation error being reported", " + Fix dig +timeout argument when using +http", " - See https://bind9.readthedocs.io/en/v9.18.30/notes.html for additional", " information.", " * d/p/0002-Add-support-for-reporting-status-via-sd_notify.patch: Refresh for", " new version", "" ], "package": "bind9", "version": "1:9.18.30-0ubuntu0.24.04.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2073310 ], "author": "Lena Voytek ", "date": "Mon, 23 Sep 2024 17:02:05 -0400" } ], "notes": null }, { "name": "cloud-init", "from_version": { "source_package_name": 
"cloud-init", "source_package_version": "24.3.1-0ubuntu0~24.04.2", "version": "24.3.1-0ubuntu0~24.04.2" }, "to_version": { "source_package_name": "cloud-init", "source_package_version": "24.4-0ubuntu1~24.04.2", "version": "24.4-0ubuntu1~24.04.2" }, "cves": [], "launchpad_bugs_fixed": [ 2089577 ], "changes": [ { "cves": [], "log": [ "", " * Fix d/p/no-single-process.patch", " - It didn't contain removal of cloud-init-network.service nor", " the removal of the network.service reference", "" ], "package": "cloud-init", "version": "24.4-0ubuntu1~24.04.2", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "James Falcon ", "date": "Mon, 02 Dec 2024 13:09:22 -0600" }, { "cves": [], "log": [ "", " * add d/p/grub-dpkg-support.patch", " - Revert the removal of grub-dpkg from default modules", " * refresh patches:", " - d/p/deprecation-version-boundary.patch", " - d/p/no-nocloud-network.patch", " - d/p/no-single-process.patch", " * Upstream snapshot based on 24.4. (LP: #2089577).", " List of changes from upstream can be found at", " https://raw.githubusercontent.com/canonical/cloud-init/24.4/ChangeLog", "" ], "package": "cloud-init", "version": "24.4-0ubuntu1~24.04.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2089577 ], "author": "James Falcon ", "date": "Tue, 26 Nov 2024 07:46:41 -0600" } ], "notes": null }, { "name": "curl", "from_version": { "source_package_name": "curl", "source_package_version": "8.5.0-2ubuntu10.5", "version": "8.5.0-2ubuntu10.5" }, "to_version": { "source_package_name": "curl", "source_package_version": "8.5.0-2ubuntu10.6", "version": "8.5.0-2ubuntu10.6" }, "cves": [ { "cve": "CVE-2024-11053", "url": "https://ubuntu.com/security/CVE-2024-11053", "cve_description": "When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. 
This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.", "cve_priority": "low", "cve_public_date": "2024-12-11 08:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-11053", "url": "https://ubuntu.com/security/CVE-2024-11053", "cve_description": "When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.", "cve_priority": "low", "cve_public_date": "2024-12-11 08:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: netrc and redirect credential leak", " - debian/patches/CVE-2024-11053-pre1.patch: use same credentials on", " redirect in lib/transfer.c, lib/url.c, lib/urldata.h,", " tests/data/Makefile.inc, tests/data/test998, tests/data/test999.", " - debian/patches/CVE-2024-11053.patch: address several netrc parser", " flaws in lib/netrc.c, lib/url.c, tests/data/Makefile.inc,", " tests/data/test478, tests/data/test479, tests/data/test480,", " tests/unit/unit1304.c.", " - CVE-2024-11053", "" ], "package": "curl", "version": "8.5.0-2ubuntu10.6", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 11 Dec 2024 11:44:19 -0500" } ], "notes": null }, { "name": "dmidecode", "from_version": { "source_package_name": "dmidecode", "source_package_version": "3.5-3build1", "version": "3.5-3build1" }, "to_version": { "source_package_name": "dmidecode", "source_package_version": "3.5-3ubuntu0.1", "version": "3.5-3ubuntu0.1" }, "cves": [], "launchpad_bugs_fixed": [ 2081611 ], "changes": [ { "cves": [], "log": [ "", " * Add processor 
support from SMBIOS 3.6.0 (LP: #2081611)", " - debian/patches/lp-2081611-add-processor-support-from-smbios-3.6.0.patch", "" ], "package": "dmidecode", "version": "3.5-3ubuntu0.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2081611 ], "author": "Joao Andre Simioni ", "date": "Mon, 14 Oct 2024 17:25:58 -0300" } ], "notes": null }, { "name": "fwupd", "from_version": { "source_package_name": "fwupd", "source_package_version": "1.9.24-1~24.04.1", "version": "1.9.24-1~24.04.1" }, "to_version": { "source_package_name": "fwupd", "source_package_version": "1.9.27-0ubuntu1~24.04.1", "version": "1.9.27-0ubuntu1~24.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2085433, 2083801, 2077553, 2076151, 2077411 ], "changes": [ { "cves": [], "log": [ "", " * New upstream version (1.9.27)", " - Support for newer Dell docks (LP: #2085433)", " - Support for mediatek scalar (LP: #2083801)", "" ], "package": "fwupd", "version": "1.9.27-0ubuntu1~24.04.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2085433, 2083801 ], "author": "Mario Limonciello ", "date": "Thu, 05 Dec 2024 09:53:25 -0600" }, { "cves": [], "log": [ "", " * New upstream version (1.9.24)", " - Improves ESP detection false positives (LP: #2077553)", " - Adds support for mediatek scalar (LP: #2076151)", " - Fixes redfish protocol handling (LP: #2077411)", "" ], "package": "fwupd", "version": "1.9.24-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [ 2077553, 2076151, 2077411 ], "author": "Mario Limonciello ", "date": "Wed, 21 Aug 2024 13:39:05 -0500" } ], "notes": null }, { "name": "gir1.2-packagekitglib-1.0", "from_version": { "source_package_name": "packagekit", "source_package_version": "1.2.8-2build3", "version": "1.2.8-2build3" }, "to_version": { "source_package_name": "packagekit", "source_package_version": "1.2.8-2ubuntu1.1", "version": "1.2.8-2ubuntu1.1" }, "cves": [], "launchpad_bugs_fixed": [ 2091714, 2086773 ], "changes": [ { 
"cves": [], "log": [ "", " * No-change rebuild to fix unintended dependency on apt which was in", " noble-proposed back then, and caused packagekit to become uninstallable on", " armhf (LP: #2091714)", "" ], "package": "packagekit", "version": "1.2.8-2ubuntu1.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2091714 ], "author": "Andreas Hasenack ", "date": "Fri, 13 Dec 2024 14:07:28 -0300" }, { "cves": [], "log": [ "", " * Backport patch to fix showing the GTK debconf helper on Wayland", " (LP: #2086773)", "" ], "package": "packagekit", "version": "1.2.8-2ubuntu1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2086773 ], "author": "Alessandro Astone ", "date": "Mon, 11 Nov 2024 16:36:25 +0100" } ], "notes": null }, { "name": "libcurl3t64-gnutls:riscv64", "from_version": { "source_package_name": "curl", "source_package_version": "8.5.0-2ubuntu10.5", "version": "8.5.0-2ubuntu10.5" }, "to_version": { "source_package_name": "curl", "source_package_version": "8.5.0-2ubuntu10.6", "version": "8.5.0-2ubuntu10.6" }, "cves": [ { "cve": "CVE-2024-11053", "url": "https://ubuntu.com/security/CVE-2024-11053", "cve_description": "When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.", "cve_priority": "low", "cve_public_date": "2024-12-11 08:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-11053", "url": "https://ubuntu.com/security/CVE-2024-11053", "cve_description": "When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. 
This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.", "cve_priority": "low", "cve_public_date": "2024-12-11 08:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: netrc and redirect credential leak", " - debian/patches/CVE-2024-11053-pre1.patch: use same credentials on", " redirect in lib/transfer.c, lib/url.c, lib/urldata.h,", " tests/data/Makefile.inc, tests/data/test998, tests/data/test999.", " - debian/patches/CVE-2024-11053.patch: address several netrc parser", " flaws in lib/netrc.c, lib/url.c, tests/data/Makefile.inc,", " tests/data/test478, tests/data/test479, tests/data/test480,", " tests/unit/unit1304.c.", " - CVE-2024-11053", "" ], "package": "curl", "version": "8.5.0-2ubuntu10.6", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 11 Dec 2024 11:44:19 -0500" } ], "notes": null }, { "name": "libcurl4t64:riscv64", "from_version": { "source_package_name": "curl", "source_package_version": "8.5.0-2ubuntu10.5", "version": "8.5.0-2ubuntu10.5" }, "to_version": { "source_package_name": "curl", "source_package_version": "8.5.0-2ubuntu10.6", "version": "8.5.0-2ubuntu10.6" }, "cves": [ { "cve": "CVE-2024-11053", "url": "https://ubuntu.com/security/CVE-2024-11053", "cve_description": "When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. 
This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.", "cve_priority": "low", "cve_public_date": "2024-12-11 08:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-11053", "url": "https://ubuntu.com/security/CVE-2024-11053", "cve_description": "When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.", "cve_priority": "low", "cve_public_date": "2024-12-11 08:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: netrc and redirect credential leak", " - debian/patches/CVE-2024-11053-pre1.patch: use same credentials on", " redirect in lib/transfer.c, lib/url.c, lib/urldata.h,", " tests/data/Makefile.inc, tests/data/test998, tests/data/test999.", " - debian/patches/CVE-2024-11053.patch: address several netrc parser", " flaws in lib/netrc.c, lib/url.c, tests/data/Makefile.inc,", " tests/data/test478, tests/data/test479, tests/data/test480,", " tests/unit/unit1304.c.", " - CVE-2024-11053", "" ], "package": "curl", "version": "8.5.0-2ubuntu10.6", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 11 Dec 2024 11:44:19 -0500" } ], "notes": null }, { "name": "libexpat1:riscv64", "from_version": { "source_package_name": "expat", "source_package_version": "2.6.1-2ubuntu0.1", "version": "2.6.1-2ubuntu0.1" }, "to_version": { "source_package_name": "expat", "source_package_version": "2.6.1-2ubuntu0.2", "version": "2.6.1-2ubuntu0.2" }, "cves": [ { "cve": "CVE-2024-50602", "url": "https://ubuntu.com/security/CVE-2024-50602", 
"cve_description": "An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser.", "cve_priority": "medium", "cve_public_date": "2024-10-27 05:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-50602", "url": "https://ubuntu.com/security/CVE-2024-50602", "cve_description": "An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser.", "cve_priority": "medium", "cve_public_date": "2024-10-27 05:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: denial-of-service via XML_ResumeParser", " - debian/patches/CVE-2024-50602-1.patch: Make function XML_StopParser of", " expat/lib/xmlparse.c refuse to stop/suspend an unstarted parser", " - debian/patches/CVE-2024-50602-2.patch: Add XML_PARSING case to parser", " state in function XML_StopParser of expat/lib/xmlparse.c", " - debian/patches/CVE-2024-50602-3.patch: Add tests for CVE-2024-50602 to", " expat/tests/misc_tests.c", " - CVE-2024-50602 ", "" ], "package": "expat", "version": "2.6.1-2ubuntu0.2", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Nicolas Campuzano Jimenez ", "date": "Sun, 01 Dec 2024 15:52:41 -0500" } ], "notes": null }, { "name": "libfwupd2:riscv64", "from_version": { "source_package_name": "fwupd", "source_package_version": "1.9.24-1~24.04.1", "version": "1.9.24-1~24.04.1" }, "to_version": { "source_package_name": "fwupd", "source_package_version": "1.9.27-0ubuntu1~24.04.1", "version": "1.9.27-0ubuntu1~24.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2085433, 2083801, 2077553, 2076151, 2077411 ], "changes": [ { "cves": [], "log": [ "", " * New upstream version (1.9.27)", " - Support for newer Dell docks (LP: #2085433)", " - Support for mediatek scalar (LP: #2083801)", "" ], "package": "fwupd", "version": 
"1.9.27-0ubuntu1~24.04.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2085433, 2083801 ], "author": "Mario Limonciello ", "date": "Thu, 05 Dec 2024 09:53:25 -0600" }, { "cves": [], "log": [ "", " * New upstream version (1.9.24)", " - Improves ESP detection false positives (LP: #2077553)", " - Adds support for mediatek scalar (LP: #2076151)", " - Fixes redfish protocol handling (LP: #2077411)", "" ], "package": "fwupd", "version": "1.9.24-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [ 2077553, 2076151, 2077411 ], "author": "Mario Limonciello ", "date": "Wed, 21 Aug 2024 13:39:05 -0500" } ], "notes": null }, { "name": "libgstreamer1.0-0:riscv64", "from_version": { "source_package_name": "gstreamer1.0", "source_package_version": "1.24.2-1", "version": "1.24.2-1" }, "to_version": { "source_package_name": "gstreamer1.0", "source_package_version": "1.24.2-1ubuntu0.1", "version": "1.24.2-1ubuntu0.1" }, "cves": [ { "cve": "CVE-2024-47606", "url": "https://ubuntu.com/security/CVE-2024-47606", "cve_description": "GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in the function qtdemux_parse_theora_extension within qtdemux.c. The vulnerability occurs due to an underflow of the gint size variable, which causes size to hold a large unintended value when cast to an unsigned integer. This 32-bit negative value is then cast to a 64-bit unsigned integer (0xfffffffffffffffa) in a subsequent call to gst_buffer_new_and_alloc. The function gst_buffer_new_allocate then attempts to allocate memory, eventually calling _sysmem_new_block. The function _sysmem_new_block adds alignment and header size to the (unsigned) size, causing the overflow of the 'slice_size' variable. As a result, only 0x89 bytes are allocated, despite the large input size. 
When the following memcpy call occurs in gst_buffer_fill, the data from the input file will overwrite the content of the GstMapInfo info structure. Finally, during the call to gst_memory_unmap, the overwritten memory may cause a function pointer hijack, as the mem->allocator->mem_unmap_full function is called with a corrupted pointer. This function pointer overwrite could allow an attacker to alter the execution flow of the program, leading to arbitrary code execution. This vulnerability is fixed in 1.24.10.", "cve_priority": "medium", "cve_public_date": "2024-12-12 02:03:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-47606", "url": "https://ubuntu.com/security/CVE-2024-47606", "cve_description": "GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in the function qtdemux_parse_theora_extension within qtdemux.c. The vulnerability occurs due to an underflow of the gint size variable, which causes size to hold a large unintended value when cast to an unsigned integer. This 32-bit negative value is then cast to a 64-bit unsigned integer (0xfffffffffffffffa) in a subsequent call to gst_buffer_new_and_alloc. The function gst_buffer_new_allocate then attempts to allocate memory, eventually calling _sysmem_new_block. The function _sysmem_new_block adds alignment and header size to the (unsigned) size, causing the overflow of the 'slice_size' variable. As a result, only 0x89 bytes are allocated, despite the large input size. When the following memcpy call occurs in gst_buffer_fill, the data from the input file will overwrite the content of the GstMapInfo info structure. Finally, during the call to gst_memory_unmap, the overwritten memory may cause a function pointer hijack, as the mem->allocator->mem_unmap_full function is called with a corrupted pointer. 
This function pointer overwrite could allow an attacker to alter the execution flow of the program, leading to arbitrary code execution. This vulnerability is fixed in 1.24.10.", "cve_priority": "medium", "cve_public_date": "2024-12-12 02:03:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: code exec via integer overflow", " - debian/patches/CVE-2024-47606.patch: avoid integer overflow when", " allocating sysmem in gst/gstallocator.c.", " - CVE-2024-47606", "" ], "package": "gstreamer1.0", "version": "1.24.2-1ubuntu0.1", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 17 Dec 2024 07:53:48 -0500" } ], "notes": null }, { "name": "libmodule-scandeps-perl", "from_version": { "source_package_name": "libmodule-scandeps-perl", "source_package_version": "1.35-1", "version": "1.35-1" }, "to_version": { "source_package_name": "libmodule-scandeps-perl", "source_package_version": "1.35-1ubuntu0.24.04.1", "version": "1.35-1ubuntu0.24.04.1" }, "cves": [ { "cve": "CVE-2024-10224", "url": "https://ubuntu.com/security/CVE-2024-10224", "cve_description": "Qualys discovered that if unsanitized input was used with the library Modules::ScanDeps, before version 1.36 a local attacker could possibly execute arbitrary shell commands by open()ing a \"pesky pipe\" (such as passing \"commands|\" as a filename) or by passing arbitrary strings to eval().", "cve_priority": "medium", "cve_public_date": "2024-11-19 18:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-10224", "url": "https://ubuntu.com/security/CVE-2024-10224", "cve_description": "Qualys discovered that if unsanitized input was used with the library Modules::ScanDeps, before version 1.36 a local attacker could possibly execute arbitrary shell commands by open()ing a \"pesky pipe\" (such as passing \"commands|\" as a filename) or by passing arbitrary strings to eval().", "cve_priority": "medium", "cve_public_date": 
"2024-11-19 18:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: parsing untrusted code", " - d/p/CVE-2024-10224/0001-use-three-argument-open.patch: use a", " three-argument open() alternative", " - d/p/CVE-2024-10224/0002-replace-eval-.-constructs.patch: replace eval ", " with parsing the code instead", " - CVE-2024-10224", "" ], "package": "libmodule-scandeps-perl", "version": "1.35-1ubuntu0.24.04.1", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Sudhakar Verma ", "date": "Mon, 18 Nov 2024 22:11:43 +0530" } ], "notes": null }, { "name": "libopeniscsiusr", "from_version": { "source_package_name": "open-iscsi", "source_package_version": "2.1.9-3ubuntu5.1", "version": "2.1.9-3ubuntu5.1" }, "to_version": { "source_package_name": "open-iscsi", "source_package_version": "2.1.9-3ubuntu5.2", "version": "2.1.9-3ubuntu5.2" }, "cves": [], "launchpad_bugs_fixed": [ 2073846 ], "changes": [ { "cves": [], "log": [ "", " * d/p/lp2073846-setpriority-fix-for-linux-6x-kernel.patch: fix setpriority", " issue for linux kernel version >=6. 
(LP: #2073846)", "" ], "package": "open-iscsi", "version": "2.1.9-3ubuntu5.2", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2073846 ], "author": "Mustafa Kemal GILOR ", "date": "Mon, 02 Sep 2024 11:02:19 +0300" } ], "notes": null }, { "name": "libpackagekit-glib2-18:riscv64", "from_version": { "source_package_name": "packagekit", "source_package_version": "1.2.8-2build3", "version": "1.2.8-2build3" }, "to_version": { "source_package_name": "packagekit", "source_package_version": "1.2.8-2ubuntu1.1", "version": "1.2.8-2ubuntu1.1" }, "cves": [], "launchpad_bugs_fixed": [ 2091714, 2086773 ], "changes": [ { "cves": [], "log": [ "", " * No-change rebuild to fix unintended dependency on apt which was in", " noble-proposed back then, and caused packagekit to become uninstallable on", " armhf (LP: #2091714)", "" ], "package": "packagekit", "version": "1.2.8-2ubuntu1.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2091714 ], "author": "Andreas Hasenack ", "date": "Fri, 13 Dec 2024 14:07:28 -0300" }, { "cves": [], "log": [ "", " * Backport patch to fix showing the GTK debconf helper on Wayland", " (LP: #2086773)", "" ], "package": "packagekit", "version": "1.2.8-2ubuntu1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2086773 ], "author": "Alessandro Astone ", "date": "Mon, 11 Nov 2024 16:36:25 +0100" } ], "notes": null }, { "name": "libpython3.12-minimal:riscv64", "from_version": { "source_package_name": "python3.12", "source_package_version": "3.12.3-1ubuntu0.2", "version": "3.12.3-1ubuntu0.2" }, "to_version": { "source_package_name": "python3.12", "source_package_version": "3.12.3-1ubuntu0.3", "version": "3.12.3-1ubuntu0.3" }, "cves": [ { "cve": "CVE-2024-9287", "url": "https://ubuntu.com/security/CVE-2024-9287", "cve_description": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, 
allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "cve_priority": "medium", "cve_public_date": "2024-10-22 17:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-9287", "url": "https://ubuntu.com/security/CVE-2024-9287", "cve_description": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. 
Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "cve_priority": "medium", "cve_public_date": "2024-10-22 17:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect quoting in venv module", " - debian/patches/CVE-2024-9287.patch: quote template strings in venv", " activation scripts in Lib/test/test_venv.py, Lib/venv/__init__.py,", " Lib/venv/scripts/common/activate, Lib/venv/scripts/nt/activate.bat,", " Lib/venv/scripts/posix/activate.csh,", " Lib/venv/scripts/posix/activate.fish.", " - CVE-2024-9287", "" ], "package": "python3.12", "version": "3.12.3-1ubuntu0.3", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 06 Nov 2024 13:32:19 -0500" } ], "notes": null }, { "name": "libpython3.12-stdlib:riscv64", "from_version": { "source_package_name": "python3.12", "source_package_version": "3.12.3-1ubuntu0.2", "version": "3.12.3-1ubuntu0.2" }, "to_version": { "source_package_name": "python3.12", "source_package_version": "3.12.3-1ubuntu0.3", "version": "3.12.3-1ubuntu0.3" }, "cves": [ { "cve": "CVE-2024-9287", "url": "https://ubuntu.com/security/CVE-2024-9287", "cve_description": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. 
Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "cve_priority": "medium", "cve_public_date": "2024-10-22 17:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-9287", "url": "https://ubuntu.com/security/CVE-2024-9287", "cve_description": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "cve_priority": "medium", "cve_public_date": "2024-10-22 17:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect quoting in venv module", " - debian/patches/CVE-2024-9287.patch: quote template strings in venv", " activation scripts in Lib/test/test_venv.py, Lib/venv/__init__.py,", " Lib/venv/scripts/common/activate, Lib/venv/scripts/nt/activate.bat,", " Lib/venv/scripts/posix/activate.csh,", " Lib/venv/scripts/posix/activate.fish.", " - CVE-2024-9287", "" ], "package": "python3.12", "version": "3.12.3-1ubuntu0.3", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 06 Nov 2024 13:32:19 -0500" } ], "notes": null }, { "name": "libpython3.12t64:riscv64", "from_version": { "source_package_name": "python3.12", "source_package_version": "3.12.3-1ubuntu0.2", "version": "3.12.3-1ubuntu0.2" }, "to_version": { "source_package_name": "python3.12", "source_package_version": "3.12.3-1ubuntu0.3", "version": "3.12.3-1ubuntu0.3" }, "cves": [ { "cve": "CVE-2024-9287", "url": 
"https://ubuntu.com/security/CVE-2024-9287", "cve_description": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "cve_priority": "medium", "cve_public_date": "2024-10-22 17:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-9287", "url": "https://ubuntu.com/security/CVE-2024-9287", "cve_description": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. 
Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "cve_priority": "medium", "cve_public_date": "2024-10-22 17:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect quoting in venv module", " - debian/patches/CVE-2024-9287.patch: quote template strings in venv", " activation scripts in Lib/test/test_venv.py, Lib/venv/__init__.py,", " Lib/venv/scripts/common/activate, Lib/venv/scripts/nt/activate.bat,", " Lib/venv/scripts/posix/activate.csh,", " Lib/venv/scripts/posix/activate.fish.", " - CVE-2024-9287", "" ], "package": "python3.12", "version": "3.12.3-1ubuntu0.3", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 06 Nov 2024 13:32:19 -0500" } ], "notes": null }, { "name": "libudisks2-0:riscv64", "from_version": { "source_package_name": "udisks2", "source_package_version": "2.10.1-6build1", "version": "2.10.1-6build1" }, "to_version": { "source_package_name": "udisks2", "source_package_version": "2.10.1-6ubuntu1", "version": "2.10.1-6ubuntu1" }, "cves": [], "launchpad_bugs_fixed": [ 2038761 ], "changes": [ { "cves": [], "log": [ "", " * d/p/nvme-disk-size.patch: Fix missing size for NVME disk (LP: #2038761).", "" ], "package": "udisks2", "version": "2.10.1-6ubuntu1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2038761 ], "author": "Nathan Pratta Teodosio ", "date": "Mon, 18 Nov 2024 17:06:30 +0100" } ], "notes": null }, { "name": "linux-headers-generic", "from_version": { "source_package_name": "linux-meta-riscv", "source_package_version": "6.8.0-49.49.1", "version": "6.8.0-49.49.1" }, "to_version": { "source_package_name": "linux-meta-riscv", "source_package_version": "6.8.0-51.52.1", "version": "6.8.0-51.52.1" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 6.8.0-51.52.1", "" ], "package": 
"linux-meta-riscv", "version": "6.8.0-51.52.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Emil Renner Berthing ", "date": "Mon, 09 Dec 2024 16:39:07 +0100" }, { "cves": [], "log": [ "", " * Main version: 6.8.0-50.51.1", "", " * Packaging resync (LP: #1786013)", " - [Packaging] resync git-ubuntu-log", " - [Packaging] debian/dkms-versions -- resync from main package", "" ], "package": "linux-meta-riscv", "version": "6.8.0-50.51.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 1786013 ], "author": "Emil Renner Berthing ", "date": "Tue, 26 Nov 2024 14:41:12 +0100" } ], "notes": null }, { "name": "linux-headers-virtual", "from_version": { "source_package_name": "linux-meta-riscv", "source_package_version": "6.8.0-49.49.1", "version": "6.8.0-49.49.1" }, "to_version": { "source_package_name": "linux-meta-riscv", "source_package_version": "6.8.0-51.52.1", "version": "6.8.0-51.52.1" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 6.8.0-51.52.1", "" ], "package": "linux-meta-riscv", "version": "6.8.0-51.52.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Emil Renner Berthing ", "date": "Mon, 09 Dec 2024 16:39:07 +0100" }, { "cves": [], "log": [ "", " * Main version: 6.8.0-50.51.1", "", " * Packaging resync (LP: #1786013)", " - [Packaging] resync git-ubuntu-log", " - [Packaging] debian/dkms-versions -- resync from main package", "" ], "package": "linux-meta-riscv", "version": "6.8.0-50.51.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 1786013 ], "author": "Emil Renner Berthing ", "date": "Tue, 26 Nov 2024 14:41:12 +0100" } ], "notes": null }, { "name": "linux-image-virtual", "from_version": { "source_package_name": "linux-meta-riscv", "source_package_version": "6.8.0-49.49.1", "version": "6.8.0-49.49.1" }, "to_version": { "source_package_name": "linux-meta-riscv", 
"source_package_version": "6.8.0-51.52.1", "version": "6.8.0-51.52.1" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 6.8.0-51.52.1", "" ], "package": "linux-meta-riscv", "version": "6.8.0-51.52.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Emil Renner Berthing ", "date": "Mon, 09 Dec 2024 16:39:07 +0100" }, { "cves": [], "log": [ "", " * Main version: 6.8.0-50.51.1", "", " * Packaging resync (LP: #1786013)", " - [Packaging] resync git-ubuntu-log", " - [Packaging] debian/dkms-versions -- resync from main package", "" ], "package": "linux-meta-riscv", "version": "6.8.0-50.51.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 1786013 ], "author": "Emil Renner Berthing ", "date": "Tue, 26 Nov 2024 14:41:12 +0100" } ], "notes": null }, { "name": "linux-virtual", "from_version": { "source_package_name": "linux-meta-riscv", "source_package_version": "6.8.0-49.49.1", "version": "6.8.0-49.49.1" }, "to_version": { "source_package_name": "linux-meta-riscv", "source_package_version": "6.8.0-51.52.1", "version": "6.8.0-51.52.1" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 6.8.0-51.52.1", "" ], "package": "linux-meta-riscv", "version": "6.8.0-51.52.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Emil Renner Berthing ", "date": "Mon, 09 Dec 2024 16:39:07 +0100" }, { "cves": [], "log": [ "", " * Main version: 6.8.0-50.51.1", "", " * Packaging resync (LP: #1786013)", " - [Packaging] resync git-ubuntu-log", " - [Packaging] debian/dkms-versions -- resync from main package", "" ], "package": "linux-meta-riscv", "version": "6.8.0-50.51.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 1786013 ], "author": "Emil Renner Berthing ", "date": "Tue, 26 Nov 2024 14:41:12 +0100" } ], "notes": null }, { "name": "needrestart", 
"from_version": { "source_package_name": "needrestart", "source_package_version": "3.6-7ubuntu4.1", "version": "3.6-7ubuntu4.1" }, "to_version": { "source_package_name": "needrestart", "source_package_version": "3.6-7ubuntu4.5", "version": "3.6-7ubuntu4.5" }, "cves": [ { "cve": "CVE-2024-48990", "url": "https://ubuntu.com/security/CVE-2024-48990", "cve_description": "Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable.", "cve_priority": "high", "cve_public_date": "2024-11-19 18:15:00 UTC" }, { "cve": "CVE-2024-48991", "url": "https://ubuntu.com/security/CVE-2024-48991", "cve_description": "Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by winning a race condition and tricking needrestart into running their own, fake Python interpreter (instead of the system's real Python interpreter). The initial security fix (6ce6136) introduced a regression which was subsequently resolved (42af5d3).", "cve_priority": "high", "cve_public_date": "2024-11-19 18:15:00 UTC" }, { "cve": "CVE-2024-48992", "url": "https://ubuntu.com/security/CVE-2024-48992", "cve_description": "Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by tricking needrestart into running the Ruby interpreter with an attacker-controlled RUBYLIB environment variable.", "cve_priority": "high", "cve_public_date": "2024-11-19 18:15:00 UTC" }, { "cve": "CVE-2024-11003", "url": "https://ubuntu.com/security/CVE-2024-11003", "cve_description": "Qualys discovered that needrestart, before version 3.8, passes unsanitized data to a library (Modules::ScanDeps) which expects safe input. This could allow a local attacker to execute arbitrary shell commands. 
Please see the related CVE-2024-10224 in Modules::ScanDeps.", "cve_priority": "medium", "cve_public_date": "2024-11-19 18:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2089193, 2089193, 2084571 ], "changes": [ { "cves": [], "log": [ "", " * SECURITY REGRESSION: false positives for killing processes in LXC", " (LP: #2089193)", " - debian/patches/lp2091096/0021-fix-lxc-fp.patch: use the value of exe", " to check for obsolete processes when exec is undefined", "" ], "package": "needrestart", "version": "3.6-7ubuntu4.5", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [ 2089193 ], "author": "Sudhakar Verma ", "date": "Thu, 05 Dec 2024 17:23:51 +0530" }, { "cves": [], "log": [ "", " * SECURITY REGRESSION: false positives for killing processes (LP: #2089193)", " - debian/patches/lp2089193/0020-fix-chroot-mountns-fp.patch: ignore check", " for obsolete processes in chrooted or containerized processes", "" ], "package": "needrestart", "version": "3.6-7ubuntu4.4", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [ 2089193 ], "author": "Sudhakar Verma ", "date": "Tue, 26 Nov 2024 10:44:57 +0530" }, { "cves": [ { "cve": "CVE-2024-48990", "url": "https://ubuntu.com/security/CVE-2024-48990", "cve_description": "Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable.", "cve_priority": "high", "cve_public_date": "2024-11-19 18:15:00 UTC" }, { "cve": "CVE-2024-48991", "url": "https://ubuntu.com/security/CVE-2024-48991", "cve_description": "Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by winning a race condition and tricking needrestart into running their own, fake Python interpreter (instead of the system's real Python interpreter). 
The initial security fix (6ce6136) introduced a regression which was subsequently resolved (42af5d3).", "cve_priority": "high", "cve_public_date": "2024-11-19 18:15:00 UTC" }, { "cve": "CVE-2024-48992", "url": "https://ubuntu.com/security/CVE-2024-48992", "cve_description": "Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by tricking needrestart into running the Ruby interpreter with an attacker-controlled RUBYLIB environment variable.", "cve_priority": "high", "cve_public_date": "2024-11-19 18:15:00 UTC" }, { "cve": "CVE-2024-11003", "url": "https://ubuntu.com/security/CVE-2024-11003", "cve_description": "Qualys discovered that needrestart, before version 3.8, passes unsanitized data to a library (Modules::ScanDeps) which expects safe input. This could allow a local attacker to execute arbitrary shell commands. Please see the related CVE-2024-10224 in Modules::ScanDeps.", "cve_priority": "medium", "cve_public_date": "2024-11-19 18:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect usage of PYTHONPATH environment variable", " - debian/patches/CVE-2024-48990.patch: chdir to a clean directory ", " to avoid loading arbitrary objects, sanitize PYTHONPATH before", " spawning a new python interpreter", " - CVE-2024-48990", " * SECURITY UPDATE: race condition for checking path to python", " - debian/patches/CVE-2024-48991.patch: sync path for both check", " and usage for python interpreter", " - CVE-2024-48991", " * SECURITY UPDATE: incorrect usage of RUBYLIB environment variable", " - debian/patches/CVE-2024-48992.patch: chdir to a clean directory", " to avoid loading arbitrary objects, sanitize RUBYLIB before", " spawning a new ruby interpreter", " - CVE-2024-48992", " * SECURITY UPDATE: incorrect usage of Perl ScanDeps", " - debian/patches/CVE-2024-11003.patch: remove usage of ScanDeps", " to avoid parsing arbitrary code", " - CVE-2024-11003 ", "" ], "package": "needrestart", "version": 
"3.6-7ubuntu4.3", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Sudhakar Verma ", "date": "Thu, 14 Nov 2024 14:59:09 +0530" }, { "cves": [], "log": [ "", " * Fix container handling (LP: #2084571)", " - d/p/ubuntu-mode.patch: make sure containers aren't restarted from APT", " - d/p/lp2084571/0019-container-fix-always-ignoring-lxc-lxd-instances-regr.patch:", " cherry-picked fix from upstream.", "" ], "package": "needrestart", "version": "3.6-7ubuntu4.2", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2084571 ], "author": "Simon Chopin ", "date": "Tue, 15 Oct 2024 18:12:58 +0200" } ], "notes": null }, { "name": "open-iscsi", "from_version": { "source_package_name": "open-iscsi", "source_package_version": "2.1.9-3ubuntu5.1", "version": "2.1.9-3ubuntu5.1" }, "to_version": { "source_package_name": "open-iscsi", "source_package_version": "2.1.9-3ubuntu5.2", "version": "2.1.9-3ubuntu5.2" }, "cves": [], "launchpad_bugs_fixed": [ 2073846 ], "changes": [ { "cves": [], "log": [ "", " * d/p/lp2073846-setpriority-fix-for-linux-6x-kernel.patch: fix setpriority", " issue for linux kernel version >=6. 
(LP: #2073846)", "" ], "package": "open-iscsi", "version": "2.1.9-3ubuntu5.2", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2073846 ], "author": "Mustafa Kemal GILOR ", "date": "Mon, 02 Sep 2024 11:02:19 +0300" } ], "notes": null }, { "name": "packagekit", "from_version": { "source_package_name": "packagekit", "source_package_version": "1.2.8-2build3", "version": "1.2.8-2build3" }, "to_version": { "source_package_name": "packagekit", "source_package_version": "1.2.8-2ubuntu1.1", "version": "1.2.8-2ubuntu1.1" }, "cves": [], "launchpad_bugs_fixed": [ 2091714, 2086773 ], "changes": [ { "cves": [], "log": [ "", " * No-change rebuild to fix unintended dependency on apt which was in", " noble-proposed back then, and caused packagekit to become uninstallable on", " armhf (LP: #2091714)", "" ], "package": "packagekit", "version": "1.2.8-2ubuntu1.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2091714 ], "author": "Andreas Hasenack ", "date": "Fri, 13 Dec 2024 14:07:28 -0300" }, { "cves": [], "log": [ "", " * Backport patch to fix showing the GTK debconf helper on Wayland", " (LP: #2086773)", "" ], "package": "packagekit", "version": "1.2.8-2ubuntu1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2086773 ], "author": "Alessandro Astone ", "date": "Mon, 11 Nov 2024 16:36:25 +0100" } ], "notes": null }, { "name": "packagekit-tools", "from_version": { "source_package_name": "packagekit", "source_package_version": "1.2.8-2build3", "version": "1.2.8-2build3" }, "to_version": { "source_package_name": "packagekit", "source_package_version": "1.2.8-2ubuntu1.1", "version": "1.2.8-2ubuntu1.1" }, "cves": [], "launchpad_bugs_fixed": [ 2091714, 2086773 ], "changes": [ { "cves": [], "log": [ "", " * No-change rebuild to fix unintended dependency on apt which was in", " noble-proposed back then, and caused packagekit to become uninstallable on", " armhf (LP: #2091714)", "" ], "package": "packagekit", 
"version": "1.2.8-2ubuntu1.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2091714 ], "author": "Andreas Hasenack ", "date": "Fri, 13 Dec 2024 14:07:28 -0300" }, { "cves": [], "log": [ "", " * Backport patch to fix showing the GTK debconf helper on Wayland", " (LP: #2086773)", "" ], "package": "packagekit", "version": "1.2.8-2ubuntu1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2086773 ], "author": "Alessandro Astone ", "date": "Mon, 11 Nov 2024 16:36:25 +0100" } ], "notes": null }, { "name": "python3-apport", "from_version": { "source_package_name": "apport", "source_package_version": "2.28.1-0ubuntu3.1", "version": "2.28.1-0ubuntu3.1" }, "to_version": { "source_package_name": "apport", "source_package_version": "2.28.1-0ubuntu3.3", "version": "2.28.1-0ubuntu3.3" }, "cves": [], "launchpad_bugs_fixed": [ 2078634, 2073935, 2078695, 1537310, 2073933, 2076186 ], "changes": [ { "cves": [], "log": [ "", " * Depend on gdb-multiarch and python3-psutil for system tests", "" ], "package": "apport", "version": "2.28.1-0ubuntu3.3", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Benjamin Drung ", "date": "Sat, 26 Oct 2024 13:50:11 +0200" }, { "cves": [], "log": [ "", " * Remove obsolete apport init.d and bash-completion conffiles (LP: #2078634)", " * recent-syslog: read stdout after process completion (LP: #2073935)", " * package_hook: Handle failures of removed packages (LP: #2078695)", " * Fix hang when cancelling/closing Apport (LP: #1537310)", " * tests:", " - fix wait_for_gdb_sleeping_child_process (LP: #2073933)", " - fix flaky tests waiting for sleep command (LP: #2076186)", "" ], "package": "apport", "version": "2.28.1-0ubuntu3.2", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2078634, 2073935, 2078695, 1537310, 2073933, 2076186 ], "author": "Benjamin Drung ", "date": "Fri, 04 Oct 2024 14:50:27 +0200" } ], "notes": null }, { "name": 
"python3-problem-report", "from_version": { "source_package_name": "apport", "source_package_version": "2.28.1-0ubuntu3.1", "version": "2.28.1-0ubuntu3.1" }, "to_version": { "source_package_name": "apport", "source_package_version": "2.28.1-0ubuntu3.3", "version": "2.28.1-0ubuntu3.3" }, "cves": [], "launchpad_bugs_fixed": [ 2078634, 2073935, 2078695, 1537310, 2073933, 2076186 ], "changes": [ { "cves": [], "log": [ "", " * Depend on gdb-multiarch and python3-psutil for system tests", "" ], "package": "apport", "version": "2.28.1-0ubuntu3.3", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Benjamin Drung ", "date": "Sat, 26 Oct 2024 13:50:11 +0200" }, { "cves": [], "log": [ "", " * Remove obsolete apport init.d and bash-completion conffiles (LP: #2078634)", " * recent-syslog: read stdout after process completion (LP: #2073935)", " * package_hook: Handle failures of removed packages (LP: #2078695)", " * Fix hang when cancelling/closing Apport (LP: #1537310)", " * tests:", " - fix wait_for_gdb_sleeping_child_process (LP: #2073933)", " - fix flaky tests waiting for sleep command (LP: #2076186)", "" ], "package": "apport", "version": "2.28.1-0ubuntu3.2", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2078634, 2073935, 2078695, 1537310, 2073933, 2076186 ], "author": "Benjamin Drung ", "date": "Fri, 04 Oct 2024 14:50:27 +0200" } ], "notes": null }, { "name": "python3-software-properties", "from_version": { "source_package_name": "software-properties", "source_package_version": "0.99.48", "version": "0.99.48" }, "to_version": { "source_package_name": "software-properties", "source_package_version": "0.99.49.1", "version": "0.99.49.1" }, "cves": [], "launchpad_bugs_fixed": [ 2073742, 2069433, 2061214 ], "changes": [ { "cves": [], "log": [ "", " [ James Page ]", " * cloudarchive: Enable support for the Dalmatian Ubuntu Cloud Archive on", " 24.04 (LP: #2073742).", "", " [ Julian Andres Klode ]", " * Reload the 
source code state when reloading sources.list (LP: #2069433)", "" ], "package": "software-properties", "version": "0.99.49.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2073742, 2069433 ], "author": "Julian Andres Klode ", "date": "Thu, 15 Aug 2024 09:26:12 +0100" }, { "cves": [], "log": [ "", " * Add Qt frontend for deb822 sources, which is now the default in Noble", " (LP: #2061214).", "" ], "package": "software-properties", "version": "0.99.49", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2061214 ], "author": "Simon Quigley ", "date": "Mon, 22 Apr 2024 14:22:26 -0500" } ], "notes": null }, { "name": "python3.12", "from_version": { "source_package_name": "python3.12", "source_package_version": "3.12.3-1ubuntu0.2", "version": "3.12.3-1ubuntu0.2" }, "to_version": { "source_package_name": "python3.12", "source_package_version": "3.12.3-1ubuntu0.3", "version": "3.12.3-1ubuntu0.3" }, "cves": [ { "cve": "CVE-2024-9287", "url": "https://ubuntu.com/security/CVE-2024-9287", "cve_description": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. 
Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "cve_priority": "medium", "cve_public_date": "2024-10-22 17:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-9287", "url": "https://ubuntu.com/security/CVE-2024-9287", "cve_description": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "cve_priority": "medium", "cve_public_date": "2024-10-22 17:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect quoting in venv module", " - debian/patches/CVE-2024-9287.patch: quote template strings in venv", " activation scripts in Lib/test/test_venv.py, Lib/venv/__init__.py,", " Lib/venv/scripts/common/activate, Lib/venv/scripts/nt/activate.bat,", " Lib/venv/scripts/posix/activate.csh,", " Lib/venv/scripts/posix/activate.fish.", " - CVE-2024-9287", "" ], "package": "python3.12", "version": "3.12.3-1ubuntu0.3", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 06 Nov 2024 13:32:19 -0500" } ], "notes": null }, { "name": "python3.12-minimal", "from_version": { "source_package_name": "python3.12", "source_package_version": "3.12.3-1ubuntu0.2", "version": "3.12.3-1ubuntu0.2" }, "to_version": { "source_package_name": "python3.12", "source_package_version": "3.12.3-1ubuntu0.3", "version": "3.12.3-1ubuntu0.3" }, "cves": [ { "cve": "CVE-2024-9287", "url": 
"https://ubuntu.com/security/CVE-2024-9287", "cve_description": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "cve_priority": "medium", "cve_public_date": "2024-10-22 17:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-9287", "url": "https://ubuntu.com/security/CVE-2024-9287", "cve_description": "A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment \"activation\" scripts (ie \"source venv/bin/activate\"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. 
Virtual environments which are not created by an attacker or which aren't activated before being used (ie \"./venv/bin/python\") are not affected.", "cve_priority": "medium", "cve_public_date": "2024-10-22 17:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect quoting in venv module", " - debian/patches/CVE-2024-9287.patch: quote template strings in venv", " activation scripts in Lib/test/test_venv.py, Lib/venv/__init__.py,", " Lib/venv/scripts/common/activate, Lib/venv/scripts/nt/activate.bat,", " Lib/venv/scripts/posix/activate.csh,", " Lib/venv/scripts/posix/activate.fish.", " - CVE-2024-9287", "" ], "package": "python3.12", "version": "3.12.3-1ubuntu0.3", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 06 Nov 2024 13:32:19 -0500" } ], "notes": null }, { "name": "snapd", "from_version": { "source_package_name": "snapd", "source_package_version": "2.65.3+24.04", "version": "2.65.3+24.04" }, "to_version": { "source_package_name": "snapd", "source_package_version": "2.66.1+24.04", "version": "2.66.1+24.04" }, "cves": [], "launchpad_bugs_fixed": [ 2083490, 2083490, 2077473 ], "changes": [ { "cves": [], "log": [ "", " * New upstream release, LP: #2083490", " - AppArmor prompting (experimental): Fix kernel prompting support", " check", " - Allow kernel snaps to have content slots", " - Fix ignoring snaps in try mode when amending", "" ], "package": "snapd", "version": "2.66.1+24.04", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2083490 ], "author": "Ernest Lotter ", "date": "Fri, 11 Oct 2024 10:05:46 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2083490", " - AppArmor prompting (experimental): expand kernel support checks", " - AppArmor prompting (experimental): consolidate error messages and", " add error kinds", " - AppArmor prompting (experimental): grant /v2/snaps/{name} via", " snap-interfaces-requests-control", " - AppArmor 
prompting (experimental): add checks for duplicate", " pattern variants", " - Registry views (experimental): add handlers that commit (and", " cleanup) registry transactions", " - Registry views (experimental): add a snapctl fail command for", " rejecting registry transactions", " - Registry views (experimental): allow custodian snaps to implement", " registry hooks that modify and save registry data", " - Registry views (experimental): run view-changed hooks only for", " snaps plugging views affected by modified paths", " - Registry views (experimental): make registry transactions", " serialisable", " - Snap components: handle refreshing components to revisions that", " have been on the system before", " - Snap components: enable creating Ubuntu Core images that contain", " components", " - Snap components: handle refreshing components independently of", " snaps", " - Snap components: handle removing components when refreshing a snap", " that no longer defines them", " - Snap components: extend snapd Ubuntu Core installation API to", " allow for picking optional snaps and components to install", " - Snap components: extend kernel.yaml with \"dynamic-modules\",", " allowing kernel to define a location for kmods from component", " hooks", " - Snap components: renamed component type \"test\" to \"standard\"", " - Desktop IDs: support installing desktop files with custom names", " based on desktop-file-ids desktop interface plug attr", " - Auto-install snapd on classic systems as prerequisite for any non-", " essential snap install", " - Support loading AppArmor profiles on WSL2 with non-default kernel", " and securityfs mounted", " - Debian/Fedora packaging updates", " - Add snap debug command for investigating execution aspects of the", " snap toolchain", " - Improve snap pack error for easier parsing", " - Add support for user services when refreshing snaps", " - Add snap remove --terminate flag for terminating running snap", " processes", " - Support building FIPS 
complaint snapd deb and snap", " - Fix to not use nss when looking up for users/groups from snapd", " snap", " - Fix ordering in which layout changes are saved", " - Patch snapd snap dynamic linker to ignore LD_LIBRARY_PATH and", " related variables", " - Fix libexec dir for openSUSE Slowroll", " - Fix handling of the shared snap directory for parallel installs", " - Allow writing to /run/systemd/journal/dev-log by default", " - Avoid state lock during snap removal to avoid delaying other snapd", " operations", " - Add nomad-support interface to enable running Hashicorp Nomad", " - Add intel-qat interface", " - u2f-devices interface: add u2f trustkey t120 product id and fx", " series fido u2f devices", " - desktop interface: improve integration with xdg-desktop-portal", " - desktop interface: add desktop-file-ids plug attr to desktop", " interface", " - unity7 interface: support desktop-file-ids in desktop files rule", " generation", " - desktop-legacy interface: support desktop-file-ids in desktop", " files rule generation", " - desktop-legacy interface: grant access to gcin socket location", " - login-session-observe interface: allow introspection", " - custom-device interface: allow to explicitly identify matching", " device in udev tagging block", " - system-packages-doc interface: allow reading /usr/share/javascript", " - modem-manager interface: add new format of WWAN ports", " - pcscd interface: allow pcscd to read opensc.conf", " - cpu-control interface: add IRQ affinity control to cpu_control", " - opengl interface: add support for cuda workloads on Tegra iGPU in", " opengl interface", "" ], "package": "snapd", "version": "2.66", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2083490 ], "author": "Ernest Lotter ", "date": "Fri, 04 Oct 2024 14:22:03 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2077473", " - Fix missing aux info from store on snap setup", "" ], "package": "snapd", "version": "2.65.3", 
"urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2077473 ], "author": "Ernest Lotter ", "date": "Thu, 12 Sep 2024 09:40:17 +0200" } ], "notes": null }, { "name": "software-properties-common", "from_version": { "source_package_name": "software-properties", "source_package_version": "0.99.48", "version": "0.99.48" }, "to_version": { "source_package_name": "software-properties", "source_package_version": "0.99.49.1", "version": "0.99.49.1" }, "cves": [], "launchpad_bugs_fixed": [ 2073742, 2069433, 2061214 ], "changes": [ { "cves": [], "log": [ "", " [ James Page ]", " * cloudarchive: Enable support for the Dalmatian Ubuntu Cloud Archive on", " 24.04 (LP: #2073742).", "", " [ Julian Andres Klode ]", " * Reload the source code state when reloading sources.list (LP: #2069433)", "" ], "package": "software-properties", "version": "0.99.49.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2073742, 2069433 ], "author": "Julian Andres Klode ", "date": "Thu, 15 Aug 2024 09:26:12 +0100" }, { "cves": [], "log": [ "", " * Add Qt frontend for deb822 sources, which is now the default in Noble", " (LP: #2061214).", "" ], "package": "software-properties", "version": "0.99.49", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2061214 ], "author": "Simon Quigley ", "date": "Mon, 22 Apr 2024 14:22:26 -0500" } ], "notes": null }, { "name": "sosreport", "from_version": { "source_package_name": "sosreport", "source_package_version": "4.7.2-0ubuntu1~24.04.1", "version": "4.7.2-0ubuntu1~24.04.1" }, "to_version": { "source_package_name": "sosreport", "source_package_version": "4.7.2-0ubuntu1~24.04.2", "version": "4.7.2-0ubuntu1~24.04.2" }, "cves": [], "launchpad_bugs_fixed": [ 2085607 ], "changes": [ { "cves": [], "log": [ "", " * Resolve obfuscation issues (LP: #2085607)", " - d/p/0003-sunbeam_hypervisor-Fix-obfuscation-for-ceilometer-an.patch:", " The sunbeam plugin was added recently, but ceilometer wasn't there.", 
" - d/p/0004-heat-Obfuscate-Add-auth_encryption_key-in-config.patch:", " The configuration option auth_encryption_key was not being", " obfuscated by default.", " - d/p/0005-placement-Obfuscate-passwords-that-have-been-missed.patch", " The NOVA_API_PASS and PLACEMENT_PASS were not being obfuscated", " in one of the config files.", " - d/p/0006-mysql-Add-obfuscation-for-password-in-conf-files.patch:", " The password field in one of the config files was not being obfuscated.", "" ], "package": "sosreport", "version": "4.7.2-0ubuntu1~24.04.2", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2085607 ], "author": "Arif Ali ", "date": "Thu, 24 Oct 2024 06:45:01 +0000" } ], "notes": null }, { "name": "ssh-import-id", "from_version": { "source_package_name": "ssh-import-id", "source_package_version": "5.11-0ubuntu2", "version": "5.11-0ubuntu2" }, "to_version": { "source_package_name": "ssh-import-id", "source_package_version": "5.11-0ubuntu2.24.04.1", "version": "5.11-0ubuntu2.24.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2085898 ], "changes": [ { "cves": [], "log": [ "", " * Ensure ssh-import-id (the binary package) depends on python3-launchpadlib.", " This fixes a crash where ssh-import-id would raise a ModuleNotFoundError", " exception if python3-launchpadlib is not installed. 
(LP: #2085898).", "" ], "package": "ssh-import-id", "version": "5.11-0ubuntu2.24.04.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2085898 ], "author": "Olivier Gayot ", "date": "Wed, 30 Oct 2024 10:19:01 +0100" } ], "notes": null }, { "name": "udisks2", "from_version": { "source_package_name": "udisks2", "source_package_version": "2.10.1-6build1", "version": "2.10.1-6build1" }, "to_version": { "source_package_name": "udisks2", "source_package_version": "2.10.1-6ubuntu1", "version": "2.10.1-6ubuntu1" }, "cves": [], "launchpad_bugs_fixed": [ 2038761 ], "changes": [ { "cves": [], "log": [ "", " * d/p/nvme-disk-size.patch: Fix missing size for NVME disk (LP: #2038761).", "" ], "package": "udisks2", "version": "2.10.1-6ubuntu1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2038761 ], "author": "Nathan Pratta Teodosio ", "date": "Mon, 18 Nov 2024 17:06:30 +0100" } ], "notes": null }, { "name": "vim", "from_version": { "source_package_name": "vim", "source_package_version": "2:9.1.0016-1ubuntu7.4", "version": "2:9.1.0016-1ubuntu7.4" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:9.1.0016-1ubuntu7.5", "version": "2:9.1.0016-1ubuntu7.5" }, "cves": [ { "cve": "CVE-2024-47814", "url": "https://ubuntu.com/security/CVE-2024-47814", "cve_description": "Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. This issue has been addressed in version 9.1.0764 and all users are advised to upgrade. 
There are no known workarounds for this vulnerability.", "cve_priority": "low", "cve_public_date": "2024-10-07 22:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-47814", "url": "https://ubuntu.com/security/CVE-2024-47814", "cve_description": "Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. This issue has been addressed in version 9.1.0764 and all users are advised to upgrade. There are no known workarounds for this vulnerability.", "cve_priority": "low", "cve_public_date": "2024-10-07 22:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Use after free when closing a buffer.", " - debian/patches/CVE-2024-47814.patch: Add buf_locked() in src/buffer.c.", " Abort autocommands editing a file when buf_locked() in src/ex_cmds.c.", " Add buf_locked() in src/proto/buffer.pro.", " - CVE-2024-47814", "" ], "package": "vim", "version": "2:9.1.0016-1ubuntu7.5", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Wed, 06 Nov 2024 15:34:03 -0330" } ], "notes": null }, { "name": "vim-common", "from_version": { "source_package_name": "vim", "source_package_version": "2:9.1.0016-1ubuntu7.4", "version": "2:9.1.0016-1ubuntu7.4" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:9.1.0016-1ubuntu7.5", "version": "2:9.1.0016-1ubuntu7.5" }, "cves": [ { "cve": "CVE-2024-47814", "url": "https://ubuntu.com/security/CVE-2024-47814", "cve_description": "Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. 
When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. This issue has been addressed in version 9.1.0764 and all users are advised to upgrade. There are no known workarounds for this vulnerability.", "cve_priority": "low", "cve_public_date": "2024-10-07 22:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-47814", "url": "https://ubuntu.com/security/CVE-2024-47814", "cve_description": "Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. This issue has been addressed in version 9.1.0764 and all users are advised to upgrade. 
There are no known workarounds for this vulnerability.", "cve_priority": "low", "cve_public_date": "2024-10-07 22:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Use after free when closing a buffer.", " - debian/patches/CVE-2024-47814.patch: Add buf_locked() in src/buffer.c.", " Abort autocommands editing a file when buf_locked() in src/ex_cmds.c.", " Add buf_locked() in src/proto/buffer.pro.", " - CVE-2024-47814", "" ], "package": "vim", "version": "2:9.1.0016-1ubuntu7.5", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Wed, 06 Nov 2024 15:34:03 -0330" } ], "notes": null }, { "name": "vim-runtime", "from_version": { "source_package_name": "vim", "source_package_version": "2:9.1.0016-1ubuntu7.4", "version": "2:9.1.0016-1ubuntu7.4" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:9.1.0016-1ubuntu7.5", "version": "2:9.1.0016-1ubuntu7.5" }, "cves": [ { "cve": "CVE-2024-47814", "url": "https://ubuntu.com/security/CVE-2024-47814", "cve_description": "Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. This issue has been addressed in version 9.1.0764 and all users are advised to upgrade. There are no known workarounds for this vulnerability.", "cve_priority": "low", "cve_public_date": "2024-10-07 22:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-47814", "url": "https://ubuntu.com/security/CVE-2024-47814", "cve_description": "Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. 
When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. This issue has been addressed in version 9.1.0764 and all users are advised to upgrade. There are no known workarounds for this vulnerability.", "cve_priority": "low", "cve_public_date": "2024-10-07 22:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Use after free when closing a buffer.", " - debian/patches/CVE-2024-47814.patch: Add buf_locked() in src/buffer.c.", " Abort autocommands editing a file when buf_locked() in src/ex_cmds.c.", " Add buf_locked() in src/proto/buffer.pro.", " - CVE-2024-47814", "" ], "package": "vim", "version": "2:9.1.0016-1ubuntu7.5", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Wed, 06 Nov 2024 15:34:03 -0330" } ], "notes": null }, { "name": "vim-tiny", "from_version": { "source_package_name": "vim", "source_package_version": "2:9.1.0016-1ubuntu7.4", "version": "2:9.1.0016-1ubuntu7.4" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:9.1.0016-1ubuntu7.5", "version": "2:9.1.0016-1ubuntu7.5" }, "cves": [ { "cve": "CVE-2024-47814", "url": "https://ubuntu.com/security/CVE-2024-47814", "cve_description": "Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. 
This issue has been addressed in version 9.1.0764 and all users are advised to upgrade. There are no known workarounds for this vulnerability.", "cve_priority": "low", "cve_public_date": "2024-10-07 22:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-47814", "url": "https://ubuntu.com/security/CVE-2024-47814", "cve_description": "Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. This issue has been addressed in version 9.1.0764 and all users are advised to upgrade. There are no known workarounds for this vulnerability.", "cve_priority": "low", "cve_public_date": "2024-10-07 22:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Use after free when closing a buffer.", " - debian/patches/CVE-2024-47814.patch: Add buf_locked() in src/buffer.c.", " Abort autocommands editing a file when buf_locked() in src/ex_cmds.c.", " Add buf_locked() in src/proto/buffer.pro.", " - CVE-2024-47814", "" ], "package": "vim", "version": "2:9.1.0016-1ubuntu7.5", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Wed, 06 Nov 2024 15:34:03 -0330" } ], "notes": null }, { "name": "xxd", "from_version": { "source_package_name": "vim", "source_package_version": "2:9.1.0016-1ubuntu7.4", "version": "2:9.1.0016-1ubuntu7.4" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:9.1.0016-1ubuntu7.5", "version": "2:9.1.0016-1ubuntu7.5" }, "cves": [ { "cve": "CVE-2024-47814", "url": "https://ubuntu.com/security/CVE-2024-47814", "cve_description": "Vim is an open source, command line text editor. 
A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. This issue has been addressed in version 9.1.0764 and all users are advised to upgrade. There are no known workarounds for this vulnerability.", "cve_priority": "low", "cve_public_date": "2024-10-07 22:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-47814", "url": "https://ubuntu.com/security/CVE-2024-47814", "cve_description": "Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. This issue has been addressed in version 9.1.0764 and all users are advised to upgrade. 
There are no known workarounds for this vulnerability.", "cve_priority": "low", "cve_public_date": "2024-10-07 22:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Use after free when closing a buffer.", " - debian/patches/CVE-2024-47814.patch: Add buf_locked() in src/buffer.c.", " Abort autocommands editing a file when buf_locked() in src/ex_cmds.c.", " Add buf_locked() in src/proto/buffer.pro.", " - CVE-2024-47814", "" ], "package": "vim", "version": "2:9.1.0016-1ubuntu7.5", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Wed, 06 Nov 2024 15:34:03 -0330" } ], "notes": null } ], "snap": [] }, "added": { "deb": [ { "name": "linux-headers-6.8.0-51-generic", "from_version": { "source_package_name": "linux-riscv", "source_package_version": "6.8.0-49.49.1", "version": null }, "to_version": { "source_package_name": "linux-riscv", "source_package_version": "6.8.0-51.52.1", "version": "6.8.0-51.52.1" }, "cves": [ { "cve": "CVE-2024-50264", "url": "https://ubuntu.com/security/CVE-2024-50264", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans During loopback communication, a dangling pointer can be created in vsk->trans, potentially leading to a Use-After-Free condition. This issue is resolved by initializing vsk->trans to NULL.", "cve_priority": "high", "cve_public_date": "2024-11-19 02:16:00 UTC" }, { "cve": "CVE-2024-53057", "url": "https://ubuntu.com/security/CVE-2024-53057", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed to be either root or ingress. 
This assumption is bogus since it's valid to create egress qdiscs with major handle ffff: Budimir Markovic found that for qdiscs like DRR that maintain an active class list, it will cause a UAF with a dangling class pointer. In 066a3b5b2346, the concern was to avoid iterating over the ingress qdisc since its parent is itself. The proper fix is to stop when parent TC_H_ROOT is reached because the only way to retrieve ingress is when a hierarchy which does not contain a ffff: major handle call into qdisc_lookup with TC_H_MAJ(TC_H_ROOT). In the scenario where major ffff: is an egress qdisc in any of the tree levels, the updates will also propagate to TC_H_ROOT, which then the iteration must stop. net/sched/sch_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)", "cve_priority": "medium", "cve_public_date": "2024-11-19 18:15:00 UTC" }, { "cve": "CVE-2024-49967", "url": "https://ubuntu.com/security/CVE-2024-49967", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ext4: no need to continue when the number of entries is 1", "cve_priority": "medium", "cve_public_date": "2024-10-21 18:15:00 UTC" }, { "cve": "CVE-2024-46823", "url": "https://ubuntu.com/security/CVE-2024-46823", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: kunit/overflow: Fix UB in overflow_allocation_test The 'device_name' array doesn't exist out of the 'overflow_allocation_test' function scope. However, it is being used as a driver name when calling 'kunit_driver_create' from 'kunit_device_register'. It produces the kernel panic with KASAN enabled. 
Since this variable is used in one place only, remove it and pass the device name into kunit_device_register directly as an ascii string.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46834", "url": "https://ubuntu.com/security/CVE-2024-46834", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ethtool: fail closed if we can't get max channel used in indirection tables Commit 0d1b7d6c9274 (\"bnxt: fix crashes when reducing ring count with active RSS contexts\") proves that allowing indirection table to contain channels with out of bounds IDs may lead to crashes. Currently the max channel check in the core gets skipped if driver can't fetch the indirection table or when we can't allocate memory. Both of those conditions should be extremely rare but if they do happen we should try to be safe and fail the channel change.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46751", "url": "https://ubuntu.com/security/CVE-2024-46751", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: don't BUG_ON() when 0 reference count at btrfs_lookup_extent_info() Instead of doing a BUG_ON() handle the error by returning -EUCLEAN, aborting the transaction and logging an error message.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46753", "url": "https://ubuntu.com/security/CVE-2024-46753", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: handle errors from btrfs_dec_ref() properly In walk_up_proc() we BUG_ON(ret) from btrfs_dec_ref(). 
This is incorrect, we have proper error handling here, return the error.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46841", "url": "https://ubuntu.com/security/CVE-2024-46841", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: don't BUG_ON on ENOMEM from btrfs_lookup_extent_info() in walk_down_proc() We handle errors here properly, ENOMEM isn't fatal, return the error.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46754", "url": "https://ubuntu.com/security/CVE-2024-46754", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Remove tst_run from lwt_seg6local_prog_ops. The syzbot reported that the lwt_seg6 related BPF ops can be invoked via bpf_test_run() without without entering input_action_end_bpf() first. Martin KaFai Lau said that self test for BPF_PROG_TYPE_LWT_SEG6LOCAL probably didn't work since it was introduced in commit 04d4b274e2a (\"ipv6: sr: Add seg6local action End.BPF\"). The reason is that the per-CPU variable seg6_bpf_srh_states::srh is never assigned in the self test case but each BPF function expects it. 
Remove test_run for BPF_PROG_TYPE_LWT_SEG6LOCAL.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46824", "url": "https://ubuntu.com/security/CVE-2024-46824", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: iommufd: Require drivers to supply the cache_invalidate_user ops If drivers don't do this then iommufd will oops invalidation ioctls with something like: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info: ESR = 0x0000000086000004 EC = 0x21: IABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault user pgtable: 4k pages, 48-bit VAs, pgdp=0000000101059000 [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP Modules linked in: CPU: 2 PID: 371 Comm: qemu-system-aar Not tainted 6.8.0-rc7-gde77230ac23a #9 Hardware name: linux,dummy-virt (DT) pstate: 81400809 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=-c) pc : 0x0 lr : iommufd_hwpt_invalidate+0xa4/0x204 sp : ffff800080f3bcc0 x29: ffff800080f3bcf0 x28: ffff0000c369b300 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000 x23: 0000000000000000 x22: 00000000c1e334a0 x21: ffff0000c1e334a0 x20: ffff800080f3bd38 x19: ffff800080f3bd58 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff8240d6d8 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 x8 : 0000001000000002 x7 : 0000fffeac1ec950 x6 : 0000000000000000 x5 : ffff800080f3bd78 x4 : 0000000000000003 x3 : 0000000000000002 x2 : 0000000000000000 x1 : ffff800080f3bcc8 x0 : ffff0000c6034d80 Call trace: 0x0 iommufd_fops_ioctl+0x154/0x274 __arm64_sys_ioctl+0xac/0xf0 invoke_syscall+0x48/0x110 el0_svc_common.constprop.0+0x40/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xb4 
el0t_64_sync_handler+0x120/0x12c el0t_64_sync+0x190/0x194 All existing drivers implement this op for nesting, this is mostly a bisection aid.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46842", "url": "https://ubuntu.com/security/CVE-2024-46842", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Handle mailbox timeouts in lpfc_get_sfp_info The MBX_TIMEOUT return code is not handled in lpfc_get_sfp_info and the routine unconditionally frees submitted mailbox commands regardless of return status. The issue is that for MBX_TIMEOUT cases, when firmware returns SFP information at a later time, that same mailbox memory region references previously freed memory in its cmpl routine. Fix by adding checks for the MBX_TIMEOUT return code. During mailbox resource cleanup, check the mbox flag to make sure that the wait did not timeout. If the MBOX_WAKE flag is not set, then do not free the resources because it will be freed when firmware completes the mailbox at a later time in its cmpl routine. Also, increase the timeout from 30 to 60 seconds to accommodate boot scripts requiring longer timeouts.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46766", "url": "https://ubuntu.com/security/CVE-2024-46766", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ice: move netif_queue_set_napi to rtnl-protected sections Currently, netif_queue_set_napi() is called from ice_vsi_rebuild() that is not rtnl-locked when called from the reset. This creates the need to take the rtnl_lock just for a single function and complicates the synchronization with .ndo_bpf. At the same time, there no actual need to fill napi-to-queue information at this exact point. Fill napi-to-queue information when opening the VSI and clear it when the VSI is being closed. Those routines are already rtnl-locked. 
Also, rewrite napi-to-queue assignment in a way that prevents inclusion of XDP queues, as this leads to out-of-bounds writes, such as one below. [ +0.000004] BUG: KASAN: slab-out-of-bounds in netif_queue_set_napi+0x1c2/0x1e0 [ +0.000012] Write of size 8 at addr ffff889881727c80 by task bash/7047 [ +0.000006] CPU: 24 PID: 7047 Comm: bash Not tainted 6.10.0-rc2+ #2 [ +0.000004] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0014.082620210524 08/26/2021 [ +0.000003] Call Trace: [ +0.000003] [ +0.000002] dump_stack_lvl+0x60/0x80 [ +0.000007] print_report+0xce/0x630 [ +0.000007] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ +0.000007] ? __virt_addr_valid+0x1c9/0x2c0 [ +0.000005] ? netif_queue_set_napi+0x1c2/0x1e0 [ +0.000003] kasan_report+0xe9/0x120 [ +0.000004] ? netif_queue_set_napi+0x1c2/0x1e0 [ +0.000004] netif_queue_set_napi+0x1c2/0x1e0 [ +0.000005] ice_vsi_close+0x161/0x670 [ice] [ +0.000114] ice_dis_vsi+0x22f/0x270 [ice] [ +0.000095] ice_pf_dis_all_vsi.constprop.0+0xae/0x1c0 [ice] [ +0.000086] ice_prepare_for_reset+0x299/0x750 [ice] [ +0.000087] pci_dev_save_and_disable+0x82/0xd0 [ +0.000006] pci_reset_function+0x12d/0x230 [ +0.000004] reset_store+0xa0/0x100 [ +0.000006] ? __pfx_reset_store+0x10/0x10 [ +0.000002] ? __pfx_mutex_lock+0x10/0x10 [ +0.000004] ? __check_object_size+0x4c1/0x640 [ +0.000007] kernfs_fop_write_iter+0x30b/0x4a0 [ +0.000006] vfs_write+0x5d6/0xdf0 [ +0.000005] ? fd_install+0x180/0x350 [ +0.000005] ? __pfx_vfs_write+0x10/0xA10 [ +0.000004] ? do_fcntl+0x52c/0xcd0 [ +0.000004] ? kasan_save_track+0x13/0x60 [ +0.000003] ? kasan_save_free_info+0x37/0x60 [ +0.000006] ksys_write+0xfa/0x1d0 [ +0.000003] ? __pfx_ksys_write+0x10/0x10 [ +0.000002] ? __x64_sys_fcntl+0x121/0x180 [ +0.000004] ? _raw_spin_lock+0x87/0xe0 [ +0.000005] do_syscall_64+0x80/0x170 [ +0.000007] ? _raw_spin_lock+0x87/0xe0 [ +0.000004] ? __pfx__raw_spin_lock+0x10/0x10 [ +0.000003] ? file_close_fd_locked+0x167/0x230 [ +0.000005] ? 
syscall_exit_to_user_mode+0x7d/0x220 [ +0.000005] ? do_syscall_64+0x8c/0x170 [ +0.000004] ? do_syscall_64+0x8c/0x170 [ +0.000003] ? do_syscall_64+0x8c/0x170 [ +0.000003] ? fput+0x1a/0x2c0 [ +0.000004] ? filp_close+0x19/0x30 [ +0.000004] ? do_dup2+0x25a/0x4c0 [ +0.000004] ? __x64_sys_dup2+0x6e/0x2e0 [ +0.000002] ? syscall_exit_to_user_mode+0x7d/0x220 [ +0.000004] ? do_syscall_64+0x8c/0x170 [ +0.000003] ? __count_memcg_events+0x113/0x380 [ +0.000005] ? handle_mm_fault+0x136/0x820 [ +0.000005] ? do_user_addr_fault+0x444/0xa80 [ +0.000004] ? clear_bhb_loop+0x25/0x80 [ +0.000004] ? clear_bhb_loop+0x25/0x80 [ +0.000002] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ +0.000005] RIP: 0033:0x7f2033593154", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46772", "url": "https://ubuntu.com/security/CVE-2024-46772", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check denominator crb_pipes before used [WHAT & HOW] A denominator cannot be 0, and is checked before used. This fixes 2 DIVIDE_BY_ZERO issues reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46774", "url": "https://ubuntu.com/security/CVE-2024-46774", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() Smatch warns: arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential spectre issue 'args.args' [r] (local cap) The 'nargs' and 'nret' locals come directly from a user-supplied buffer and are used as indexes into a small stack-based array and as inputs to copy_to_user() after they are subject to bounds checks. 
Use array_index_nospec() after the bounds checks to clamp these values for speculative execution.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46775", "url": "https://ubuntu.com/security/CVE-2024-46775", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Validate function returns [WHAT & HOW] Function return values must be checked before data can be used in subsequent functions. This fixes 4 CHECKED_RETURN issues reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46778", "url": "https://ubuntu.com/security/CVE-2024-46778", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check UnboundedRequestEnabled's value CalculateSwathAndDETConfiguration_params_st's UnboundedRequestEnabled is a pointer (i.e. dml_bool_t *UnboundedRequestEnabled), and thus if (p->UnboundedRequestEnabled) checks its address, not bool value. This fixes 1 REVERSE_INULL issue reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46779", "url": "https://ubuntu.com/security/CVE-2024-46779", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/imagination: Free pvr_vm_gpuva after unlink This caused a measurable memory leak. 
Although the individual allocations are small, the leaks occurs in a high-usage codepath (remapping or unmapping device memory) so they add up quickly.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46792", "url": "https://ubuntu.com/security/CVE-2024-46792", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: riscv: misaligned: Restrict user access to kernel memory raw_copy_{to,from}_user() do not call access_ok(), so this code allowed userspace to access any virtual memory address.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46793", "url": "https://ubuntu.com/security/CVE-2024-46793", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards harder Since commit 13f58267cda3 (\"ASoC: soc.h: don't create dummy Component via COMP_DUMMY()\") dummy codecs declared like this: SND_SOC_DAILINK_DEF(dummy, DAILINK_COMP_ARRAY(COMP_DUMMY())); expand to: static struct snd_soc_dai_link_component dummy[] = { }; Which means that dummy is a zero sized array and thus dais[i].codecs should not be dereferenced *at all* since it points to the address of the next variable stored in the data section as the \"dummy\" variable has an address but no size, so even dereferencing dais[0] is already an out of bounds array reference. Which means that the if (dais[i].codecs->name) check added in commit 7d99a70b6595 (\"ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards\") relies on that the part of the next variable which the name member maps to just happens to be NULL. Which apparently so far it usually is, except when it isn't and then it results in crashes like this one: [ 28.795659] BUG: unable to handle page fault for address: 0000000000030011 ... [ 28.795780] Call Trace: [ 28.795787] ... [ 28.795862] ? 
strcmp+0x18/0x40 [ 28.795872] 0xffffffffc150c605 [ 28.795887] platform_probe+0x40/0xa0 ... [ 28.795979] ? __pfx_init_module+0x10/0x10 [snd_soc_sst_bytcr_wm5102] Really fix things this time around by checking dais.num_codecs != 0.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46735", "url": "https://ubuntu.com/security/CVE-2024-46735", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ublk_drv: fix NULL pointer dereference in ublk_ctrl_start_recovery() When two UBLK_CMD_START_USER_RECOVERY commands are submitted, the first one sets 'ubq->ubq_daemon' to NULL, and the second one triggers WARN in ublk_queue_reinit() and subsequently a NULL pointer dereference issue. Fix it by adding the check in ublk_ctrl_start_recovery() and return immediately in case of zero 'ub->nr_queues_ready'. BUG: kernel NULL pointer dereference, address: 0000000000000028 RIP: 0010:ublk_ctrl_start_recovery.constprop.0+0x82/0x180 Call Trace: ? __die+0x20/0x70 ? page_fault_oops+0x75/0x170 ? exc_page_fault+0x64/0x140 ? asm_exc_page_fault+0x22/0x30 ? ublk_ctrl_start_recovery.constprop.0+0x82/0x180 ublk_ctrl_uring_cmd+0x4f7/0x6c0 ? pick_next_task_idle+0x26/0x40 io_uring_cmd+0x9a/0x1b0 io_issue_sqe+0x193/0x3f0 io_wq_submit_work+0x9b/0x390 io_worker_handle_work+0x165/0x360 io_wq_worker+0xcb/0x2f0 ? finish_task_switch.isra.0+0x203/0x290 ? finish_task_switch.isra.0+0x203/0x290 ? __pfx_io_wq_worker+0x10/0x10 ret_from_fork+0x2d/0x50 ? 
__pfx_io_wq_worker+0x10/0x10 ret_from_fork_asm+0x1a/0x30 ", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46737", "url": "https://ubuntu.com/security/CVE-2024-46737", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix kernel crash if commands allocation fails If the commands allocation fails in nvmet_tcp_alloc_cmds() the kernel crashes in nvmet_tcp_release_queue_work() because of a NULL pointer dereference. nvmet: failed to install queue 0 cntlid 1 ret 6 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 Fix the bug by setting queue->nr_cmds to zero in case nvmet_tcp_alloc_cmd() fails.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46822", "url": "https://ubuntu.com/security/CVE-2024-46822", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry In a review discussion of the changes to support vCPU hotplug where a check was added on the GICC being enabled if was online, it was noted that there is need to map back to the cpu and use that to index into a cpumask. As such, a valid ID is needed. If an MPIDR check fails in acpi_map_gic_cpu_interface() it is possible for the entry in cpu_madt_gicc[cpu] == NULL. This function would then cause a NULL pointer dereference. Whilst a path to trigger this has not been established, harden this caller against the possibility.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46713", "url": "https://ubuntu.com/security/CVE-2024-46713", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: perf/aux: Fix AUX buffer serialization Ole reported that event->mmap_mutex is strictly insufficient to serialize the AUX buffer, add a per RB mutex to fully serialize it. 
Note that in the lock order comment the perf_event::mmap_mutex order was already wrong, that is, it nesting under mmap_lock is not new with this patch.", "cve_priority": "medium", "cve_public_date": "2024-09-13 15:15:00 UTC" }, { "cve": "CVE-2024-46739", "url": "https://ubuntu.com/security/CVE-2024-46739", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind For primary VM Bus channels, primary_channel pointer is always NULL. This pointer is valid only for the secondary channels. Also, rescind callback is meant for primary channels only. Fix NULL pointer dereference by retrieving the device_obj from the parent for the primary channel.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46740", "url": "https://ubuntu.com/security/CVE-2024-46740", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF caused by offsets overwrite Binder objects are processed and copied individually into the target buffer during transactions. Any raw data in-between these objects is copied as well. However, this raw data copy lacks an out-of-bounds check. If the raw data exceeds the data section size then the copy overwrites the offsets section. This eventually triggers an error that attempts to unwind the processed objects. However, at this point the offsets used to index these objects are now corrupted. Unwinding with corrupted offsets can result in decrements of arbitrary nodes and lead to their premature release. Other users of such nodes are left with a dangling pointer triggering a use-after-free. 
This issue is made evident by the following KASAN report (trimmed): ================================================================== BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c Write of size 4 at addr ffff47fc91598f04 by task binder-util/743 CPU: 9 UID: 0 PID: 743 Comm: binder-util Not tainted 6.11.0-rc4 #1 Hardware name: linux,dummy-virt (DT) Call trace: _raw_spin_lock+0xe4/0x19c binder_free_buf+0x128/0x434 binder_thread_write+0x8a4/0x3260 binder_ioctl+0x18f0/0x258c [...] Allocated by task 743: __kmalloc_cache_noprof+0x110/0x270 binder_new_node+0x50/0x700 binder_transaction+0x413c/0x6da8 binder_thread_write+0x978/0x3260 binder_ioctl+0x18f0/0x258c [...] Freed by task 745: kfree+0xbc/0x208 binder_thread_read+0x1c5c/0x37d4 binder_ioctl+0x16d8/0x258c [...] ================================================================== To avoid this issue, let's check that the raw data copy is within the boundaries of the data section.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46741", "url": "https://ubuntu.com/security/CVE-2024-46741", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix double free of 'buf' in error path smatch warning: drivers/misc/fastrpc.c:1926 fastrpc_req_mmap() error: double free of 'buf' In fastrpc_req_mmap() error path, the fastrpc buffer is freed in fastrpc_req_munmap_impl() if unmap is successful. But in the end, there is an unconditional call to fastrpc_buf_free(). So the above case triggers the double free of fastrpc buf.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-47663", "url": "https://ubuntu.com/security/CVE-2024-47663", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: staging: iio: frequency: ad9834: Validate frequency parameter value In ad9834_write_frequency() clk_get_rate() can return 0. 
In such case ad9834_calc_freqreg() call will lead to division by zero. Checking 'if (fout > (clk_freq / 2))' doesn't protect in case of 'fout' is 0. ad9834_write_frequency() is called from ad9834_write(), where fout is taken from text buffer, which can contain any value. Modify parameters checking. Found by Linux Verification Center (linuxtesting.org) with SVACE.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46832", "url": "https://ubuntu.com/security/CVE-2024-46832", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: MIPS: cevt-r4k: Don't call get_c0_compare_int if timer irq is installed This avoids warning: [ 0.118053] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:283 Caused by get_c0_compare_int on secondary CPU. We also skipped saving IRQ number to struct clock_event_device *cd as it's never used by clockevent core, as per comments it's only meant for \"non CPU local devices\".", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-47668", "url": "https://ubuntu.com/security/CVE-2024-47668", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc() If we need to increase the tree depth, allocate a new node, and then race with another thread that increased the tree depth before us, we'll still have a preallocated node that might be used later. 
If we then use that node for a new non-root node, it'll still have a pointer to the old root instead of being zeroed - fix this by zeroing it in the cmpxchg failure path.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46744", "url": "https://ubuntu.com/security/CVE-2024-46744", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Squashfs: sanity check symbolic link size Syzkiller reports a \"KMSAN: uninit-value in pick_link\" bug. This is caused by an uninitialised page, which is ultimately caused by a corrupted symbolic link size read from disk. The reason why the corrupted symlink size causes an uninitialised page is due to the following sequence of events: 1. squashfs_read_inode() is called to read the symbolic link from disk. This assigns the corrupted value 3875536935 to inode->i_size. 2. Later squashfs_symlink_read_folio() is called, which assigns this corrupted value to the length variable, which being a signed int, overflows producing a negative number. 3. The following loop that fills in the page contents checks that the copied bytes is less than length, which being negative means the loop is skipped, producing an uninitialised page. This patch adds a sanity check which checks that the symbolic link size is not larger than expected. -- V2: fix spelling mistake.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46745", "url": "https://ubuntu.com/security/CVE-2024-46745", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Input: uinput - reject requests with unreasonable number of slots When exercising uinput interface syzkaller may try setting up device with a really large number of slots, which causes memory allocation failure in input_mt_init_slots(). While this allocation failure is handled properly and request is rejected, it results in syzkaller reports. 
Additionally, such request may put undue burden on the system which will try to free a lot of memory for a bogus request. Fix it by limiting allowed number of slots to 100. This can easily be extended if we see devices that can track more than 100 contacts.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46746", "url": "https://ubuntu.com/security/CVE-2024-46746", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: HID: amd_sfh: free driver_data after destroying hid device HID driver callbacks aren't called anymore once hid_destroy_device() has been called. Hence, hid driver_data should be freed only after the hid_destroy_device() function returned as driver_data is used in several callbacks. I observed a crash with kernel 6.10.0 on my T14s Gen 3, after enabling KASAN to debug memory allocation, I got this output: [ 13.050438] ================================================================== [ 13.054060] BUG: KASAN: slab-use-after-free in amd_sfh_get_report+0x3ec/0x530 [amd_sfh] [ 13.054809] psmouse serio1: trackpoint: Synaptics TrackPoint firmware: 0x02, buttons: 3/3 [ 13.056432] Read of size 8 at addr ffff88813152f408 by task (udev-worker)/479 [ 13.060970] CPU: 5 PID: 479 Comm: (udev-worker) Not tainted 6.10.0-arch1-2 #1 893bb55d7f0073f25c46adbb49eb3785fefd74b0 [ 13.063978] Hardware name: LENOVO 21CQCTO1WW/21CQCTO1WW, BIOS R22ET70W (1.40 ) 03/21/2024 [ 13.067860] Call Trace: [ 13.069383] input: TPPS/2 Synaptics TrackPoint as /devices/platform/i8042/serio1/input/input8 [ 13.071486] [ 13.071492] dump_stack_lvl+0x5d/0x80 [ 13.074870] snd_hda_intel 0000:33:00.6: enabling device (0000 -> 0002) [ 13.078296] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.082199] print_report+0x174/0x505 [ 13.085776] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 13.089367] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.093255] ? 
amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.097464] kasan_report+0xc8/0x150 [ 13.101461] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.105802] amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.110303] amdtp_hid_request+0xb8/0x110 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.114879] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.119450] sensor_hub_get_feature+0x1d3/0x540 [hid_sensor_hub 3f13be3016ff415bea03008d45d99da837ee3082] [ 13.124097] hid_sensor_parse_common_attributes+0x4d0/0xad0 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5] [ 13.127404] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.131925] ? __pfx_hid_sensor_parse_common_attributes+0x10/0x10 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5] [ 13.136455] ? _raw_spin_lock_irqsave+0x96/0xf0 [ 13.140197] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 13.143602] ? devm_iio_device_alloc+0x34/0x50 [industrialio 3d261d5e5765625d2b052be40e526d62b1d2123b] [ 13.147234] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.150446] ? __devm_add_action+0x167/0x1d0 [ 13.155061] hid_gyro_3d_probe+0x120/0x7f0 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172] [ 13.158581] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.161814] platform_probe+0xa2/0x150 [ 13.165029] really_probe+0x1e3/0x8a0 [ 13.168243] __driver_probe_device+0x18c/0x370 [ 13.171500] driver_probe_device+0x4a/0x120 [ 13.175000] __driver_attach+0x190/0x4a0 [ 13.178521] ? __pfx___driver_attach+0x10/0x10 [ 13.181771] bus_for_each_dev+0x106/0x180 [ 13.185033] ? __pfx__raw_spin_lock+0x10/0x10 [ 13.188229] ? __pfx_bus_for_each_dev+0x10/0x10 [ 13.191446] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.194382] bus_add_driver+0x29e/0x4d0 [ 13.197328] driver_register+0x1a5/0x360 [ 13.200283] ? 
__pfx_hid_gyro_3d_platform_driver_init+0x10/0x10 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172] [ 13.203362] do_one_initcall+0xa7/0x380 [ 13.206432] ? __pfx_do_one_initcall+0x10/0x10 [ 13.210175] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.213211] ? kasan_unpoison+0x44/0x70 [ 13.216688] do_init_module+0x238/0x750 [ 13.2196 ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-47664", "url": "https://ubuntu.com/security/CVE-2024-47664", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: spi: hisi-kunpeng: Add verification for the max_frequency provided by the firmware If the value of max_speed_hz is 0, it may cause a division by zero error in hisi_calc_effective_speed(). The value of max_speed_hz is provided by firmware. Firmware is generally considered as a trusted domain. However, as division by zero errors can cause system failure, for defense measure, the value of max_speed is validated here. So 0 is regarded as invalid and an error code is returned.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-47665", "url": "https://ubuntu.com/security/CVE-2024-47665", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Error out instead on BUG_ON() in IBI DMA setup Definitely condition dma_get_cache_alignment * defined value > 256 during driver initialization is not reason to BUG_ON(). 
Turn that to graceful error out with -EINVAL.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46749", "url": "https://ubuntu.com/security/CVE-2024-46749", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btnxpuart: Fix Null pointer dereference in btnxpuart_flush() This adds a check before freeing the rx->skb in flush and close functions to handle the kernel crash seen while removing driver after FW download fails or before FW download completes. dmesg log: [ 54.634586] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000080 [ 54.643398] Mem abort info: [ 54.646204] ESR = 0x0000000096000004 [ 54.649964] EC = 0x25: DABT (current EL), IL = 32 bits [ 54.655286] SET = 0, FnV = 0 [ 54.658348] EA = 0, S1PTW = 0 [ 54.661498] FSC = 0x04: level 0 translation fault [ 54.666391] Data abort info: [ 54.669273] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 54.674768] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 54.674771] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 54.674775] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000048860000 [ 54.674780] [0000000000000080] pgd=0000000000000000, p4d=0000000000000000 [ 54.703880] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 54.710152] Modules linked in: btnxpuart(-) overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce polyval_generic snd_soc_imx_spdif snd_soc_imx_card snd_soc_ak5558 snd_soc_ak4458 caam secvio error snd_soc_fsl_micfil snd_soc_fsl_spdif snd_soc_fsl_sai snd_soc_fsl_utils imx_pcm_dma gpio_ir_recv rc_core sch_fq_codel fuse [ 54.744357] CPU: 3 PID: 72 Comm: kworker/u9:0 Not tainted 6.6.3-otbr-g128004619037 #2 [ 54.744364] Hardware name: FSL i.MX8MM EVK board (DT) [ 54.744368] Workqueue: hci0 hci_power_on [ 54.757244] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 54.757249] pc : kfree_skb_reason+0x18/0xb0 
[ 54.772299] lr : btnxpuart_flush+0x40/0x58 [btnxpuart] [ 54.782921] sp : ffff8000805ebca0 [ 54.782923] x29: ffff8000805ebca0 x28: ffffa5c6cf1869c0 x27: ffffa5c6cf186000 [ 54.782931] x26: ffff377b84852400 x25: ffff377b848523c0 x24: ffff377b845e7230 [ 54.782938] x23: ffffa5c6ce8dbe08 x22: ffffa5c6ceb65410 x21: 00000000ffffff92 [ 54.782945] x20: ffffa5c6ce8dbe98 x19: ffffffffffffffac x18: ffffffffffffffff [ 54.807651] x17: 0000000000000000 x16: ffffa5c6ce2824ec x15: ffff8001005eb857 [ 54.821917] x14: 0000000000000000 x13: ffffa5c6cf1a02e0 x12: 0000000000000642 [ 54.821924] x11: 0000000000000040 x10: ffffa5c6cf19d690 x9 : ffffa5c6cf19d688 [ 54.821931] x8 : ffff377b86000028 x7 : 0000000000000000 x6 : 0000000000000000 [ 54.821938] x5 : ffff377b86000000 x4 : 0000000000000000 x3 : 0000000000000000 [ 54.843331] x2 : 0000000000000000 x1 : 0000000000000002 x0 : ffffffffffffffac [ 54.857599] Call trace: [ 54.857601] kfree_skb_reason+0x18/0xb0 [ 54.863878] btnxpuart_flush+0x40/0x58 [btnxpuart] [ 54.863888] hci_dev_open_sync+0x3a8/0xa04 [ 54.872773] hci_power_on+0x54/0x2e4 [ 54.881832] process_one_work+0x138/0x260 [ 54.881842] worker_thread+0x32c/0x438 [ 54.881847] kthread+0x118/0x11c [ 54.881853] ret_from_fork+0x10/0x20 [ 54.896406] Code: a9be7bfd 910003fd f9000bf3 aa0003f3 (b940d400) [ 54.896410] ---[ end trace 0000000000000000 ]---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46750", "url": "https://ubuntu.com/security/CVE-2024-46750", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: PCI: Add missing bridge lock to pci_bus_lock() One of the true positives that the cfg_access_lock lockdep effort identified is this sequence: WARNING: CPU: 14 PID: 1 at drivers/pci/pci.c:4886 pci_bridge_secondary_bus_reset+0x5d/0x70 RIP: 0010:pci_bridge_secondary_bus_reset+0x5d/0x70 Call Trace: ? __warn+0x8c/0x190 ? pci_bridge_secondary_bus_reset+0x5d/0x70 ? report_bug+0x1f8/0x200 ? handle_bug+0x3c/0x70 ? 
exc_invalid_op+0x18/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? pci_bridge_secondary_bus_reset+0x5d/0x70 pci_reset_bus+0x1d8/0x270 vmd_probe+0x778/0xa10 pci_device_probe+0x95/0x120 Where pci_reset_bus() users are triggering unlocked secondary bus resets. Ironically pci_bus_reset(), several calls down from pci_reset_bus(), uses pci_bus_lock() before issuing the reset which locks everything *but* the bridge itself. For the same motivation as adding: bridge = pci_upstream_bridge(dev); if (bridge) pci_dev_lock(bridge); to pci_reset_function() for the \"bus\" and \"cxl_bus\" reset cases, add pci_dev_lock() for @bus->self to pci_bus_lock(). [bhelgaas: squash in recursive locking deadlock fix from Keith Busch: https://lore.kernel.org/r/20240711193650.701834-1-kbusch@meta.com]", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46752", "url": "https://ubuntu.com/security/CVE-2024-46752", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: replace BUG_ON() with error handling at update_ref_for_cow() Instead of a BUG_ON() just return an error, log an error message and abort the transaction in case we find an extent buffer belonging to the relocation tree that doesn't have the full backref flag set. This is unexpected and should never happen (save for bugs or a potential bad memory).", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46840", "url": "https://ubuntu.com/security/CVE-2024-46840", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: clean up our handling of refs == 0 in snapshot delete In reada we BUG_ON(refs == 0), which could be unkind since we aren't holding a lock on the extent leaf and thus could get a transient incorrect answer. In walk_down_proc we also BUG_ON(refs == 0), which could happen if we have extent tree corruption. Change that to return -EUCLEAN. 
In do_walk_down() we catch this case and handle it correctly, however we return -EIO, which -EUCLEAN is a more appropriate error code. Finally in walk_up_proc we have the same BUG_ON(refs == 0), so convert that to proper error handling. Also adjust the error message so we can actually do something with the information.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46755", "url": "https://ubuntu.com/security/CVE-2024-46755", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id() mwifiex_get_priv_by_id() returns the priv pointer corresponding to the bss_num and bss_type, but without checking if the priv is actually currently in use. Unused priv pointers do not have a wiphy attached to them which can lead to NULL pointer dereferences further down the callstack. Fix this by returning only used priv pointers which have priv->bss_mode set to something else than NL80211_IFTYPE_UNSPECIFIED. 
Said NULL pointer dereference happened when an Accesspoint was started with wpa_supplicant -i mlan0 with this config: network={ ssid=\"somessid\" mode=2 frequency=2412 key_mgmt=WPA-PSK WPA-PSK-SHA256 proto=RSN group=CCMP pairwise=CCMP psk=\"12345678\" } When waiting for the AP to be established, interrupting wpa_supplicant with and starting it again this happens: | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000140 | Mem abort info: | ESR = 0x0000000096000004 | EC = 0x25: DABT (current EL), IL = 32 bits | SET = 0, FnV = 0 | EA = 0, S1PTW = 0 | FSC = 0x04: level 0 translation fault | Data abort info: | ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 | CM = 0, WnR = 0, TnD = 0, TagAccess = 0 | GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000046d96000 | [0000000000000140] pgd=0000000000000000, p4d=0000000000000000 | Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP | Modules linked in: caam_jr caamhash_desc spidev caamalg_desc crypto_engine authenc libdes mwifiex_sdio +mwifiex crct10dif_ce cdc_acm onboard_usb_hub fsl_imx8_ddr_perf imx8m_ddrc rtc_ds1307 lm75 rtc_snvs +imx_sdma caam imx8mm_thermal spi_imx error imx_cpufreq_dt fuse ip_tables x_tables ipv6 | CPU: 0 PID: 8 Comm: kworker/0:1 Not tainted 6.9.0-00007-g937242013fce-dirty #18 | Hardware name: somemachine (DT) | Workqueue: events sdio_irq_work | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) | pc : mwifiex_get_cfp+0xd8/0x15c [mwifiex] | lr : mwifiex_get_cfp+0x34/0x15c [mwifiex] | sp : ffff8000818b3a70 | x29: ffff8000818b3a70 x28: ffff000006bfd8a5 x27: 0000000000000004 | x26: 000000000000002c x25: 0000000000001511 x24: 0000000002e86bc9 | x23: ffff000006bfd996 x22: 0000000000000004 x21: ffff000007bec000 | x20: 000000000000002c x19: 0000000000000000 x18: 0000000000000000 | x17: 000000040044ffff x16: 00500072b5503510 x15: ccc283740681e517 | x14: 0201000101006d15 x13: 0000000002e8ff43 x12: 002c01000000ffb1 | x11: 
0100000000000000 x10: 02e8ff43002c0100 x9 : 0000ffb100100157 | x8 : ffff000003d20000 x7 : 00000000000002f1 x6 : 00000000ffffe124 | x5 : 0000000000000001 x4 : 0000000000000003 x3 : 0000000000000000 | x2 : 0000000000000000 x1 : 0001000000011001 x0 : 0000000000000000 | Call trace: | mwifiex_get_cfp+0xd8/0x15c [mwifiex] | mwifiex_parse_single_response_buf+0x1d0/0x504 [mwifiex] | mwifiex_handle_event_ext_scan_report+0x19c/0x2f8 [mwifiex] | mwifiex_process_sta_event+0x298/0xf0c [mwifiex] | mwifiex_process_event+0x110/0x238 [mwifiex] | mwifiex_main_process+0x428/0xa44 [mwifiex] | mwifiex_sdio_interrupt+0x64/0x12c [mwifiex_sdio] | process_sdio_pending_irqs+0x64/0x1b8 | sdio_irq_work+0x4c/0x7c | process_one_work+0x148/0x2a0 | worker_thread+0x2fc/0x40c | kthread+0x110/0x114 | ret_from_fork+0x10/0x20 | Code: a94153f3 a8c37bfd d50323bf d65f03c0 (f940a000) | ---[ end trace 0000000000000000 ]---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-47666", "url": "https://ubuntu.com/security/CVE-2024-47666", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: pm80xx: Set phy->enable_completion only when we wait for it pm8001_phy_control() populates the enable_completion pointer with a stack address, sends a PHY_LINK_RESET / PHY_HARD_RESET, waits 300 ms, and returns. The problem arises when a phy control response comes late. After 300 ms the pm8001_phy_control() function returns and the passed enable_completion stack address is no longer valid. 
Late phy control response invokes complete() on a dangling enable_completion pointer which leads to a kernel crash.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46843", "url": "https://ubuntu.com/security/CVE-2024-46843", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Remove SCSI host only if added If host tries to remove ufshcd driver from a UFS device it would cause a kernel panic if ufshcd_async_scan fails during ufshcd_probe_hba before adding a SCSI host with scsi_add_host and MCQ is enabled since SCSI host has been defered after MCQ configuration introduced by commit 0cab4023ec7b (\"scsi: ufs: core: Defer adding host to SCSI if MCQ is supported\"). To guarantee that SCSI host is removed only if it has been added, set the scsi_host_added flag to true after adding a SCSI host and check whether it is set or not before removing it.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46760", "url": "https://ubuntu.com/security/CVE-2024-46760", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: usb: schedule rx work after everything is set up Right now it's possible to hit NULL pointer dereference in rtw_rx_fill_rx_status on hw object and/or its fields because initialization routine can start getting USB replies before rtw_dev is fully setup. The stack trace looks like this: rtw_rx_fill_rx_status rtw8821c_query_rx_desc rtw_usb_rx_handler ... queue_work rtw_usb_read_port_complete ... usb_submit_urb rtw_usb_rx_resubmit rtw_usb_init_rx rtw_usb_probe So while we do the async stuff rtw_usb_probe continues and calls rtw_register_hw, which does all kinds of initialization (e.g. via ieee80211_register_hw) that rtw_rx_fill_rx_status relies on. Fix this by moving the first usb_submit_urb after everything is set up. 
For me, this bug manifested as: [ 8.893177] rtw_8821cu 1-1:1.2: band wrong, packet dropped [ 8.910904] rtw_8821cu 1-1:1.2: hw->conf.chandef.chan NULL in rtw_rx_fill_rx_status because I'm using Larry's backport of rtw88 driver with the NULL checks in rtw_rx_fill_rx_status.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46761", "url": "https://ubuntu.com/security/CVE-2024-46761", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv The hotplug driver for powerpc (pci/hotplug/pnv_php.c) causes a kernel crash when we try to hot-unplug/disable the PCIe switch/bridge from the PHB. The crash occurs because although the MSI data structure has been released during disable/hot-unplug path and it has been assigned with NULL, still during unregistration the code was again trying to explicitly disable the MSI which causes the NULL pointer dereference and kernel crash. 
The patch fixes the check during unregistration path to prevent invoking pci_disable_msi/msix() since its data structure is already freed.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46844", "url": "https://ubuntu.com/security/CVE-2024-46844", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: um: line: always fill *error_out in setup_one_line() The pointer isn't initialized by callers, but I have encountered cases where it's still printed; initialize it in all possible cases in setup_one_line().", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46762", "url": "https://ubuntu.com/security/CVE-2024-46762", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xen: privcmd: Fix possible access to a freed kirqfd instance Nothing prevents simultaneous ioctl calls to privcmd_irqfd_assign() and privcmd_irqfd_deassign(). If that happens, it is possible that a kirqfd created and added to the irqfds_list by privcmd_irqfd_assign() may get removed by another thread executing privcmd_irqfd_deassign(), while the former is still using it after dropping the locks. This can lead to a situation where an already freed kirqfd instance may be accessed and cause kernel oops. Use SRCU locking to prevent the same, as is done for the KVM implementation for irqfds.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46763", "url": "https://ubuntu.com/security/CVE-2024-46763", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fou: Fix null-ptr-deref in GRO. We observed a null-ptr-deref in fou_gro_receive() while shutting down a host. [0] The NULL pointer is sk->sk_user_data, and the offset 8 is of protocol in struct fou. 
When fou_release() is called due to netns dismantle or explicit tunnel teardown, udp_tunnel_sock_release() sets NULL to sk->sk_user_data. Then, the tunnel socket is destroyed after a single RCU grace period. So, in-flight udp4_gro_receive() could find the socket and execute the FOU GRO handler, where sk->sk_user_data could be NULL. Let's use rcu_dereference_sk_user_data() in fou_from_sock() and add NULL checks in FOU GRO handlers. [0]: BUG: kernel NULL pointer dereference, address: 0000000000000008 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 80000001032f4067 P4D 80000001032f4067 PUD 103240067 PMD 0 SMP PTI CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.216-204.855.amzn2.x86_64 #1 Hardware name: Amazon EC2 c5.large/, BIOS 1.0 10/16/2017 RIP: 0010:fou_gro_receive (net/ipv4/fou.c:233) [fou] Code: 41 5f c3 cc cc cc cc e8 e7 2e 69 f4 0f 1f 80 00 00 00 00 0f 1f 44 00 00 49 89 f8 41 54 48 89 f7 48 89 d6 49 8b 80 88 02 00 00 <0f> b6 48 08 0f b7 42 4a 66 25 fd fd 80 cc 02 66 89 42 4a 0f b6 42 RSP: 0018:ffffa330c0003d08 EFLAGS: 00010297 RAX: 0000000000000000 RBX: ffff93d9e3a6b900 RCX: 0000000000000010 RDX: ffff93d9e3a6b900 RSI: ffff93d9e3a6b900 RDI: ffff93dac2e24d08 RBP: ffff93d9e3a6b900 R08: ffff93dacbce6400 R09: 0000000000000002 R10: 0000000000000000 R11: ffffffffb5f369b0 R12: ffff93dacbce6400 R13: ffff93dac2e24d08 R14: 0000000000000000 R15: ffffffffb4edd1c0 FS: 0000000000000000(0000) GS:ffff93daee800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 0000000102140001 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259) ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420) ? no_context (arch/x86/mm/fault.c:752) ? 
exc_page_fault (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 arch/x86/mm/fault.c:1435 arch/x86/mm/fault.c:1483) ? asm_exc_page_fault (arch/x86/include/asm/idtentry.h:571) ? fou_gro_receive (net/ipv4/fou.c:233) [fou] udp_gro_receive (include/linux/netdevice.h:2552 net/ipv4/udp_offload.c:559) udp4_gro_receive (net/ipv4/udp_offload.c:604) inet_gro_receive (net/ipv4/af_inet.c:1549 (discriminator 7)) dev_gro_receive (net/core/dev.c:6035 (discriminator 4)) napi_gro_receive (net/core/dev.c:6170) ena_clean_rx_irq (drivers/amazon/net/ena/ena_netdev.c:1558) [ena] ena_io_poll (drivers/amazon/net/ena/ena_netdev.c:1742) [ena] napi_poll (net/core/dev.c:6847) net_rx_action (net/core/dev.c:6917) __do_softirq (arch/x86/include/asm/jump_label.h:25 include/linux/jump_label.h:200 include/trace/events/irq.h:142 kernel/softirq.c:299) asm_call_irq_on_stack (arch/x86/entry/entry_64.S:809) do_softirq_own_stack (arch/x86/include/asm/irq_stack.h:27 arch/x86/include/asm/irq_stack.h:77 arch/x86/kernel/irq_64.c:77) irq_exit_rcu (kernel/softirq.c:393 kernel/softirq.c:423 kernel/softirq.c:435) common_interrupt (arch/x86/kernel/irq.c:239) asm_common_interrupt (arch/x86/include/asm/idtentry.h:626) RIP: 0010:acpi_idle_do_entry (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 drivers/acpi/processor_idle.c:114 drivers/acpi/processor_idle.c:575) Code: 8b 15 d1 3c c4 02 ed c3 cc cc cc cc 65 48 8b 04 25 40 ef 01 00 48 8b 00 a8 08 75 eb 0f 1f 44 00 00 0f 00 2d d5 09 55 00 fb f4 c3 cc cc cc cc e9 be fc ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 RSP: 0018:ffffffffb5603e58 EFLAGS: 00000246 RAX: 0000000000004000 RBX: ffff93dac0929c00 RCX: ffff93daee833900 RDX: ffff93daee800000 RSI: ffff93d ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46765", "url": "https://ubuntu.com/security/CVE-2024-46765", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ice: protect XDP 
configuration with a mutex The main threat to data consistency in ice_xdp() is a possible asynchronous PF reset. It can be triggered by a user or by TX timeout handler. XDP setup and PF reset code access the same resources in the following sections: * ice_vsi_close() in ice_prepare_for_reset() - already rtnl-locked * ice_vsi_rebuild() for the PF VSI - not protected * ice_vsi_open() - already rtnl-locked With an unfortunate timing, such accesses can result in a crash such as the one below: [ +1.999878] ice 0000:b1:00.0: Registered XDP mem model MEM_TYPE_XSK_BUFF_POOL on Rx ring 14 [ +2.002992] ice 0000:b1:00.0: Registered XDP mem model MEM_TYPE_XSK_BUFF_POOL on Rx ring 18 [Mar15 18:17] ice 0000:b1:00.0 ens801f0np0: NETDEV WATCHDOG: CPU: 38: transmit queue 14 timed out 80692736 ms [ +0.000093] ice 0000:b1:00.0 ens801f0np0: tx_timeout: VSI_num: 6, Q 14, NTC: 0x0, HW_HEAD: 0x0, NTU: 0x0, INT: 0x4000001 [ +0.000012] ice 0000:b1:00.0 ens801f0np0: tx_timeout recovery level 1, txqueue 14 [ +0.394718] ice 0000:b1:00.0: PTP reset successful [ +0.006184] BUG: kernel NULL pointer dereference, address: 0000000000000098 [ +0.000045] #PF: supervisor read access in kernel mode [ +0.000023] #PF: error_code(0x0000) - not-present page [ +0.000023] PGD 0 P4D 0 [ +0.000018] Oops: 0000 [#1] PREEMPT SMP NOPTI [ +0.000023] CPU: 38 PID: 7540 Comm: kworker/38:1 Not tainted 6.8.0-rc7 #1 [ +0.000031] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0014.082620210524 08/26/2021 [ +0.000036] Workqueue: ice ice_service_task [ice] [ +0.000183] RIP: 0010:ice_clean_tx_ring+0xa/0xd0 [ice] [...] [ +0.000013] Call Trace: [ +0.000016] [ +0.000014] ? __die+0x1f/0x70 [ +0.000029] ? page_fault_oops+0x171/0x4f0 [ +0.000029] ? schedule+0x3b/0xd0 [ +0.000027] ? exc_page_fault+0x7b/0x180 [ +0.000022] ? asm_exc_page_fault+0x22/0x30 [ +0.000031] ? 
ice_clean_tx_ring+0xa/0xd0 [ice] [ +0.000194] ice_free_tx_ring+0xe/0x60 [ice] [ +0.000186] ice_destroy_xdp_rings+0x157/0x310 [ice] [ +0.000151] ice_vsi_decfg+0x53/0xe0 [ice] [ +0.000180] ice_vsi_rebuild+0x239/0x540 [ice] [ +0.000186] ice_vsi_rebuild_by_type+0x76/0x180 [ice] [ +0.000145] ice_rebuild+0x18c/0x840 [ice] [ +0.000145] ? delay_tsc+0x4a/0xc0 [ +0.000022] ? delay_tsc+0x92/0xc0 [ +0.000020] ice_do_reset+0x140/0x180 [ice] [ +0.000886] ice_service_task+0x404/0x1030 [ice] [ +0.000824] process_one_work+0x171/0x340 [ +0.000685] worker_thread+0x277/0x3a0 [ +0.000675] ? preempt_count_add+0x6a/0xa0 [ +0.000677] ? _raw_spin_lock_irqsave+0x23/0x50 [ +0.000679] ? __pfx_worker_thread+0x10/0x10 [ +0.000653] kthread+0xf0/0x120 [ +0.000635] ? __pfx_kthread+0x10/0x10 [ +0.000616] ret_from_fork+0x2d/0x50 [ +0.000612] ? __pfx_kthread+0x10/0x10 [ +0.000604] ret_from_fork_asm+0x1b/0x30 [ +0.000604] The previous way of handling this through returning -EBUSY is not viable, particularly when destroying AF_XDP socket, because the kernel proceeds with removal anyway. There is plenty of code between those calls and there is no need to create a large critical section that covers all of them, same as there is no need to protect ice_vsi_rebuild() with rtnl_lock(). Add xdp_state_lock mutex to protect ice_vsi_rebuild() and ice_xdp(). Leaving unprotected sections in between would result in two states that have to be considered: 1. when the VSI is closed, but not yet rebuild 2. when VSI is already rebuild, but not yet open The latter case is actually already handled through !netif_running() case, we just need to adjust flag checking a little. The former one is not as trivial, because between ice_vsi_close() and ice_vsi_rebuild(), a lot of hardware interaction happens, this can make adding/deleting rings exit with an error. Luckily, VSI rebuild is pending and can apply new configuration for us in a managed fashion. 
Therefore, add an additional VSI state flag ICE_VSI_REBUILD_PENDING to indicate that ice_x ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46767", "url": "https://ubuntu.com/security/CVE-2024-46767", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: phy: Fix missing of_node_put() for leds The call of of_get_child_by_name() will cause refcount incremented for leds, if it succeeds, it should call of_node_put() to decrease it, fix it.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46768", "url": "https://ubuntu.com/security/CVE-2024-46768", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (hp-wmi-sensors) Check if WMI event data exists The BIOS can choose to return no event data in response to a WMI event, so the ACPI object passed to the WMI notify handler can be NULL. Check for such a situation and ignore the event in such a case.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46770", "url": "https://ubuntu.com/security/CVE-2024-46770", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ice: Add netif_device_attach/detach into PF reset flow Ethtool callbacks can be executed while reset is in progress and try to access deleted resources, e.g. getting coalesce settings can result in a NULL pointer dereference seen below. 
Reproduction steps: Once the driver is fully initialized, trigger reset: \t# echo 1 > /sys/class/net//device/reset when reset is in progress try to get coalesce settings using ethtool: \t# ethtool -c BUG: kernel NULL pointer dereference, address: 0000000000000020 PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP PTI CPU: 11 PID: 19713 Comm: ethtool Tainted: G S 6.10.0-rc7+ #7 RIP: 0010:ice_get_q_coalesce+0x2e/0xa0 [ice] RSP: 0018:ffffbab1e9bcf6a8 EFLAGS: 00010206 RAX: 000000000000000c RBX: ffff94512305b028 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff9451c3f2e588 RDI: ffff9451c3f2e588 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: ffff9451c3f2e580 R11: 000000000000001f R12: ffff945121fa9000 R13: ffffbab1e9bcf760 R14: 0000000000000013 R15: ffffffff9e65dd40 FS: 00007faee5fbe740(0000) GS:ffff94546fd80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000020 CR3: 0000000106c2e005 CR4: 00000000001706f0 Call Trace: ice_get_coalesce+0x17/0x30 [ice] coalesce_prepare_data+0x61/0x80 ethnl_default_doit+0xde/0x340 genl_family_rcv_msg_doit+0xf2/0x150 genl_rcv_msg+0x1b3/0x2c0 netlink_rcv_skb+0x5b/0x110 genl_rcv+0x28/0x40 netlink_unicast+0x19c/0x290 netlink_sendmsg+0x222/0x490 __sys_sendto+0x1df/0x1f0 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x82/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7faee60d8e27 Calling netif_device_detach() before reset makes the net core not call the driver when ethtool command is issued, the attempt to execute an ethtool command during reset will result in the following message: netlink error: No such device instead of NULL pointer dereference. 
Once reset is done and ice_rebuild() is executing, the netif_device_attach() is called to allow for ethtool operations to occur again in a safe manner.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46771", "url": "https://ubuntu.com/security/CVE-2024-46771", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: can: bcm: Remove proc entry when dev is unregistered. syzkaller reported a warning in bcm_connect() below. [0] The repro calls connect() to vxcan1, removes vxcan1, and calls connect() with ifindex == 0. Calling connect() for a BCM socket allocates a proc entry. Then, bcm_sk(sk)->bound is set to 1 to prevent further connect(). However, removing the bound device resets bcm_sk(sk)->bound to 0 in bcm_notify(). The 2nd connect() tries to allocate a proc entry with the same name and sets NULL to bcm_sk(sk)->bcm_proc_read, leaking the original proc entry. Since the proc entry is available only for connect()ed sockets, let's clean up the entry when the bound netdev is unregistered. 
[0]: proc_dir_entry 'can-bcm/2456' already registered WARNING: CPU: 1 PID: 394 at fs/proc/generic.c:376 proc_register+0x645/0x8f0 fs/proc/generic.c:375 Modules linked in: CPU: 1 PID: 394 Comm: syz-executor403 Not tainted 6.10.0-rc7-g852e42cc2dd4 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:proc_register+0x645/0x8f0 fs/proc/generic.c:375 Code: 00 00 00 00 00 48 85 ed 0f 85 97 02 00 00 4d 85 f6 0f 85 9f 02 00 00 48 c7 c7 9b cb cf 87 48 89 de 4c 89 fa e8 1c 6f eb fe 90 <0f> 0b 90 90 48 c7 c7 98 37 99 89 e8 cb 7e 22 05 bb 00 00 00 10 48 RSP: 0018:ffa0000000cd7c30 EFLAGS: 00010246 RAX: 9e129be1950f0200 RBX: ff1100011b51582c RCX: ff1100011857cd80 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002 RBP: 0000000000000000 R08: ffd400000000000f R09: ff1100013e78cac0 R10: ffac800000cd7980 R11: ff1100013e12b1f0 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: ff1100011a99a2ec FS: 00007fbd7086f740(0000) GS:ff1100013fd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000200071c0 CR3: 0000000118556004 CR4: 0000000000771ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: proc_create_net_single+0x144/0x210 fs/proc/proc_net.c:220 bcm_connect+0x472/0x840 net/can/bcm.c:1673 __sys_connect_file net/socket.c:2049 [inline] __sys_connect+0x5d2/0x690 net/socket.c:2066 __do_sys_connect net/socket.c:2076 [inline] __se_sys_connect net/socket.c:2073 [inline] __x64_sys_connect+0x8f/0x100 net/socket.c:2073 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd9/0x1c0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7fbd708b0e5d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 
48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48 RSP: 002b:00007fff8cd33f08 EFLAGS: 00000246 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fbd708b0e5d RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000040 R09: 0000000000000040 R10: 0000000000000040 R11: 0000000000000246 R12: 00007fff8cd34098 R13: 0000000000401280 R14: 0000000000406de8 R15: 00007fbd70ab9000 remove_proc_entry: removing non-empty directory 'net/can-bcm', leaking at least '2456'", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46773", "url": "https://ubuntu.com/security/CVE-2024-46773", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check denominator pbn_div before used [WHAT & HOW] A denominator cannot be 0, and is checked before used. This fixes 1 DIVIDE_BY_ZERO issue reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-47667", "url": "https://ubuntu.com/security/CVE-2024-47667", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0) Errata #i2037 in AM65x/DRA80xM Processors Silicon Revision 1.0 (SPRZ452D_July 2018_Revised December 2019 [1]) mentions when an inbound PCIe TLP spans more than two internal AXI 128-byte bursts, the bus may corrupt the packet payload and the corrupt data may cause associated applications or the processor to hang. The workaround for Errata #i2037 is to limit the maximum read request size and maximum payload size to 128 bytes. Add workaround for Errata #i2037 here. The errata and workaround is applicable only to AM65x SR 1.0 and later versions of the silicon will have this fixed. 
[1] -> https://www.ti.com/lit/er/sprz452i/sprz452i.pdf", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46835", "url": "https://ubuntu.com/security/CVE-2024-46835", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix smatch static checker warning adev->gfx.imu.funcs could be NULL", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46776", "url": "https://ubuntu.com/security/CVE-2024-46776", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Run DC_LOG_DC after checking link->link_enc [WHAT] The DC_LOG_DC should be run after link->link_enc is checked, not before. This fixes 1 REVERSE_INULL issue reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46836", "url": "https://ubuntu.com/security/CVE-2024-46836", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: usb: gadget: aspeed_udc: validate endpoint index for ast udc We should verify the bound of the array to assure that host may not manipulate the index to point past endpoint array. Found by static analysis.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46777", "url": "https://ubuntu.com/security/CVE-2024-46777", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: udf: Avoid excessive partition lengths Avoid mounting filesystems where the partition would overflow the 32-bits used for block number. 
Also refuse to mount filesystems where the partition length is so large we cannot safely index bits in a block bitmap.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46825", "url": "https://ubuntu.com/security/CVE-2024-46825", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: use IWL_FW_CHECK for link ID check The lookup function iwl_mvm_rcu_fw_link_id_to_link_conf() is normally called with input from the firmware, so it should use IWL_FW_CHECK() instead of WARN_ON().", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46826", "url": "https://ubuntu.com/security/CVE-2024-46826", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ELF: fix kernel.randomize_va_space double read ELF loader uses \"randomize_va_space\" twice. It is sysctl and can change at any moment, so 2 loads could see 2 different values in theory with unpredictable consequences. Issue exactly one load for consistent value across one exec.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46827", "url": "https://ubuntu.com/security/CVE-2024-46827", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix firmware crash due to invalid peer nss Currently, if the access point receives an association request containing an Extended HE Capabilities Information Element with an invalid MCS-NSS, it triggers a firmware crash. This issue arises when EHT-PHY capabilities shows support for a bandwidth and MCS-NSS set for that particular bandwidth is filled by zeros and due to this, driver obtains peer_nss as 0 and sending this value to firmware causes crash. Address this issue by implementing a validation step for the peer_nss value before passing it to the firmware. 
If the value is greater than zero, proceed with forwarding it to the firmware. However, if the value is invalid, reject the association request to prevent potential firmware crashes. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-47669", "url": "https://ubuntu.com/security/CVE-2024-47669", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix state management in error path of log writing function After commit a694291a6211 (\"nilfs2: separate wait function from nilfs_segctor_write\") was applied, the log writing function nilfs_segctor_do_construct() was able to issue I/O requests continuously even if user data blocks were split into multiple logs across segments, but two potential flaws were introduced in its error handling. First, if nilfs_segctor_begin_construction() fails while creating the second or subsequent logs, the log writing function returns without calling nilfs_segctor_abort_construction(), so the writeback flag set on pages/folios will remain uncleared. This causes page cache operations to hang waiting for the writeback flag. For example, truncate_inode_pages_final(), which is called via nilfs_evict_inode() when an inode is evicted from memory, will hang. Second, the NILFS_I_COLLECTED flag set on normal inodes remain uncleared. As a result, if the next log write involves checkpoint creation, that's fine, but if a partial log write is performed that does not, inodes with NILFS_I_COLLECTED set are erroneously removed from the \"sc_dirty_files\" list, and their data and b-tree blocks may not be written to the device, corrupting the block mapping. 
Fix these issues by uniformly calling nilfs_segctor_abort_construction() on failure of each step in the loop in nilfs_segctor_do_construct(), having it clean up logs and segment usages according to progress, and correcting the conditions for calling nilfs_redirty_inodes() to ensure that the NILFS_I_COLLECTED flag is cleared.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46780", "url": "https://ubuntu.com/security/CVE-2024-46780", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nilfs2: protect references to superblock parameters exposed in sysfs The superblock buffers of nilfs2 can not only be overwritten at runtime for modifications/repairs, but they are also regularly swapped, replaced during resizing, and even abandoned when degrading to one side due to backing device issues. So, accessing them requires mutual exclusion using the reader/writer semaphore \"nilfs->ns_sem\". Some sysfs attribute show methods read this superblock buffer without the necessary mutual exclusion, which can cause problems with pointer dereferencing and memory access, so fix it.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46781", "url": "https://ubuntu.com/security/CVE-2024-46781", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix missing cleanup on rollforward recovery error In an error injection test of a routine for mount-time recovery, KASAN found a use-after-free bug. It turned out that if data recovery was performed using partial logs created by dsync writes, but an error occurred before starting the log writer to create a recovered checkpoint, the inodes whose data had been recovered were left in the ns_dirty_files list of the nilfs object and were not freed. 
Fix this issue by cleaning up inodes that have read the recovery data if the recovery routine fails midway before the log writer starts.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46828", "url": "https://ubuntu.com/security/CVE-2024-46828", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sched: sch_cake: fix bulk flow accounting logic for host fairness In sch_cake, we keep track of the count of active bulk flows per host, when running in dst/src host fairness mode, which is used as the round-robin weight when iterating through flows. The count of active bulk flows is updated whenever a flow changes state. This has a peculiar interaction with the hash collision handling: when a hash collision occurs (after the set-associative hashing), the state of the hash bucket is simply updated to match the new packet that collided, and if host fairness is enabled, that also means assigning new per-host state to the flow. For this reason, the bulk flow counters of the host(s) assigned to the flow are decremented, before new state is assigned (and the counters, which may not belong to the same host anymore, are incremented again). Back when this code was introduced, the host fairness mode was always enabled, so the decrement was unconditional. When the configuration flags were introduced the *increment* was made conditional, but the *decrement* was not. Which of course can lead to a spurious decrement (and associated wrap-around to U16_MAX). AFAICT, when host fairness is disabled, the decrement and wrap-around happens as soon as a hash collision occurs (which is not that common in itself, due to the set-associative hashing). However, in most cases this is harmless, as the value is only used when host fairness mode is enabled. 
So in order to trigger an array overflow, sch_cake has to first be configured with host fairness disabled, and while running in this mode, a hash collision has to occur to cause the overflow. Then, the qdisc has to be reconfigured to enable host fairness, which leads to the array out-of-bounds because the wrapped-around value is retained and used as an array index. It seems that syzbot managed to trigger this, which is quite impressive in its own right. This patch fixes the issue by introducing the same conditional check on decrement as is used on increment. The original bug predates the upstreaming of cake, but the commit listed in the Fixes tag touched that code, meaning that this patch won't apply before that.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46782", "url": "https://ubuntu.com/security/CVE-2024-46782", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ila: call nf_unregister_net_hooks() sooner syzbot found an use-after-free Read in ila_nf_input [1] Issue here is that ila_xlat_exit_net() frees the rhashtable, then call nf_unregister_net_hooks(). It should be done in the reverse way, with a synchronize_rcu(). This is a good match for a pre_exit() method. 
[1] BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline] BUG: KASAN: use-after-free in __rhashtable_lookup include/linux/rhashtable.h:604 [inline] BUG: KASAN: use-after-free in rhashtable_lookup include/linux/rhashtable.h:646 [inline] BUG: KASAN: use-after-free in rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 Read of size 4 at addr ffff888064620008 by task ksoftirqd/0/16 CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.11.0-rc4-syzkaller-00238-g2ad6d23f465a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 rht_key_hashfn include/linux/rhashtable.h:159 [inline] __rhashtable_lookup include/linux/rhashtable.h:604 [inline] rhashtable_lookup include/linux/rhashtable.h:646 [inline] rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline] ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline] ila_nf_input+0x1fe/0x3c0 net/ipv6/ila/ila_xlat.c:190 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312 __netif_receive_skb_one_core net/core/dev.c:5661 [inline] __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5775 process_backlog+0x662/0x15b0 net/core/dev.c:6108 __napi_poll+0xcb/0x490 net/core/dev.c:6772 napi_poll net/core/dev.c:6841 [inline] net_rx_action+0x89b/0x1240 net/core/dev.c:6963 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554 run_ksoftirqd+0xca/0x130 kernel/softirq.c:928 smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 
arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64620 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: 0xbfffffff(buddy) raw: 00fff00000000000 ffffea0000959608 ffffea00019d9408 0000000000000000 raw: 0000000000000000 0000000000000003 00000000bfffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 5242, tgid 5242 (syz-executor), ts 73611328570, free_ts 618981657187 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493 prep_new_page mm/page_alloc.c:1501 [inline] get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3439 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4695 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline] alloc_pages_node_noprof include/linux/gfp.h:296 [inline] ___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4103 __kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4130 __do_kmalloc_node mm/slub.c:4146 [inline] __kmalloc_node_noprof+0x2d2/0x440 mm/slub.c:4164 __kvmalloc_node_noprof+0x72/0x190 mm/util.c:650 bucket_table_alloc lib/rhashtable.c:186 [inline] rhashtable_init_noprof+0x534/0xa60 lib/rhashtable.c:1071 ila_xlat_init_net+0xa0/0x110 net/ipv6/ila/ila_xlat.c:613 ops_ini ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46783", "url": "https://ubuntu.com/security/CVE-2024-46783", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp_bpf: fix return value of tcp_bpf_sendmsg() When we cork messages in psock->cork, the last message triggers the flushing will result in sending a sk_msg larger than the current message size. 
In this case, in tcp_bpf_send_verdict(), 'copied' becomes negative at least in the following case: 468 case __SK_DROP: 469 default: 470 sk_msg_free_partial(sk, msg, tosend); 471 sk_msg_apply_bytes(psock, tosend); 472 *copied -= (tosend + delta); // <==== HERE 473 return -EACCES; Therefore, it could lead to the following BUG with a proper value of 'copied' (thanks to syzbot). We should not use negative 'copied' as a return value here. ------------[ cut here ]------------ kernel BUG at net/socket.c:733! Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP Modules linked in: CPU: 0 UID: 0 PID: 3265 Comm: syz-executor510 Not tainted 6.11.0-rc3-syzkaller-00060-gd07b43284ab3 #0 Hardware name: linux,dummy-virt (DT) pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) pc : sock_sendmsg_nosec net/socket.c:733 [inline] pc : sock_sendmsg_nosec net/socket.c:728 [inline] pc : __sock_sendmsg+0x5c/0x60 net/socket.c:745 lr : sock_sendmsg_nosec net/socket.c:730 [inline] lr : __sock_sendmsg+0x54/0x60 net/socket.c:745 sp : ffff800088ea3b30 x29: ffff800088ea3b30 x28: fbf00000062bc900 x27: 0000000000000000 x26: ffff800088ea3bc0 x25: ffff800088ea3bc0 x24: 0000000000000000 x23: f9f00000048dc000 x22: 0000000000000000 x21: ffff800088ea3d90 x20: f9f00000048dc000 x19: ffff800088ea3d90 x18: 0000000000000001 x17: 0000000000000000 x16: 0000000000000000 x15: 000000002002ffaf x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: ffff8000815849c0 x9 : ffff8000815b49c0 x8 : 0000000000000000 x7 : 000000000000003f x6 : 0000000000000000 x5 : 00000000000007e0 x4 : fff07ffffd239000 x3 : fbf00000062bc900 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 00000000fffffdef Call trace: sock_sendmsg_nosec net/socket.c:733 [inline] __sock_sendmsg+0x5c/0x60 net/socket.c:745 ____sys_sendmsg+0x274/0x2ac net/socket.c:2597 ___sys_sendmsg+0xac/0x100 net/socket.c:2651 __sys_sendmsg+0x84/0xe0 net/socket.c:2680 __do_sys_sendmsg net/socket.c:2689 [inline] 
__se_sys_sendmsg net/socket.c:2687 [inline] __arm64_sys_sendmsg+0x24/0x30 net/socket.c:2687 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x48/0x110 arch/arm64/kernel/syscall.c:49 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151 el0_svc+0x34/0xec arch/arm64/kernel/entry-common.c:712 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598 Code: f9404463 d63f0060 3108441f 54fffe81 (d4210000) ---[ end trace 0000000000000000 ]---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46784", "url": "https://ubuntu.com/security/CVE-2024-46784", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup Currently napi_disable() gets called during rxq and txq cleanup, even before napi is enabled and hrtimer is initialized. It causes kernel panic. ? page_fault_oops+0x136/0x2b0 ? page_counter_cancel+0x2e/0x80 ? do_user_addr_fault+0x2f2/0x640 ? refill_obj_stock+0xc4/0x110 ? exc_page_fault+0x71/0x160 ? asm_exc_page_fault+0x27/0x30 ? __mmdrop+0x10/0x180 ? __mmdrop+0xec/0x180 ? hrtimer_active+0xd/0x50 hrtimer_try_to_cancel+0x2c/0xf0 hrtimer_cancel+0x15/0x30 napi_disable+0x65/0x90 mana_destroy_rxq+0x4c/0x2f0 mana_create_rxq.isra.0+0x56c/0x6d0 ? mana_uncfg_vport+0x50/0x50 mana_alloc_queues+0x21b/0x320 ? 
skb_dequeue+0x5f/0x80", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46785", "url": "https://ubuntu.com/security/CVE-2024-46785", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: eventfs: Use list_del_rcu() for SRCU protected list variable Chi Zhiling reported: We found a null pointer accessing in tracefs[1], the reason is that the variable 'ei_child' is set to LIST_POISON1, that means the list was removed in eventfs_remove_rec. so when access the ei_child->is_freed, the panic triggered. by the way, the following script can reproduce this panic loop1 (){ while true do echo \"p:kp submit_bio\" > /sys/kernel/debug/tracing/kprobe_events echo \"\" > /sys/kernel/debug/tracing/kprobe_events done } loop2 (){ while true do tree /sys/kernel/debug/tracing/events/kprobes/ done } loop1 & loop2 [1]: [ 1147.959632][T17331] Unable to handle kernel paging request at virtual address dead000000000150 [ 1147.968239][T17331] Mem abort info: [ 1147.971739][T17331] ESR = 0x0000000096000004 [ 1147.976172][T17331] EC = 0x25: DABT (current EL), IL = 32 bits [ 1147.982171][T17331] SET = 0, FnV = 0 [ 1147.985906][T17331] EA = 0, S1PTW = 0 [ 1147.989734][T17331] FSC = 0x04: level 0 translation fault [ 1147.995292][T17331] Data abort info: [ 1147.998858][T17331] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 1148.005023][T17331] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 1148.010759][T17331] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 1148.016752][T17331] [dead000000000150] address between user and kernel address ranges [ 1148.024571][T17331] Internal error: Oops: 0000000096000004 [#1] SMP [ 1148.030825][T17331] Modules linked in: team_mode_loadbalance team nlmon act_gact cls_flower sch_ingress bonding tls macvlan dummy ib_core bridge stp llc veth amdgpu amdxcp mfd_core gpu_sched drm_exec drm_buddy radeon crct10dif_ce video drm_suballoc_helper ghash_ce drm_ttm_helper sha2_ce ttm sha256_arm64 i2c_algo_bit 
sha1_ce sbsa_gwdt cp210x drm_display_helper cec sr_mod cdrom drm_kms_helper binfmt_misc sg loop fuse drm dm_mod nfnetlink ip_tables autofs4 [last unloaded: tls] [ 1148.072808][T17331] CPU: 3 PID: 17331 Comm: ls Tainted: G W ------- ---- 6.6.43 #2 [ 1148.081751][T17331] Source Version: 21b3b386e948bedd29369af66f3e98ab01b1c650 [ 1148.088783][T17331] Hardware name: Greatwall GW-001M1A-FTF/GW-001M1A-FTF, BIOS KunLun BIOS V4.0 07/16/2020 [ 1148.098419][T17331] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 1148.106060][T17331] pc : eventfs_iterate+0x2c0/0x398 [ 1148.111017][T17331] lr : eventfs_iterate+0x2fc/0x398 [ 1148.115969][T17331] sp : ffff80008d56bbd0 [ 1148.119964][T17331] x29: ffff80008d56bbf0 x28: ffff001ff5be2600 x27: 0000000000000000 [ 1148.127781][T17331] x26: ffff001ff52ca4e0 x25: 0000000000009977 x24: dead000000000100 [ 1148.135598][T17331] x23: 0000000000000000 x22: 000000000000000b x21: ffff800082645f10 [ 1148.143415][T17331] x20: ffff001fddf87c70 x19: ffff80008d56bc90 x18: 0000000000000000 [ 1148.151231][T17331] x17: 0000000000000000 x16: 0000000000000000 x15: ffff001ff52ca4e0 [ 1148.159048][T17331] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 1148.166864][T17331] x11: 0000000000000000 x10: 0000000000000000 x9 : ffff8000804391d0 [ 1148.174680][T17331] x8 : 0000000180000000 x7 : 0000000000000018 x6 : 0000aaab04b92862 [ 1148.182498][T17331] x5 : 0000aaab04b92862 x4 : 0000000080000000 x3 : 0000000000000068 [ 1148.190314][T17331] x2 : 000000000000000f x1 : 0000000000007ea8 x0 : 0000000000000001 [ 1148.198131][T17331] Call trace: [ 1148.201259][T17331] eventfs_iterate+0x2c0/0x398 [ 1148.205864][T17331] iterate_dir+0x98/0x188 [ 1148.210036][T17331] __arm64_sys_getdents64+0x78/0x160 [ 1148.215161][T17331] invoke_syscall+0x78/0x108 [ 1148.219593][T17331] el0_svc_common.constprop.0+0x48/0xf0 [ 1148.224977][T17331] do_el0_svc+0x24/0x38 [ 1148.228974][T17331] el0_svc+0x40/0x168 [ 1148.232798][T17 ---truncated---", 
"cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46786", "url": "https://ubuntu.com/security/CVE-2024-46786", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF The fscache_cookie_lru_timer is initialized when the fscache module is inserted, but is not deleted when the fscache module is removed. If timer_reduce() is called before removing the fscache module, the fscache_cookie_lru_timer will be added to the timer list of the current cpu. Afterwards, a use-after-free will be triggered in the softIRQ after removing the fscache module, as follows: ================================================================== BUG: unable to handle page fault for address: fffffbfff803c9e9 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 21ffea067 P4D 21ffea067 PUD 21ffe6067 PMD 110a7c067 PTE 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G W 6.11.0-rc3 #855 Tainted: [W]=WARN RIP: 0010:__run_timer_base.part.0+0x254/0x8a0 Call Trace: tmigr_handle_remote_up+0x627/0x810 __walk_groups.isra.0+0x47/0x140 tmigr_handle_remote+0x1fa/0x2f0 handle_softirqs+0x180/0x590 irq_exit_rcu+0x84/0xb0 sysvec_apic_timer_interrupt+0x6e/0x90 asm_sysvec_apic_timer_interrupt+0x1a/0x20 RIP: 0010:default_idle+0xf/0x20 default_idle_call+0x38/0x60 do_idle+0x2b5/0x300 cpu_startup_entry+0x54/0x60 start_secondary+0x20d/0x280 common_startup_64+0x13e/0x148 Modules linked in: [last unloaded: netfs] ================================================================== Therefore delete fscache_cookie_lru_timer when removing the fscahe module.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46787", "url": "https://ubuntu.com/security/CVE-2024-46787", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: 
userfaultfd: fix checks for huge PMDs Patch series \"userfaultfd: fix races around pmd_trans_huge() check\", v2. The pmd_trans_huge() code in mfill_atomic() is wrong in three different ways depending on kernel version: 1. The pmd_trans_huge() check is racy and can lead to a BUG_ON() (if you hit the right two race windows) - I've tested this in a kernel build with some extra mdelay() calls. See the commit message for a description of the race scenario. On older kernels (before 6.5), I think the same bug can even theoretically lead to accessing transhuge page contents as a page table if you hit the right 5 narrow race windows (I haven't tested this case). 2. As pointed out by Qi Zheng, pmd_trans_huge() is not sufficient for detecting PMDs that don't point to page tables. On older kernels (before 6.5), you'd just have to win a single fairly wide race to hit this. I've tested this on 6.1 stable by racing migration (with a mdelay() patched into try_to_migrate()) against UFFDIO_ZEROPAGE - on my x86 VM, that causes a kernel oops in ptlock_ptr(). 3. On newer kernels (>=6.5), for shmem mappings, khugepaged is allowed to yank page tables out from under us (though I haven't tested that), so I think the BUG_ON() checks in mfill_atomic() are just wrong. I decided to write two separate fixes for these (one fix for bugs 1+2, one fix for bug 3), so that the first fix can be backported to kernels affected by bugs 1+2. This patch (of 2): This fixes two issues. I discovered that the following race can occur: mfill_atomic other thread ============ ============ pmdp_get_lockless() [reads none pmd] __pte_alloc [no-op] BUG_ON(pmd_none(*dst_pmd)) I have experimentally verified this in a kernel with extra mdelay() calls; the BUG_ON(pmd_none(*dst_pmd)) triggers. 
On kernels newer than commit 0d940a9b270b (\"mm/pgtable: allow pte_offset_map[_lock]() to fail\"), this can't lead to anything worse than a BUG_ON(), since the page table access helpers are actually designed to deal with page tables concurrently disappearing; but on older kernels (<=6.4), I think we could probably theoretically race past the two BUG_ON() checks and end up treating a hugepage as a page table. The second issue is that, as Qi Zheng pointed out, there are other types of huge PMDs that pmd_trans_huge() can't catch: devmap PMDs and swap PMDs (in particular, migration PMDs). On <=6.4, this is worse than the first issue: If mfill_atomic() runs on a PMD that contains a migration entry (which just requires winning a single, fairly wide race), it will pass the PMD to pte_offset_map_lock(), which assumes that the PMD points to a page table. Breakage follows: First, the kernel tries to take the PTE lock (which will crash or maybe worse if there is no \"struct page\" for the address bits in the migration entry PMD - I think at least on X86 there usually is no corresponding \"struct page\" thanks to the PTE inversion mitigation, amd64 looks different). If that didn't crash, the kernel would next try to write a PTE into what it wrongly thinks is a page table. As part of fixing these issues, get rid of the check for pmd_trans_huge() before __pte_alloc() - that's redundant, we're going to have to check for that after the __pte_alloc() anyway. 
Backport note: pmdp_get_lockless() is pmd_read_atomic() in older kernels.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46838", "url": "https://ubuntu.com/security/CVE-2024-46838", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: userfaultfd: don't BUG_ON() if khugepaged yanks our page table Since khugepaged was changed to allow retracting page tables in file mappings without holding the mmap lock, these BUG_ON()s are wrong - get rid of them. We could also remove the preceding \"if (unlikely(...))\" block, but then we could reach pte_offset_map_lock() with transhuge pages not just for file mappings but also for anonymous mappings - which would probably be fine but I think is not necessarily expected.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46845", "url": "https://ubuntu.com/security/CVE-2024-46845", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tracing/timerlat: Only clear timer if a kthread exists The timerlat tracer can use user space threads to check for osnoise and timer latency. If the program using this is killed via a SIGTERM, the threads are shutdown one at a time and another tracing instance can start up resetting the threads before they are fully closed. That causes the hrtimer assigned to the kthread to be shutdown and freed twice when the dying thread finally closes the file descriptors, causing a use-after-free bug. Only cancel the hrtimer if the associated thread is still around. Also add the interface_lock around the resetting of the tlat_var->kthread. Note, this is just a quick fix that can be backported to stable. 
A real fix is to have a better synchronization between the shutdown of old threads and the starting of new ones.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46788", "url": "https://ubuntu.com/security/CVE-2024-46788", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tracing/osnoise: Use a cpumask to know what threads are kthreads The start_kthread() and stop_thread() code was not always called with the interface_lock held. This means that the kthread variable could be unexpectedly changed causing the kthread_stop() to be called on it when it should not have been, leading to: while true; do rtla timerlat top -u -q & PID=$!; sleep 5; kill -INT $PID; sleep 0.001; kill -TERM $PID; wait $PID; done Causing the following OOPS: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] CPU: 5 UID: 0 PID: 885 Comm: timerlatu/5 Not tainted 6.11.0-rc4-test-00002-gbc754cc76d1b-dirty #125 a533010b71dab205ad2f507188ce8c82203b0254 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:hrtimer_active+0x58/0x300 Code: 48 c1 ee 03 41 54 48 01 d1 48 01 d6 55 53 48 83 ec 20 80 39 00 0f 85 30 02 00 00 49 8b 6f 30 4c 8d 75 10 4c 89 f0 48 c1 e8 03 <0f> b6 3c 10 4c 89 f0 83 e0 07 83 c0 03 40 38 f8 7c 09 40 84 ff 0f RSP: 0018:ffff88811d97f940 EFLAGS: 00010202 RAX: 0000000000000002 RBX: ffff88823c6b5b28 RCX: ffffed10478d6b6b RDX: dffffc0000000000 RSI: ffffed10478d6b6c RDI: ffff88823c6b5b28 RBP: 0000000000000000 R08: ffff88823c6b5b58 R09: ffff88823c6b5b60 R10: ffff88811d97f957 R11: 0000000000000010 R12: 00000000000a801d R13: ffff88810d8b35d8 R14: 0000000000000010 R15: ffff88823c6b5b28 FS: 0000000000000000(0000) GS:ffff88823c680000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000561858ad7258 
CR3: 000000007729e001 CR4: 0000000000170ef0 Call Trace: ? die_addr+0x40/0xa0 ? exc_general_protection+0x154/0x230 ? asm_exc_general_protection+0x26/0x30 ? hrtimer_active+0x58/0x300 ? __pfx_mutex_lock+0x10/0x10 ? __pfx_locks_remove_file+0x10/0x10 hrtimer_cancel+0x15/0x40 timerlat_fd_release+0x8e/0x1f0 ? security_file_release+0x43/0x80 __fput+0x372/0xb10 task_work_run+0x11e/0x1f0 ? _raw_spin_lock+0x85/0xe0 ? __pfx_task_work_run+0x10/0x10 ? poison_slab_object+0x109/0x170 ? do_exit+0x7a0/0x24b0 do_exit+0x7bd/0x24b0 ? __pfx_migrate_enable+0x10/0x10 ? __pfx_do_exit+0x10/0x10 ? __pfx_read_tsc+0x10/0x10 ? ktime_get+0x64/0x140 ? _raw_spin_lock_irq+0x86/0xe0 do_group_exit+0xb0/0x220 get_signal+0x17ba/0x1b50 ? vfs_read+0x179/0xa40 ? timerlat_fd_read+0x30b/0x9d0 ? __pfx_get_signal+0x10/0x10 ? __pfx_timerlat_fd_read+0x10/0x10 arch_do_signal_or_restart+0x8c/0x570 ? __pfx_arch_do_signal_or_restart+0x10/0x10 ? vfs_read+0x179/0xa40 ? ksys_read+0xfe/0x1d0 ? __pfx_ksys_read+0x10/0x10 syscall_exit_to_user_mode+0xbc/0x130 do_syscall_64+0x74/0x110 ? __pfx___rseq_handle_notify_resume+0x10/0x10 ? __pfx_ksys_read+0x10/0x10 ? fpregs_restore_userregs+0xdb/0x1e0 ? fpregs_restore_userregs+0xdb/0x1e0 ? syscall_exit_to_user_mode+0x116/0x130 ? do_syscall_64+0x74/0x110 ? do_syscall_64+0x74/0x110 ? do_syscall_64+0x74/0x110 entry_SYSCALL_64_after_hwframe+0x71/0x79 RIP: 0033:0x7ff0070eca9c Code: Unable to access opcode bytes at 0x7ff0070eca72. 
RSP: 002b:00007ff006dff8c0 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00007ff0070eca9c RDX: 0000000000000400 RSI: 00007ff006dff9a0 RDI: 0000000000000003 RBP: 00007ff006dffde0 R08: 0000000000000000 R09: 00007ff000000ba0 R10: 00007ff007004b08 R11: 0000000000000246 R12: 0000000000000003 R13: 00007ff006dff9a0 R14: 0000000000000007 R15: 0000000000000008 Modules linked in: snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec snd_hwdep snd_hda_core ---[ end trace 0000000000000000 ]--- This is because it would mistakenly call kthread_stop() on a user space thread making it \"exit\" before it actually exits. Since kthread ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46846", "url": "https://ubuntu.com/security/CVE-2024-46846", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: spi: rockchip: Resolve unbalanced runtime PM / system PM handling Commit e882575efc77 (\"spi: rockchip: Suspend and resume the bus during NOIRQ_SYSTEM_SLEEP_PM ops\") stopped respecting runtime PM status and simply disabled clocks unconditionally when suspending the system. This causes problems when the device is already runtime suspended when we go to sleep -- in which case we double-disable clocks and produce a WARNing. Switch back to pm_runtime_force_{suspend,resume}(), because that still seems like the right thing to do, and the aforementioned commit makes no explanation why it stopped using it. 
Also, refactor some of the resume() error handling, because it's not actually a good idea to re-disable clocks on failure.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46847", "url": "https://ubuntu.com/security/CVE-2024-46847", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm: vmalloc: ensure vmap_block is initialised before adding to queue Commit 8c61291fd850 (\"mm: fix incorrect vbq reference in purge_fragmented_block\") extended the 'vmap_block' structure to contain a 'cpu' field which is set at allocation time to the id of the initialising CPU. When a new 'vmap_block' is being instantiated by new_vmap_block(), the partially initialised structure is added to the local 'vmap_block_queue' xarray before the 'cpu' field has been initialised. If another CPU is concurrently walking the xarray (e.g. via vm_unmap_aliases()), then it may perform an out-of-bounds access to the remote queue thanks to an uninitialised index. This has been observed as UBSAN errors in Android: | Internal error: UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP | | Call trace: | purge_fragmented_block+0x204/0x21c | _vm_unmap_aliases+0x170/0x378 | vm_unmap_aliases+0x1c/0x28 | change_memory_common+0x1dc/0x26c | set_memory_ro+0x18/0x24 | module_enable_ro+0x98/0x238 | do_init_module+0x1b0/0x310 Move the initialisation of 'vb->cpu' in new_vmap_block() ahead of the addition to the xarray.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46791", "url": "https://ubuntu.com/security/CVE-2024-46791", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open The mcp251x_hw_wake() function is called with the mpc_lock mutex held and disables the interrupt handler so that no interrupts can be processed while waking the device. 
If an interrupt has already occurred then waiting for the interrupt handler to complete will deadlock because it will be trying to acquire the same mutex. CPU0 CPU1 ---- ---- mcp251x_open() mutex_lock(&priv->mcp_lock) request_threaded_irq() mcp251x_can_ist() mutex_lock(&priv->mcp_lock) mcp251x_hw_wake() disable_irq() <-- deadlock Use disable_irq_nosync() instead because the interrupt handler does everything while holding the mutex so it doesn't matter if it's still running.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46829", "url": "https://ubuntu.com/security/CVE-2024-46829", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rtmutex: Drop rt_mutex::wait_lock before scheduling rt_mutex_handle_deadlock() is called with rt_mutex::wait_lock held. In the good case it returns with the lock held and in the deadlock case it emits a warning and goes into an endless scheduling loop with the lock held, which triggers the 'scheduling in atomic' warning. Unlock rt_mutex::wait_lock in the dead lock case before issuing the warning and dropping into the schedule for ever loop. [ tglx: Moved unlock before the WARN(), removed the pointless comment, \tmassaged changelog, added Fixes tag ]", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46848", "url": "https://ubuntu.com/security/CVE-2024-46848", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: Limit the period on Haswell Running the ltp test cve-2015-3290 concurrently reports the following warnings. perfevents: irq loop stuck! WARNING: CPU: 31 PID: 32438 at arch/x86/events/intel/core.c:3174 intel_pmu_handle_irq+0x285/0x370 Call Trace: ? __warn+0xa4/0x220 ? intel_pmu_handle_irq+0x285/0x370 ? __report_bug+0x123/0x130 ? intel_pmu_handle_irq+0x285/0x370 ? __report_bug+0x123/0x130 ? intel_pmu_handle_irq+0x285/0x370 ? report_bug+0x3e/0xa0 ? 
handle_bug+0x3c/0x70 ? exc_invalid_op+0x18/0x50 ? asm_exc_invalid_op+0x1a/0x20 ? irq_work_claim+0x1e/0x40 ? intel_pmu_handle_irq+0x285/0x370 perf_event_nmi_handler+0x3d/0x60 nmi_handle+0x104/0x330 Thanks to Thomas Gleixner's analysis, the issue is caused by the low initial period (1) of the frequency estimation algorithm, which triggers the defects of the HW, specifically erratum HSW11 and HSW143. (For the details, please refer https://lore.kernel.org/lkml/87plq9l5d2.ffs@tglx/) The HSW11 requires a period larger than 100 for the INST_RETIRED.ALL event, but the initial period in the freq mode is 1. The erratum is the same as the BDM11, which has been supported in the kernel. A minimum period of 128 is enforced as well on HSW. HSW143 is regarding that the fixed counter 1 may overcount 32 with the Hyper-Threading is enabled. However, based on the test, the hardware has more issues than it tells. Besides the fixed counter 1, the message 'interrupt took too long' can be observed on any counter which was armed with a period < 32 and two events expired in the same NMI. A minimum period of 32 is enforced for the rest of the events. The recommended workaround code of the HSW143 is not implemented. Because it only addresses the issue for the fixed counter. It brings extra overhead through extra MSR writing. No related overcounting issue has been reported so far.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46794", "url": "https://ubuntu.com/security/CVE-2024-46794", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: x86/tdx: Fix data leak in mmio_read() The mmio_read() function makes a TDVMCALL to retrieve MMIO data for an address from the VMM. Sean noticed that mmio_read() unintentionally exposes the value of an initialized variable (val) on the stack to the VMM. This variable is only needed as an output value. It did not need to be passed to the VMM in the first place. 
Do not send the original value of *val to the VMM. [ dhansen: clarify what 'val' is used for. ]", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46795", "url": "https://ubuntu.com/security/CVE-2024-46795", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: unset the binding mark of a reused connection Steve French reported null pointer dereference error from sha256 lib. cifs.ko can send session setup requests on reused connection. If reused connection is used for binding session, conn->binding can still remain true and generate_preauth_hash() will not set sess->Preauth_HashValue and it will be NULL. It is used as a material to create an encryption key in ksmbd_gen_smb311_encryptionkey. ->Preauth_HashValue cause null pointer dereference error from crypto_shash_update(). BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 8 PID: 429254 Comm: kworker/8:39 Hardware name: LENOVO 20MAS08500/20MAS08500, BIOS N2CET69W (1.52 ) Workqueue: ksmbd-io handle_ksmbd_work [ksmbd] RIP: 0010:lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3] ? show_regs+0x6d/0x80 ? __die+0x24/0x80 ? page_fault_oops+0x99/0x1b0 ? do_user_addr_fault+0x2ee/0x6b0 ? exc_page_fault+0x83/0x1b0 ? asm_exc_page_fault+0x27/0x30 ? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3] ? lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3] ? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3] ? 
__pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3] _sha256_update+0x77/0xa0 [sha256_ssse3] sha256_avx2_update+0x15/0x30 [sha256_ssse3] crypto_shash_update+0x1e/0x40 hmac_update+0x12/0x20 crypto_shash_update+0x1e/0x40 generate_key+0x234/0x380 [ksmbd] generate_smb3encryptionkey+0x40/0x1c0 [ksmbd] ksmbd_gen_smb311_encryptionkey+0x72/0xa0 [ksmbd] ntlm_authenticate.isra.0+0x423/0x5d0 [ksmbd] smb2_sess_setup+0x952/0xaa0 [ksmbd] __process_request+0xa3/0x1d0 [ksmbd] __handle_ksmbd_work+0x1c4/0x2f0 [ksmbd] handle_ksmbd_work+0x2d/0xa0 [ksmbd] process_one_work+0x16c/0x350 worker_thread+0x306/0x440 ? __pfx_worker_thread+0x10/0x10 kthread+0xef/0x120 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x44/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 ", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46797", "url": "https://ubuntu.com/security/CVE-2024-46797", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/qspinlock: Fix deadlock in MCS queue If an interrupt occurs in queued_spin_lock_slowpath() after we increment qnodesp->count and before node->lock is initialized, another CPU might see stale lock values in get_tail_qnode(). If the stale lock value happens to match the lock on that CPU, then we write to the \"next\" pointer of the wrong qnode. This causes a deadlock as the former CPU, once it becomes the head of the MCS queue, will spin indefinitely until it's \"next\" pointer is set by its successor in the queue. Running stress-ng on a 16 core (16EC/16VP) shared LPAR, results in occasional lockups similar to the following: $ stress-ng --all 128 --vm-bytes 80% --aggressive \\ --maximize --oomable --verify --syslog \\ --metrics --times --timeout 5m watchdog: CPU 15 Hard LOCKUP ...... 
NIP [c0000000000b78f4] queued_spin_lock_slowpath+0x1184/0x1490 LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90 Call Trace: 0xc000002cfffa3bf0 (unreliable) _raw_spin_lock+0x6c/0x90 raw_spin_rq_lock_nested.part.135+0x4c/0xd0 sched_ttwu_pending+0x60/0x1f0 __flush_smp_call_function_queue+0x1dc/0x670 smp_ipi_demux_relaxed+0xa4/0x100 xive_muxed_ipi_action+0x20/0x40 __handle_irq_event_percpu+0x80/0x240 handle_irq_event_percpu+0x2c/0x80 handle_percpu_irq+0x84/0xd0 generic_handle_irq+0x54/0x80 __do_irq+0xac/0x210 __do_IRQ+0x74/0xd0 0x0 do_IRQ+0x8c/0x170 hardware_interrupt_common_virt+0x29c/0x2a0 --- interrupt: 500 at queued_spin_lock_slowpath+0x4b8/0x1490 ...... NIP [c0000000000b6c28] queued_spin_lock_slowpath+0x4b8/0x1490 LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90 --- interrupt: 500 0xc0000029c1a41d00 (unreliable) _raw_spin_lock+0x6c/0x90 futex_wake+0x100/0x260 do_futex+0x21c/0x2a0 sys_futex+0x98/0x270 system_call_exception+0x14c/0x2f0 system_call_vectored_common+0x15c/0x2ec The following code flow illustrates how the deadlock occurs. For the sake of brevity, assume that both locks (A and B) are contended and we call the queued_spin_lock_slowpath() function. CPU0 CPU1 ---- ---- spin_lock_irqsave(A) | spin_unlock_irqrestore(A) | spin_lock(B) | | | ? | id = qnodesp->count++; | (Note that nodes[0].lock == A) | | | ? | Interrupt | (happens before \"nodes[0].lock = B\") | | | ? | spin_lock_irqsave(A) | | | ? | id = qnodesp->count++ | nodes[1].lock = A | | | ? | Tail of MCS queue | | spin_lock_irqsave(A) ? | Head of MCS queue ? | CPU0 is previous tail ? | Spin indefinitely ? (until \"nodes[1].next != NULL\") prev = get_tail_qnode(A, CPU0) | ? 
prev == &qnodes[CPU0].nodes[0] (as qnodes ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46830", "url": "https://ubuntu.com/security/CVE-2024-46830", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS Grab kvm->srcu when processing KVM_SET_VCPU_EVENTS, as KVM will forcibly leave nested VMX/SVM if SMM mode is being toggled, and leaving nested VMX reads guest memory. Note, kvm_vcpu_ioctl_x86_set_vcpu_events() can also be called from KVM_RUN via sync_regs(), which already holds SRCU. I.e. trying to precisely use kvm_vcpu_srcu_read_lock() around the problematic SMM code would cause problems. Acquiring SRCU isn't all that expensive, so for simplicity, grab it unconditionally for KVM_SET_VCPU_EVENTS. ============================= WARNING: suspicious RCU usage 6.10.0-rc7-332d2c1d713e-next-vm #552 Not tainted ----------------------------- include/linux/kvm_host.h:1027 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by repro/1071: #0: ffff88811e424430 (&vcpu->mutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x7d/0x970 [kvm] stack backtrace: CPU: 15 PID: 1071 Comm: repro Not tainted 6.10.0-rc7-332d2c1d713e-next-vm #552 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Call Trace: dump_stack_lvl+0x7f/0x90 lockdep_rcu_suspicious+0x13f/0x1a0 kvm_vcpu_gfn_to_memslot+0x168/0x190 [kvm] kvm_vcpu_read_guest+0x3e/0x90 [kvm] nested_vmx_load_msr+0x6b/0x1d0 [kvm_intel] load_vmcs12_host_state+0x432/0xb40 [kvm_intel] vmx_leave_nested+0x30/0x40 [kvm_intel] kvm_vcpu_ioctl_x86_set_vcpu_events+0x15d/0x2b0 [kvm] kvm_arch_vcpu_ioctl+0x1107/0x1750 [kvm] ? mark_held_locks+0x49/0x70 ? kvm_vcpu_ioctl+0x7d/0x970 [kvm] ? kvm_vcpu_ioctl+0x497/0x970 [kvm] kvm_vcpu_ioctl+0x497/0x970 [kvm] ? lock_acquire+0xba/0x2d0 ? 
find_held_lock+0x2b/0x80 ? do_user_addr_fault+0x40c/0x6f0 ? lock_release+0xb7/0x270 __x64_sys_ioctl+0x82/0xb0 do_syscall_64+0x6c/0x170 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7ff11eb1b539 ", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46798", "url": "https://ubuntu.com/security/CVE-2024-46798", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object When using kernel with the following extra config, - CONFIG_KASAN=y - CONFIG_KASAN_GENERIC=y - CONFIG_KASAN_INLINE=y - CONFIG_KASAN_VMALLOC=y - CONFIG_FRAME_WARN=4096 kernel detects that snd_pcm_suspend_all() access a freed 'snd_soc_pcm_runtime' object when the system is suspended, which leads to a use-after-free bug: [ 52.047746] BUG: KASAN: use-after-free in snd_pcm_suspend_all+0x1a8/0x270 [ 52.047765] Read of size 1 at addr ffff0000b9434d50 by task systemd-sleep/2330 [ 52.047785] Call trace: [ 52.047787] dump_backtrace+0x0/0x3c0 [ 52.047794] show_stack+0x34/0x50 [ 52.047797] dump_stack_lvl+0x68/0x8c [ 52.047802] print_address_description.constprop.0+0x74/0x2c0 [ 52.047809] kasan_report+0x210/0x230 [ 52.047815] __asan_report_load1_noabort+0x3c/0x50 [ 52.047820] snd_pcm_suspend_all+0x1a8/0x270 [ 52.047824] snd_soc_suspend+0x19c/0x4e0 The snd_pcm_sync_stop() has a NULL check on 'substream->runtime' before making any access. So we need to always set 'substream->runtime' to NULL everytime we kfree() it.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46831", "url": "https://ubuntu.com/security/CVE-2024-46831", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: microchip: vcap: Fix use-after-free error in kunit test This is a clear use-after-free error. 
We remove it, and rely on checking the return code of vcap_del_rule.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46747", "url": "https://ubuntu.com/security/CVE-2024-46747", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup report_fixup for the Cougar 500k Gaming Keyboard was not verifying that the report descriptor size was correct before accessing it", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46725", "url": "https://ubuntu.com/security/CVE-2024-46725", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix out-of-bounds write warning Check the ring type value to fix the out-of-bounds write warning", "cve_priority": "medium", "cve_public_date": "2024-09-18 07:15:00 UTC" }, { "cve": "CVE-2024-46724", "url": "https://ubuntu.com/security/CVE-2024-46724", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number Check the fb_channel_number range to avoid the array out-of-bounds read error", "cve_priority": "medium", "cve_public_date": "2024-09-18 07:15:00 UTC" }, { "cve": "CVE-2024-46723", "url": "https://ubuntu.com/security/CVE-2024-46723", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix ucode out-of-bounds read warning Clear warning that read ucode[] may out-of-bounds.", "cve_priority": "medium", "cve_public_date": "2024-09-18 07:15:00 UTC" }, { "cve": "CVE-2024-46743", "url": "https://ubuntu.com/security/CVE-2024-46743", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: of/irq: Prevent device address out-of-bounds read in interrupt map walk When of_irq_parse_raw() is invoked with a device address smaller than the interrupt parent node 
(from #address-cells property), KASAN detects the following out-of-bounds read when populating the initial match table (dyndbg=\"func of_irq_parse_* +p\"): OF: of_irq_parse_one: dev=/soc@0/picasso/watchdog, index=0 OF: parent=/soc@0/pci@878000000000/gpio0@17,0, intsize=2 OF: intspec=4 OF: of_irq_parse_raw: ipar=/soc@0/pci@878000000000/gpio0@17,0, size=2 OF: -> addrsize=3 ================================================================== BUG: KASAN: slab-out-of-bounds in of_irq_parse_raw+0x2b8/0x8d0 Read of size 4 at addr ffffff81beca5608 by task bash/764 CPU: 1 PID: 764 Comm: bash Tainted: G O 6.1.67-484c613561-nokia_sm_arm64 #1 Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.01-12.24.03-dirty 01/01/2023 Call trace: dump_backtrace+0xdc/0x130 show_stack+0x1c/0x30 dump_stack_lvl+0x6c/0x84 print_report+0x150/0x448 kasan_report+0x98/0x140 __asan_load4+0x78/0xa0 of_irq_parse_raw+0x2b8/0x8d0 of_irq_parse_one+0x24c/0x270 parse_interrupts+0xc0/0x120 of_fwnode_add_links+0x100/0x2d0 fw_devlink_parse_fwtree+0x64/0xc0 device_add+0xb38/0xc30 of_device_add+0x64/0x90 of_platform_device_create_pdata+0xd0/0x170 of_platform_bus_create+0x244/0x600 of_platform_notify+0x1b0/0x254 blocking_notifier_call_chain+0x9c/0xd0 __of_changeset_entry_notify+0x1b8/0x230 __of_changeset_apply_notify+0x54/0xe4 of_overlay_fdt_apply+0xc04/0xd94 ... 
The buggy address belongs to the object at ffffff81beca5600 which belongs to the cache kmalloc-128 of size 128 The buggy address is located 8 bytes inside of 128-byte region [ffffff81beca5600, ffffff81beca5680) The buggy address belongs to the physical page: page:00000000230d3d03 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1beca4 head:00000000230d3d03 order:1 compound_mapcount:0 compound_pincount:0 flags: 0x8000000000010200(slab|head|zone=2) raw: 8000000000010200 0000000000000000 dead000000000122 ffffff810000c300 raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffffff81beca5500: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffffff81beca5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffffff81beca5600: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffffff81beca5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffffff81beca5700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc ================================================================== OF: -> got it ! Prevent the out-of-bounds read by copying the device address into a buffer of sufficient size.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46757", "url": "https://ubuntu.com/security/CVE-2024-46757", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (nct6775-core) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. 
Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46759", "url": "https://ubuntu.com/security/CVE-2024-46759", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (adc128d818) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46758", "url": "https://ubuntu.com/security/CVE-2024-46758", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (lm95234) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46756", "url": "https://ubuntu.com/security/CVE-2024-46756", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (w83627ehf) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. 
Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46738", "url": "https://ubuntu.com/security/CVE-2024-46738", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: VMCI: Fix use-after-free when removing resource in vmci_resource_remove() When removing a resource from vmci_resource_table in vmci_resource_remove(), the search is performed using the resource handle by comparing context and resource fields. It is possible though to create two resources with different types but same handle (same context and resource fields). When trying to remove one of the resources, vmci_resource_remove() may not remove the intended one, but the object will still be freed as in the case of the datagram type in vmci_datagram_destroy_handle(). vmci_resource_table will still hold a pointer to this freed resource leading to a use-after-free vulnerability. BUG: KASAN: use-after-free in vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline] BUG: KASAN: use-after-free in vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147 Read of size 4 at addr ffff88801c16d800 by task syz-executor197/1592 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x82/0xa9 lib/dump_stack.c:106 print_address_description.constprop.0+0x21/0x366 mm/kasan/report.c:239 __kasan_report.cold+0x7f/0x132 mm/kasan/report.c:425 kasan_report+0x38/0x51 mm/kasan/report.c:442 vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline] vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147 vmci_qp_broker_detach+0x89a/0x11b9 drivers/misc/vmw_vmci/vmci_queue_pair.c:2182 ctx_free_ctx+0x473/0xbe1 drivers/misc/vmw_vmci/vmci_context.c:444 kref_put include/linux/kref.h:65 [inline] vmci_ctx_put drivers/misc/vmw_vmci/vmci_context.c:497 [inline] vmci_ctx_destroy+0x170/0x1d6 drivers/misc/vmw_vmci/vmci_context.c:195 
vmci_host_close+0x125/0x1ac drivers/misc/vmw_vmci/vmci_host.c:143 __fput+0x261/0xa34 fs/file_table.c:282 task_work_run+0xf0/0x194 kernel/task_work.c:164 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop+0x184/0x189 kernel/entry/common.c:187 exit_to_user_mode_prepare+0x11b/0x123 kernel/entry/common.c:220 __syscall_exit_to_user_mode_work kernel/entry/common.c:302 [inline] syscall_exit_to_user_mode+0x18/0x42 kernel/entry/common.c:313 do_syscall_64+0x41/0x85 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x6e/0x0 This change ensures the type is also checked when removing the resource from vmci_resource_table in vmci_resource_remove().", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46722", "url": "https://ubuntu.com/security/CVE-2024-46722", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix mc_data out-of-bounds read warning Clear warning that read mc_data[i-1] may out-of-bounds.", "cve_priority": "medium", "cve_public_date": "2024-09-18 07:15:00 UTC" }, { "cve": "CVE-2024-42284", "url": "https://ubuntu.com/security/CVE-2024-42284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tipc: Return non-zero value from tipc_udp_addr2str() on error tipc_udp_addr2str() should return non-zero value if the UDP media address is invalid. Otherwise, a buffer overflow access can occur in tipc_media_addr_printf(). Fix this by returning 1 on an invalid UDP media address.", "cve_priority": "medium", "cve_public_date": "2024-08-17 09:15:00 UTC" }, { "cve": "CVE-2024-44987", "url": "https://ubuntu.com/security/CVE-2024-44987", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent UAF in ip6_send_skb() syzbot reported an UAF in ip6_send_skb() [1] After ip6_local_out() has returned, we no longer can safely dereference rt, unless we hold rcu_read_lock(). 
A similar issue has been fixed in commit a688caa34beb (\"ipv6: take rcu lock in rawv6_send_hdrinc()\") Another potential issue in ip6_finish_output2() is handled in a separate patch. [1] BUG: KASAN: slab-use-after-free in ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964 Read of size 8 at addr ffff88806dde4858 by task syz.1.380/6530 CPU: 1 UID: 0 PID: 6530 Comm: syz.1.380 Not tainted 6.11.0-rc3-syzkaller-00306-gdf6cbc62cc9b #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964 rawv6_push_pending_frames+0x75c/0x9e0 net/ipv6/raw.c:588 rawv6_sendmsg+0x19c7/0x23c0 net/ipv6/raw.c:926 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x1a6/0x270 net/socket.c:745 sock_write_iter+0x2dd/0x400 net/socket.c:1160 do_iter_readv_writev+0x60a/0x890 vfs_writev+0x37c/0xbb0 fs/read_write.c:971 do_writev+0x1b1/0x350 fs/read_write.c:1018 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f936bf79e79 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f936cd7f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 RAX: ffffffffffffffda RBX: 00007f936c115f80 RCX: 00007f936bf79e79 RDX: 0000000000000001 RSI: 0000000020000040 RDI: 0000000000000004 RBP: 00007f936bfe7916 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f936c115f80 R15: 00007fff2860a7a8 Allocated by task 6530: kasan_save_stack 
mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:312 [inline] __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slub.c:3988 [inline] slab_alloc_node mm/slub.c:4037 [inline] kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4044 dst_alloc+0x12b/0x190 net/core/dst.c:89 ip6_blackhole_route+0x59/0x340 net/ipv6/route.c:2670 make_blackhole net/xfrm/xfrm_policy.c:3120 [inline] xfrm_lookup_route+0xd1/0x1c0 net/xfrm/xfrm_policy.c:3313 ip6_dst_lookup_flow+0x13e/0x180 net/ipv6/ip6_output.c:1257 rawv6_sendmsg+0x1283/0x23c0 net/ipv6/raw.c:898 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x1a6/0x270 net/socket.c:745 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597 ___sys_sendmsg net/socket.c:2651 [inline] __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 45: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2252 [inline] slab_free mm/slub.c:4473 [inline] kmem_cache_free+0x145/0x350 mm/slub.c:4548 dst_destroy+0x2ac/0x460 net/core/dst.c:124 rcu_do_batch kernel/rcu/tree.c:2569 [inline] rcu_core+0xafd/0x1830 kernel/rcu/tree. 
---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-04 20:15:00 UTC" }, { "cve": "CVE-2024-42301", "url": "https://ubuntu.com/security/CVE-2024-42301", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: dev/parport: fix the array out-of-bounds risk Fixed array out-of-bounds issues caused by sprintf by replacing it with snprintf for safer data copying, ensuring the destination buffer is not overflowed. Below is the stack trace I encountered during the actual issue: [ 66.575408s] [pid:5118,cpu4,QThread,4]Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: do_hardware_base_addr+0xcc/0xd0 [parport] [ 66.575408s] [pid:5118,cpu4,QThread,5]CPU: 4 PID: 5118 Comm: QThread Tainted: G S W O 5.10.97-arm64-desktop #7100.57021.2 [ 66.575439s] [pid:5118,cpu4,QThread,6]TGID: 5087 Comm: EFileApp [ 66.575439s] [pid:5118,cpu4,QThread,7]Hardware name: HUAWEI HUAWEI QingYun PGUX-W515x-B081/SP1PANGUXM, BIOS 1.00.07 04/29/2024 [ 66.575439s] [pid:5118,cpu4,QThread,8]Call trace: [ 66.575469s] [pid:5118,cpu4,QThread,9] dump_backtrace+0x0/0x1c0 [ 66.575469s] [pid:5118,cpu4,QThread,0] show_stack+0x14/0x20 [ 66.575469s] [pid:5118,cpu4,QThread,1] dump_stack+0xd4/0x10c [ 66.575500s] [pid:5118,cpu4,QThread,2] panic+0x1d8/0x3bc [ 66.575500s] [pid:5118,cpu4,QThread,3] __stack_chk_fail+0x2c/0x38 [ 66.575500s] [pid:5118,cpu4,QThread,4] do_hardware_base_addr+0xcc/0xd0 [parport]", "cve_priority": "medium", "cve_public_date": "2024-08-17 09:15:00 UTC" }, { "cve": "CVE-2024-44998", "url": "https://ubuntu.com/security/CVE-2024-44998", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: idt77252: prevent use after free in dequeue_rx() We can't dereference \"skb\" after calling vcc->push() because the skb is released.", "cve_priority": "medium", "cve_public_date": "2024-09-04 20:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2090364, 2090369, 1786013, 2087886, 2086298, 2085849, 1786013, 
2086301, 1786013, 2086138, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2084513, 2084941, 2083022, 2078038, 2084526, 2084834, 2081079, 2084225, 2081786, 2084225, 2084005, 2082423, 2084005, 2064176, 2081863, 2081785, 2083182, 2083701, 2077861, 2083794, 2083656, 2083488, 2083022, 2083488, 2077287, 2083488, 2083196, 2083196 ], "changes": [ { "cves": [ { "cve": "CVE-2024-50264", "url": "https://ubuntu.com/security/CVE-2024-50264", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans During loopback communication, a dangling pointer can be created in vsk->trans, potentially leading to a Use-After-Free condition. This issue is resolved by initializing vsk->trans to NULL.", "cve_priority": "high", "cve_public_date": "2024-11-19 02:16:00 UTC" }, { "cve": "CVE-2024-53057", "url": "https://ubuntu.com/security/CVE-2024-53057", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed to be either root or ingress. 
This assumption is bogus since it's valid to create egress qdiscs with major handle ffff: Budimir Markovic found that for qdiscs like DRR that maintain an active class list, it will cause a UAF with a dangling class pointer. In 066a3b5b2346, the concern was to avoid iterating over the ingress qdisc since its parent is itself. The proper fix is to stop when parent TC_H_ROOT is reached because the only way to retrieve ingress is when a hierarchy which does not contain a ffff: major handle call into qdisc_lookup with TC_H_MAJ(TC_H_ROOT). In the scenario where major ffff: is an egress qdisc in any of the tree levels, the updates will also propagate to TC_H_ROOT, which then the iteration must stop. net/sched/sch_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)", "cve_priority": "medium", "cve_public_date": "2024-11-19 18:15:00 UTC" }, { "cve": "CVE-2024-49967", "url": "https://ubuntu.com/security/CVE-2024-49967", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ext4: no need to continue when the number of entries is 1", "cve_priority": "medium", "cve_public_date": "2024-10-21 18:15:00 UTC" } ], "log": [ "", " * noble/linux-riscv: 6.8.0-51.52.1 -proposed tracker (LP: #2090364)", "", " [ Ubuntu: 6.8.0-51.52 ]", "", " * noble/linux: 6.8.0-51.52 -proposed tracker (LP: #2090369)", " * Packaging resync (LP: #1786013)", " - [Packaging] resync git-ubuntu-log", " - [Packaging] update variants", " * MGLRU: kswapd uses 100% CPU when MGLRU is enabled and under memory pressure", " (LP: #2087886)", " - mm/mglru: only clear kswapd_failures if reclaimable", " * CVE-2024-50264", " - vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans", " * CVE-2024-53057", " - net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT", " * CVE-2024-49967", " - ext4: no need to continue when the number of entries is 1", "" ], "package": "linux-riscv", "version": "6.8.0-51.52.1", "urgency": "medium", "distributions": "noble", 
"launchpad_bugs_fixed": [ 2090364, 2090369, 1786013, 2087886 ], "author": "Emil Renner Berthing ", "date": "Mon, 09 Dec 2024 16:25:59 +0100" }, { "cves": [ { "cve": "CVE-2024-46823", "url": "https://ubuntu.com/security/CVE-2024-46823", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: kunit/overflow: Fix UB in overflow_allocation_test The 'device_name' array doesn't exist out of the 'overflow_allocation_test' function scope. However, it is being used as a driver name when calling 'kunit_driver_create' from 'kunit_device_register'. It produces the kernel panic with KASAN enabled. Since this variable is used in one place only, remove it and pass the device name into kunit_device_register directly as an ascii string.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46834", "url": "https://ubuntu.com/security/CVE-2024-46834", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ethtool: fail closed if we can't get max channel used in indirection tables Commit 0d1b7d6c9274 (\"bnxt: fix crashes when reducing ring count with active RSS contexts\") proves that allowing indirection table to contain channels with out of bounds IDs may lead to crashes. Currently the max channel check in the core gets skipped if driver can't fetch the indirection table or when we can't allocate memory. 
Both of those conditions should be extremely rare but if they do happen we should try to be safe and fail the channel change.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46751", "url": "https://ubuntu.com/security/CVE-2024-46751", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: don't BUG_ON() when 0 reference count at btrfs_lookup_extent_info() Instead of doing a BUG_ON() handle the error by returning -EUCLEAN, aborting the transaction and logging an error message.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46753", "url": "https://ubuntu.com/security/CVE-2024-46753", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: handle errors from btrfs_dec_ref() properly In walk_up_proc() we BUG_ON(ret) from btrfs_dec_ref(). This is incorrect, we have proper error handling here, return the error.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46841", "url": "https://ubuntu.com/security/CVE-2024-46841", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: don't BUG_ON on ENOMEM from btrfs_lookup_extent_info() in walk_down_proc() We handle errors here properly, ENOMEM isn't fatal, return the error.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46754", "url": "https://ubuntu.com/security/CVE-2024-46754", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Remove tst_run from lwt_seg6local_prog_ops. The syzbot reported that the lwt_seg6 related BPF ops can be invoked via bpf_test_run() without without entering input_action_end_bpf() first. 
Martin KaFai Lau said that self test for BPF_PROG_TYPE_LWT_SEG6LOCAL probably didn't work since it was introduced in commit 04d4b274e2a (\"ipv6: sr: Add seg6local action End.BPF\"). The reason is that the per-CPU variable seg6_bpf_srh_states::srh is never assigned in the self test case but each BPF function expects it. Remove test_run for BPF_PROG_TYPE_LWT_SEG6LOCAL.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46824", "url": "https://ubuntu.com/security/CVE-2024-46824", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: iommufd: Require drivers to supply the cache_invalidate_user ops If drivers don't do this then iommufd will oops invalidation ioctls with something like: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info: ESR = 0x0000000086000004 EC = 0x21: IABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault user pgtable: 4k pages, 48-bit VAs, pgdp=0000000101059000 [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP Modules linked in: CPU: 2 PID: 371 Comm: qemu-system-aar Not tainted 6.8.0-rc7-gde77230ac23a #9 Hardware name: linux,dummy-virt (DT) pstate: 81400809 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=-c) pc : 0x0 lr : iommufd_hwpt_invalidate+0xa4/0x204 sp : ffff800080f3bcc0 x29: ffff800080f3bcf0 x28: ffff0000c369b300 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000 x23: 0000000000000000 x22: 00000000c1e334a0 x21: ffff0000c1e334a0 x20: ffff800080f3bd38 x19: ffff800080f3bd58 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff8240d6d8 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 x8 : 0000001000000002 x7 : 0000fffeac1ec950 x6 : 0000000000000000 x5 : 
ffff800080f3bd78 x4 : 0000000000000003 x3 : 0000000000000002 x2 : 0000000000000000 x1 : ffff800080f3bcc8 x0 : ffff0000c6034d80 Call trace: 0x0 iommufd_fops_ioctl+0x154/0x274 __arm64_sys_ioctl+0xac/0xf0 invoke_syscall+0x48/0x110 el0_svc_common.constprop.0+0x40/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xb4 el0t_64_sync_handler+0x120/0x12c el0t_64_sync+0x190/0x194 All existing drivers implement this op for nesting, this is mostly a bisection aid.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46842", "url": "https://ubuntu.com/security/CVE-2024-46842", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Handle mailbox timeouts in lpfc_get_sfp_info The MBX_TIMEOUT return code is not handled in lpfc_get_sfp_info and the routine unconditionally frees submitted mailbox commands regardless of return status. The issue is that for MBX_TIMEOUT cases, when firmware returns SFP information at a later time, that same mailbox memory region references previously freed memory in its cmpl routine. Fix by adding checks for the MBX_TIMEOUT return code. During mailbox resource cleanup, check the mbox flag to make sure that the wait did not timeout. If the MBOX_WAKE flag is not set, then do not free the resources because it will be freed when firmware completes the mailbox at a later time in its cmpl routine. Also, increase the timeout from 30 to 60 seconds to accommodate boot scripts requiring longer timeouts.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46766", "url": "https://ubuntu.com/security/CVE-2024-46766", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ice: move netif_queue_set_napi to rtnl-protected sections Currently, netif_queue_set_napi() is called from ice_vsi_rebuild() that is not rtnl-locked when called from the reset. 
This creates the need to take the rtnl_lock just for a single function and complicates the synchronization with .ndo_bpf. At the same time, there no actual need to fill napi-to-queue information at this exact point. Fill napi-to-queue information when opening the VSI and clear it when the VSI is being closed. Those routines are already rtnl-locked. Also, rewrite napi-to-queue assignment in a way that prevents inclusion of XDP queues, as this leads to out-of-bounds writes, such as one below. [ +0.000004] BUG: KASAN: slab-out-of-bounds in netif_queue_set_napi+0x1c2/0x1e0 [ +0.000012] Write of size 8 at addr ffff889881727c80 by task bash/7047 [ +0.000006] CPU: 24 PID: 7047 Comm: bash Not tainted 6.10.0-rc2+ #2 [ +0.000004] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0014.082620210524 08/26/2021 [ +0.000003] Call Trace: [ +0.000003] [ +0.000002] dump_stack_lvl+0x60/0x80 [ +0.000007] print_report+0xce/0x630 [ +0.000007] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ +0.000007] ? __virt_addr_valid+0x1c9/0x2c0 [ +0.000005] ? netif_queue_set_napi+0x1c2/0x1e0 [ +0.000003] kasan_report+0xe9/0x120 [ +0.000004] ? netif_queue_set_napi+0x1c2/0x1e0 [ +0.000004] netif_queue_set_napi+0x1c2/0x1e0 [ +0.000005] ice_vsi_close+0x161/0x670 [ice] [ +0.000114] ice_dis_vsi+0x22f/0x270 [ice] [ +0.000095] ice_pf_dis_all_vsi.constprop.0+0xae/0x1c0 [ice] [ +0.000086] ice_prepare_for_reset+0x299/0x750 [ice] [ +0.000087] pci_dev_save_and_disable+0x82/0xd0 [ +0.000006] pci_reset_function+0x12d/0x230 [ +0.000004] reset_store+0xa0/0x100 [ +0.000006] ? __pfx_reset_store+0x10/0x10 [ +0.000002] ? __pfx_mutex_lock+0x10/0x10 [ +0.000004] ? __check_object_size+0x4c1/0x640 [ +0.000007] kernfs_fop_write_iter+0x30b/0x4a0 [ +0.000006] vfs_write+0x5d6/0xdf0 [ +0.000005] ? fd_install+0x180/0x350 [ +0.000005] ? __pfx_vfs_write+0x10/0xA10 [ +0.000004] ? do_fcntl+0x52c/0xcd0 [ +0.000004] ? kasan_save_track+0x13/0x60 [ +0.000003] ? 
kasan_save_free_info+0x37/0x60 [ +0.000006] ksys_write+0xfa/0x1d0 [ +0.000003] ? __pfx_ksys_write+0x10/0x10 [ +0.000002] ? __x64_sys_fcntl+0x121/0x180 [ +0.000004] ? _raw_spin_lock+0x87/0xe0 [ +0.000005] do_syscall_64+0x80/0x170 [ +0.000007] ? _raw_spin_lock+0x87/0xe0 [ +0.000004] ? __pfx__raw_spin_lock+0x10/0x10 [ +0.000003] ? file_close_fd_locked+0x167/0x230 [ +0.000005] ? syscall_exit_to_user_mode+0x7d/0x220 [ +0.000005] ? do_syscall_64+0x8c/0x170 [ +0.000004] ? do_syscall_64+0x8c/0x170 [ +0.000003] ? do_syscall_64+0x8c/0x170 [ +0.000003] ? fput+0x1a/0x2c0 [ +0.000004] ? filp_close+0x19/0x30 [ +0.000004] ? do_dup2+0x25a/0x4c0 [ +0.000004] ? __x64_sys_dup2+0x6e/0x2e0 [ +0.000002] ? syscall_exit_to_user_mode+0x7d/0x220 [ +0.000004] ? do_syscall_64+0x8c/0x170 [ +0.000003] ? __count_memcg_events+0x113/0x380 [ +0.000005] ? handle_mm_fault+0x136/0x820 [ +0.000005] ? do_user_addr_fault+0x444/0xa80 [ +0.000004] ? clear_bhb_loop+0x25/0x80 [ +0.000004] ? clear_bhb_loop+0x25/0x80 [ +0.000002] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ +0.000005] RIP: 0033:0x7f2033593154", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46772", "url": "https://ubuntu.com/security/CVE-2024-46772", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check denominator crb_pipes before used [WHAT & HOW] A denominator cannot be 0, and is checked before used. 
This fixes 2 DIVIDE_BY_ZERO issues reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46774", "url": "https://ubuntu.com/security/CVE-2024-46774", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() Smatch warns: arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential spectre issue 'args.args' [r] (local cap) The 'nargs' and 'nret' locals come directly from a user-supplied buffer and are used as indexes into a small stack-based array and as inputs to copy_to_user() after they are subject to bounds checks. Use array_index_nospec() after the bounds checks to clamp these values for speculative execution.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46775", "url": "https://ubuntu.com/security/CVE-2024-46775", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Validate function returns [WHAT & HOW] Function return values must be checked before data can be used in subsequent functions. This fixes 4 CHECKED_RETURN issues reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46778", "url": "https://ubuntu.com/security/CVE-2024-46778", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check UnboundedRequestEnabled's value CalculateSwathAndDETConfiguration_params_st's UnboundedRequestEnabled is a pointer (i.e. dml_bool_t *UnboundedRequestEnabled), and thus if (p->UnboundedRequestEnabled) checks its address, not bool value. 
This fixes 1 REVERSE_INULL issue reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46779", "url": "https://ubuntu.com/security/CVE-2024-46779", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/imagination: Free pvr_vm_gpuva after unlink This caused a measurable memory leak. Although the individual allocations are small, the leaks occurs in a high-usage codepath (remapping or unmapping device memory) so they add up quickly.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46792", "url": "https://ubuntu.com/security/CVE-2024-46792", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: riscv: misaligned: Restrict user access to kernel memory raw_copy_{to,from}_user() do not call access_ok(), so this code allowed userspace to access any virtual memory address.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46793", "url": "https://ubuntu.com/security/CVE-2024-46793", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards harder Since commit 13f58267cda3 (\"ASoC: soc.h: don't create dummy Component via COMP_DUMMY()\") dummy codecs declared like this: SND_SOC_DAILINK_DEF(dummy, DAILINK_COMP_ARRAY(COMP_DUMMY())); expand to: static struct snd_soc_dai_link_component dummy[] = { }; Which means that dummy is a zero sized array and thus dais[i].codecs should not be dereferenced *at all* since it points to the address of the next variable stored in the data section as the \"dummy\" variable has an address but no size, so even dereferencing dais[0] is already an out of bounds array reference. 
Which means that the if (dais[i].codecs->name) check added in commit 7d99a70b6595 (\"ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards\") relies on that the part of the next variable which the name member maps to just happens to be NULL. Which apparently so far it usually is, except when it isn't and then it results in crashes like this one: [ 28.795659] BUG: unable to handle page fault for address: 0000000000030011 ... [ 28.795780] Call Trace: [ 28.795787] ... [ 28.795862] ? strcmp+0x18/0x40 [ 28.795872] 0xffffffffc150c605 [ 28.795887] platform_probe+0x40/0xa0 ... [ 28.795979] ? __pfx_init_module+0x10/0x10 [snd_soc_sst_bytcr_wm5102] Really fix things this time around by checking dais.num_codecs != 0.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46735", "url": "https://ubuntu.com/security/CVE-2024-46735", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ublk_drv: fix NULL pointer dereference in ublk_ctrl_start_recovery() When two UBLK_CMD_START_USER_RECOVERY commands are submitted, the first one sets 'ubq->ubq_daemon' to NULL, and the second one triggers WARN in ublk_queue_reinit() and subsequently a NULL pointer dereference issue. Fix it by adding the check in ublk_ctrl_start_recovery() and return immediately in case of zero 'ub->nr_queues_ready'. BUG: kernel NULL pointer dereference, address: 0000000000000028 RIP: 0010:ublk_ctrl_start_recovery.constprop.0+0x82/0x180 Call Trace: ? __die+0x20/0x70 ? page_fault_oops+0x75/0x170 ? exc_page_fault+0x64/0x140 ? asm_exc_page_fault+0x22/0x30 ? ublk_ctrl_start_recovery.constprop.0+0x82/0x180 ublk_ctrl_uring_cmd+0x4f7/0x6c0 ? pick_next_task_idle+0x26/0x40 io_uring_cmd+0x9a/0x1b0 io_issue_sqe+0x193/0x3f0 io_wq_submit_work+0x9b/0x390 io_worker_handle_work+0x165/0x360 io_wq_worker+0xcb/0x2f0 ? finish_task_switch.isra.0+0x203/0x290 ? finish_task_switch.isra.0+0x203/0x290 ? __pfx_io_wq_worker+0x10/0x10 ret_from_fork+0x2d/0x50 ? 
__pfx_io_wq_worker+0x10/0x10 ret_from_fork_asm+0x1a/0x30 ", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46737", "url": "https://ubuntu.com/security/CVE-2024-46737", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix kernel crash if commands allocation fails If the commands allocation fails in nvmet_tcp_alloc_cmds() the kernel crashes in nvmet_tcp_release_queue_work() because of a NULL pointer dereference. nvmet: failed to install queue 0 cntlid 1 ret 6 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 Fix the bug by setting queue->nr_cmds to zero in case nvmet_tcp_alloc_cmd() fails.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46822", "url": "https://ubuntu.com/security/CVE-2024-46822", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry In a review discussion of the changes to support vCPU hotplug where a check was added on the GICC being enabled if was online, it was noted that there is need to map back to the cpu and use that to index into a cpumask. As such, a valid ID is needed. If an MPIDR check fails in acpi_map_gic_cpu_interface() it is possible for the entry in cpu_madt_gicc[cpu] == NULL. This function would then cause a NULL pointer dereference. Whilst a path to trigger this has not been established, harden this caller against the possibility.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46713", "url": "https://ubuntu.com/security/CVE-2024-46713", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: perf/aux: Fix AUX buffer serialization Ole reported that event->mmap_mutex is strictly insufficient to serialize the AUX buffer, add a per RB mutex to fully serialize it. 
Note that in the lock order comment the perf_event::mmap_mutex order was already wrong, that is, it nesting under mmap_lock is not new with this patch.", "cve_priority": "medium", "cve_public_date": "2024-09-13 15:15:00 UTC" }, { "cve": "CVE-2024-46739", "url": "https://ubuntu.com/security/CVE-2024-46739", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind For primary VM Bus channels, primary_channel pointer is always NULL. This pointer is valid only for the secondary channels. Also, rescind callback is meant for primary channels only. Fix NULL pointer dereference by retrieving the device_obj from the parent for the primary channel.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46740", "url": "https://ubuntu.com/security/CVE-2024-46740", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF caused by offsets overwrite Binder objects are processed and copied individually into the target buffer during transactions. Any raw data in-between these objects is copied as well. However, this raw data copy lacks an out-of-bounds check. If the raw data exceeds the data section size then the copy overwrites the offsets section. This eventually triggers an error that attempts to unwind the processed objects. However, at this point the offsets used to index these objects are now corrupted. Unwinding with corrupted offsets can result in decrements of arbitrary nodes and lead to their premature release. Other users of such nodes are left with a dangling pointer triggering a use-after-free. 
This issue is made evident by the following KASAN report (trimmed): ================================================================== BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c Write of size 4 at addr ffff47fc91598f04 by task binder-util/743 CPU: 9 UID: 0 PID: 743 Comm: binder-util Not tainted 6.11.0-rc4 #1 Hardware name: linux,dummy-virt (DT) Call trace: _raw_spin_lock+0xe4/0x19c binder_free_buf+0x128/0x434 binder_thread_write+0x8a4/0x3260 binder_ioctl+0x18f0/0x258c [...] Allocated by task 743: __kmalloc_cache_noprof+0x110/0x270 binder_new_node+0x50/0x700 binder_transaction+0x413c/0x6da8 binder_thread_write+0x978/0x3260 binder_ioctl+0x18f0/0x258c [...] Freed by task 745: kfree+0xbc/0x208 binder_thread_read+0x1c5c/0x37d4 binder_ioctl+0x16d8/0x258c [...] ================================================================== To avoid this issue, let's check that the raw data copy is within the boundaries of the data section.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46741", "url": "https://ubuntu.com/security/CVE-2024-46741", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix double free of 'buf' in error path smatch warning: drivers/misc/fastrpc.c:1926 fastrpc_req_mmap() error: double free of 'buf' In fastrpc_req_mmap() error path, the fastrpc buffer is freed in fastrpc_req_munmap_impl() if unmap is successful. But in the end, there is an unconditional call to fastrpc_buf_free(). So the above case triggers the double free of fastrpc buf.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-47663", "url": "https://ubuntu.com/security/CVE-2024-47663", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: staging: iio: frequency: ad9834: Validate frequency parameter value In ad9834_write_frequency() clk_get_rate() can return 0. 
In such case ad9834_calc_freqreg() call will lead to division by zero. Checking 'if (fout > (clk_freq / 2))' doesn't protect in case of 'fout' is 0. ad9834_write_frequency() is called from ad9834_write(), where fout is taken from text buffer, which can contain any value. Modify parameters checking. Found by Linux Verification Center (linuxtesting.org) with SVACE.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46832", "url": "https://ubuntu.com/security/CVE-2024-46832", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: MIPS: cevt-r4k: Don't call get_c0_compare_int if timer irq is installed This avoids warning: [ 0.118053] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:283 Caused by get_c0_compare_int on secondary CPU. We also skipped saving IRQ number to struct clock_event_device *cd as it's never used by clockevent core, as per comments it's only meant for \"non CPU local devices\".", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-47668", "url": "https://ubuntu.com/security/CVE-2024-47668", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc() If we need to increase the tree depth, allocate a new node, and then race with another thread that increased the tree depth before us, we'll still have a preallocated node that might be used later. 
If we then use that node for a new non-root node, it'll still have a pointer to the old root instead of being zeroed - fix this by zeroing it in the cmpxchg failure path.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46744", "url": "https://ubuntu.com/security/CVE-2024-46744", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Squashfs: sanity check symbolic link size Syzkiller reports a \"KMSAN: uninit-value in pick_link\" bug. This is caused by an uninitialised page, which is ultimately caused by a corrupted symbolic link size read from disk. The reason why the corrupted symlink size causes an uninitialised page is due to the following sequence of events: 1. squashfs_read_inode() is called to read the symbolic link from disk. This assigns the corrupted value 3875536935 to inode->i_size. 2. Later squashfs_symlink_read_folio() is called, which assigns this corrupted value to the length variable, which being a signed int, overflows producing a negative number. 3. The following loop that fills in the page contents checks that the copied bytes is less than length, which being negative means the loop is skipped, producing an uninitialised page. This patch adds a sanity check which checks that the symbolic link size is not larger than expected. -- V2: fix spelling mistake.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46745", "url": "https://ubuntu.com/security/CVE-2024-46745", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Input: uinput - reject requests with unreasonable number of slots When exercising uinput interface syzkaller may try setting up device with a really large number of slots, which causes memory allocation failure in input_mt_init_slots(). While this allocation failure is handled properly and request is rejected, it results in syzkaller reports. 
Additionally, such request may put undue burden on the system which will try to free a lot of memory for a bogus request. Fix it by limiting allowed number of slots to 100. This can easily be extended if we see devices that can track more than 100 contacts.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46746", "url": "https://ubuntu.com/security/CVE-2024-46746", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: HID: amd_sfh: free driver_data after destroying hid device HID driver callbacks aren't called anymore once hid_destroy_device() has been called. Hence, hid driver_data should be freed only after the hid_destroy_device() function returned as driver_data is used in several callbacks. I observed a crash with kernel 6.10.0 on my T14s Gen 3, after enabling KASAN to debug memory allocation, I got this output: [ 13.050438] ================================================================== [ 13.054060] BUG: KASAN: slab-use-after-free in amd_sfh_get_report+0x3ec/0x530 [amd_sfh] [ 13.054809] psmouse serio1: trackpoint: Synaptics TrackPoint firmware: 0x02, buttons: 3/3 [ 13.056432] Read of size 8 at addr ffff88813152f408 by task (udev-worker)/479 [ 13.060970] CPU: 5 PID: 479 Comm: (udev-worker) Not tainted 6.10.0-arch1-2 #1 893bb55d7f0073f25c46adbb49eb3785fefd74b0 [ 13.063978] Hardware name: LENOVO 21CQCTO1WW/21CQCTO1WW, BIOS R22ET70W (1.40 ) 03/21/2024 [ 13.067860] Call Trace: [ 13.069383] input: TPPS/2 Synaptics TrackPoint as /devices/platform/i8042/serio1/input/input8 [ 13.071486] [ 13.071492] dump_stack_lvl+0x5d/0x80 [ 13.074870] snd_hda_intel 0000:33:00.6: enabling device (0000 -> 0002) [ 13.078296] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.082199] print_report+0x174/0x505 [ 13.085776] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 13.089367] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.093255] ? 
amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.097464] kasan_report+0xc8/0x150 [ 13.101461] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.105802] amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.110303] amdtp_hid_request+0xb8/0x110 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.114879] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.119450] sensor_hub_get_feature+0x1d3/0x540 [hid_sensor_hub 3f13be3016ff415bea03008d45d99da837ee3082] [ 13.124097] hid_sensor_parse_common_attributes+0x4d0/0xad0 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5] [ 13.127404] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.131925] ? __pfx_hid_sensor_parse_common_attributes+0x10/0x10 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5] [ 13.136455] ? _raw_spin_lock_irqsave+0x96/0xf0 [ 13.140197] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 13.143602] ? devm_iio_device_alloc+0x34/0x50 [industrialio 3d261d5e5765625d2b052be40e526d62b1d2123b] [ 13.147234] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.150446] ? __devm_add_action+0x167/0x1d0 [ 13.155061] hid_gyro_3d_probe+0x120/0x7f0 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172] [ 13.158581] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.161814] platform_probe+0xa2/0x150 [ 13.165029] really_probe+0x1e3/0x8a0 [ 13.168243] __driver_probe_device+0x18c/0x370 [ 13.171500] driver_probe_device+0x4a/0x120 [ 13.175000] __driver_attach+0x190/0x4a0 [ 13.178521] ? __pfx___driver_attach+0x10/0x10 [ 13.181771] bus_for_each_dev+0x106/0x180 [ 13.185033] ? __pfx__raw_spin_lock+0x10/0x10 [ 13.188229] ? __pfx_bus_for_each_dev+0x10/0x10 [ 13.191446] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.194382] bus_add_driver+0x29e/0x4d0 [ 13.197328] driver_register+0x1a5/0x360 [ 13.200283] ? 
__pfx_hid_gyro_3d_platform_driver_init+0x10/0x10 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172] [ 13.203362] do_one_initcall+0xa7/0x380 [ 13.206432] ? __pfx_do_one_initcall+0x10/0x10 [ 13.210175] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.213211] ? kasan_unpoison+0x44/0x70 [ 13.216688] do_init_module+0x238/0x750 [ 13.2196 ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-47664", "url": "https://ubuntu.com/security/CVE-2024-47664", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: spi: hisi-kunpeng: Add verification for the max_frequency provided by the firmware If the value of max_speed_hz is 0, it may cause a division by zero error in hisi_calc_effective_speed(). The value of max_speed_hz is provided by firmware. Firmware is generally considered as a trusted domain. However, as division by zero errors can cause system failure, for defense measure, the value of max_speed is validated here. So 0 is regarded as invalid and an error code is returned.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-47665", "url": "https://ubuntu.com/security/CVE-2024-47665", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Error out instead on BUG_ON() in IBI DMA setup Definitely condition dma_get_cache_alignment * defined value > 256 during driver initialization is not reason to BUG_ON(). 
Turn that to graceful error out with -EINVAL.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46749", "url": "https://ubuntu.com/security/CVE-2024-46749", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btnxpuart: Fix Null pointer dereference in btnxpuart_flush() This adds a check before freeing the rx->skb in flush and close functions to handle the kernel crash seen while removing driver after FW download fails or before FW download completes. dmesg log: [ 54.634586] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000080 [ 54.643398] Mem abort info: [ 54.646204] ESR = 0x0000000096000004 [ 54.649964] EC = 0x25: DABT (current EL), IL = 32 bits [ 54.655286] SET = 0, FnV = 0 [ 54.658348] EA = 0, S1PTW = 0 [ 54.661498] FSC = 0x04: level 0 translation fault [ 54.666391] Data abort info: [ 54.669273] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 54.674768] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 54.674771] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 54.674775] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000048860000 [ 54.674780] [0000000000000080] pgd=0000000000000000, p4d=0000000000000000 [ 54.703880] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 54.710152] Modules linked in: btnxpuart(-) overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce polyval_generic snd_soc_imx_spdif snd_soc_imx_card snd_soc_ak5558 snd_soc_ak4458 caam secvio error snd_soc_fsl_micfil snd_soc_fsl_spdif snd_soc_fsl_sai snd_soc_fsl_utils imx_pcm_dma gpio_ir_recv rc_core sch_fq_codel fuse [ 54.744357] CPU: 3 PID: 72 Comm: kworker/u9:0 Not tainted 6.6.3-otbr-g128004619037 #2 [ 54.744364] Hardware name: FSL i.MX8MM EVK board (DT) [ 54.744368] Workqueue: hci0 hci_power_on [ 54.757244] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 54.757249] pc : kfree_skb_reason+0x18/0xb0 
[ 54.772299] lr : btnxpuart_flush+0x40/0x58 [btnxpuart] [ 54.782921] sp : ffff8000805ebca0 [ 54.782923] x29: ffff8000805ebca0 x28: ffffa5c6cf1869c0 x27: ffffa5c6cf186000 [ 54.782931] x26: ffff377b84852400 x25: ffff377b848523c0 x24: ffff377b845e7230 [ 54.782938] x23: ffffa5c6ce8dbe08 x22: ffffa5c6ceb65410 x21: 00000000ffffff92 [ 54.782945] x20: ffffa5c6ce8dbe98 x19: ffffffffffffffac x18: ffffffffffffffff [ 54.807651] x17: 0000000000000000 x16: ffffa5c6ce2824ec x15: ffff8001005eb857 [ 54.821917] x14: 0000000000000000 x13: ffffa5c6cf1a02e0 x12: 0000000000000642 [ 54.821924] x11: 0000000000000040 x10: ffffa5c6cf19d690 x9 : ffffa5c6cf19d688 [ 54.821931] x8 : ffff377b86000028 x7 : 0000000000000000 x6 : 0000000000000000 [ 54.821938] x5 : ffff377b86000000 x4 : 0000000000000000 x3 : 0000000000000000 [ 54.843331] x2 : 0000000000000000 x1 : 0000000000000002 x0 : ffffffffffffffac [ 54.857599] Call trace: [ 54.857601] kfree_skb_reason+0x18/0xb0 [ 54.863878] btnxpuart_flush+0x40/0x58 [btnxpuart] [ 54.863888] hci_dev_open_sync+0x3a8/0xa04 [ 54.872773] hci_power_on+0x54/0x2e4 [ 54.881832] process_one_work+0x138/0x260 [ 54.881842] worker_thread+0x32c/0x438 [ 54.881847] kthread+0x118/0x11c [ 54.881853] ret_from_fork+0x10/0x20 [ 54.896406] Code: a9be7bfd 910003fd f9000bf3 aa0003f3 (b940d400) [ 54.896410] ---[ end trace 0000000000000000 ]---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46750", "url": "https://ubuntu.com/security/CVE-2024-46750", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: PCI: Add missing bridge lock to pci_bus_lock() One of the true positives that the cfg_access_lock lockdep effort identified is this sequence: WARNING: CPU: 14 PID: 1 at drivers/pci/pci.c:4886 pci_bridge_secondary_bus_reset+0x5d/0x70 RIP: 0010:pci_bridge_secondary_bus_reset+0x5d/0x70 Call Trace: ? __warn+0x8c/0x190 ? pci_bridge_secondary_bus_reset+0x5d/0x70 ? report_bug+0x1f8/0x200 ? handle_bug+0x3c/0x70 ? 
exc_invalid_op+0x18/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? pci_bridge_secondary_bus_reset+0x5d/0x70 pci_reset_bus+0x1d8/0x270 vmd_probe+0x778/0xa10 pci_device_probe+0x95/0x120 Where pci_reset_bus() users are triggering unlocked secondary bus resets. Ironically pci_bus_reset(), several calls down from pci_reset_bus(), uses pci_bus_lock() before issuing the reset which locks everything *but* the bridge itself. For the same motivation as adding: bridge = pci_upstream_bridge(dev); if (bridge) pci_dev_lock(bridge); to pci_reset_function() for the \"bus\" and \"cxl_bus\" reset cases, add pci_dev_lock() for @bus->self to pci_bus_lock(). [bhelgaas: squash in recursive locking deadlock fix from Keith Busch: https://lore.kernel.org/r/20240711193650.701834-1-kbusch@meta.com]", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46752", "url": "https://ubuntu.com/security/CVE-2024-46752", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: replace BUG_ON() with error handling at update_ref_for_cow() Instead of a BUG_ON() just return an error, log an error message and abort the transaction in case we find an extent buffer belonging to the relocation tree that doesn't have the full backref flag set. This is unexpected and should never happen (save for bugs or a potential bad memory).", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46840", "url": "https://ubuntu.com/security/CVE-2024-46840", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: clean up our handling of refs == 0 in snapshot delete In reada we BUG_ON(refs == 0), which could be unkind since we aren't holding a lock on the extent leaf and thus could get a transient incorrect answer. In walk_down_proc we also BUG_ON(refs == 0), which could happen if we have extent tree corruption. Change that to return -EUCLEAN. 
In do_walk_down() we catch this case and handle it correctly, however we return -EIO, for which -EUCLEAN is a more appropriate error code. Finally in walk_up_proc we have the same BUG_ON(refs == 0), so convert that to proper error handling. Also adjust the error message so we can actually do something with the information.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46755", "url": "https://ubuntu.com/security/CVE-2024-46755", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id() mwifiex_get_priv_by_id() returns the priv pointer corresponding to the bss_num and bss_type, but without checking if the priv is actually currently in use. Unused priv pointers do not have a wiphy attached to them which can lead to NULL pointer dereferences further down the callstack. Fix this by returning only used priv pointers which have priv->bss_mode set to something other than NL80211_IFTYPE_UNSPECIFIED. 
Said NULL pointer dereference happened when an Accesspoint was started with wpa_supplicant -i mlan0 with this config: network={ ssid=\"somessid\" mode=2 frequency=2412 key_mgmt=WPA-PSK WPA-PSK-SHA256 proto=RSN group=CCMP pairwise=CCMP psk=\"12345678\" } When waiting for the AP to be established, interrupting wpa_supplicant with and starting it again this happens: | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000140 | Mem abort info: | ESR = 0x0000000096000004 | EC = 0x25: DABT (current EL), IL = 32 bits | SET = 0, FnV = 0 | EA = 0, S1PTW = 0 | FSC = 0x04: level 0 translation fault | Data abort info: | ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 | CM = 0, WnR = 0, TnD = 0, TagAccess = 0 | GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000046d96000 | [0000000000000140] pgd=0000000000000000, p4d=0000000000000000 | Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP | Modules linked in: caam_jr caamhash_desc spidev caamalg_desc crypto_engine authenc libdes mwifiex_sdio +mwifiex crct10dif_ce cdc_acm onboard_usb_hub fsl_imx8_ddr_perf imx8m_ddrc rtc_ds1307 lm75 rtc_snvs +imx_sdma caam imx8mm_thermal spi_imx error imx_cpufreq_dt fuse ip_tables x_tables ipv6 | CPU: 0 PID: 8 Comm: kworker/0:1 Not tainted 6.9.0-00007-g937242013fce-dirty #18 | Hardware name: somemachine (DT) | Workqueue: events sdio_irq_work | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) | pc : mwifiex_get_cfp+0xd8/0x15c [mwifiex] | lr : mwifiex_get_cfp+0x34/0x15c [mwifiex] | sp : ffff8000818b3a70 | x29: ffff8000818b3a70 x28: ffff000006bfd8a5 x27: 0000000000000004 | x26: 000000000000002c x25: 0000000000001511 x24: 0000000002e86bc9 | x23: ffff000006bfd996 x22: 0000000000000004 x21: ffff000007bec000 | x20: 000000000000002c x19: 0000000000000000 x18: 0000000000000000 | x17: 000000040044ffff x16: 00500072b5503510 x15: ccc283740681e517 | x14: 0201000101006d15 x13: 0000000002e8ff43 x12: 002c01000000ffb1 | x11: 
0100000000000000 x10: 02e8ff43002c0100 x9 : 0000ffb100100157 | x8 : ffff000003d20000 x7 : 00000000000002f1 x6 : 00000000ffffe124 | x5 : 0000000000000001 x4 : 0000000000000003 x3 : 0000000000000000 | x2 : 0000000000000000 x1 : 0001000000011001 x0 : 0000000000000000 | Call trace: | mwifiex_get_cfp+0xd8/0x15c [mwifiex] | mwifiex_parse_single_response_buf+0x1d0/0x504 [mwifiex] | mwifiex_handle_event_ext_scan_report+0x19c/0x2f8 [mwifiex] | mwifiex_process_sta_event+0x298/0xf0c [mwifiex] | mwifiex_process_event+0x110/0x238 [mwifiex] | mwifiex_main_process+0x428/0xa44 [mwifiex] | mwifiex_sdio_interrupt+0x64/0x12c [mwifiex_sdio] | process_sdio_pending_irqs+0x64/0x1b8 | sdio_irq_work+0x4c/0x7c | process_one_work+0x148/0x2a0 | worker_thread+0x2fc/0x40c | kthread+0x110/0x114 | ret_from_fork+0x10/0x20 | Code: a94153f3 a8c37bfd d50323bf d65f03c0 (f940a000) | ---[ end trace 0000000000000000 ]---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-47666", "url": "https://ubuntu.com/security/CVE-2024-47666", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: pm80xx: Set phy->enable_completion only when we wait for it pm8001_phy_control() populates the enable_completion pointer with a stack address, sends a PHY_LINK_RESET / PHY_HARD_RESET, waits 300 ms, and returns. The problem arises when a phy control response comes late. After 300 ms the pm8001_phy_control() function returns and the passed enable_completion stack address is no longer valid. 
Late phy control response invokes complete() on a dangling enable_completion pointer which leads to a kernel crash.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46843", "url": "https://ubuntu.com/security/CVE-2024-46843", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Remove SCSI host only if added If host tries to remove ufshcd driver from a UFS device it would cause a kernel panic if ufshcd_async_scan fails during ufshcd_probe_hba before adding a SCSI host with scsi_add_host and MCQ is enabled since SCSI host has been deferred after MCQ configuration introduced by commit 0cab4023ec7b (\"scsi: ufs: core: Defer adding host to SCSI if MCQ is supported\"). To guarantee that SCSI host is removed only if it has been added, set the scsi_host_added flag to true after adding a SCSI host and check whether it is set or not before removing it.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46760", "url": "https://ubuntu.com/security/CVE-2024-46760", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: usb: schedule rx work after everything is set up Right now it's possible to hit a NULL pointer dereference in rtw_rx_fill_rx_status on hw object and/or its fields because the initialization routine can start getting USB replies before rtw_dev is fully set up. The stack trace looks like this: rtw_rx_fill_rx_status rtw8821c_query_rx_desc rtw_usb_rx_handler ... queue_work rtw_usb_read_port_complete ... usb_submit_urb rtw_usb_rx_resubmit rtw_usb_init_rx rtw_usb_probe So while we do the async stuff rtw_usb_probe continues and calls rtw_register_hw, which does all kinds of initialization (e.g. via ieee80211_register_hw) that rtw_rx_fill_rx_status relies on. Fix this by moving the first usb_submit_urb after everything is set up. 
For me, this bug manifested as: [ 8.893177] rtw_8821cu 1-1:1.2: band wrong, packet dropped [ 8.910904] rtw_8821cu 1-1:1.2: hw->conf.chandef.chan NULL in rtw_rx_fill_rx_status because I'm using Larry's backport of rtw88 driver with the NULL checks in rtw_rx_fill_rx_status.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46761", "url": "https://ubuntu.com/security/CVE-2024-46761", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv The hotplug driver for powerpc (pci/hotplug/pnv_php.c) causes a kernel crash when we try to hot-unplug/disable the PCIe switch/bridge from the PHB. The crash occurs because although the MSI data structure has been released during disable/hot-unplug path and it has been assigned with NULL, still during unregistration the code was again trying to explicitly disable the MSI which causes the NULL pointer dereference and kernel crash. 
The patch fixes the check during the unregistration path to prevent invoking pci_disable_msi/msix() since its data structure is already freed.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46844", "url": "https://ubuntu.com/security/CVE-2024-46844", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: um: line: always fill *error_out in setup_one_line() The pointer isn't initialized by callers, but I have encountered cases where it's still printed; initialize it in all possible cases in setup_one_line().", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46762", "url": "https://ubuntu.com/security/CVE-2024-46762", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xen: privcmd: Fix possible access to a freed kirqfd instance Nothing prevents simultaneous ioctl calls to privcmd_irqfd_assign() and privcmd_irqfd_deassign(). If that happens, it is possible that a kirqfd created and added to the irqfds_list by privcmd_irqfd_assign() may get removed by another thread executing privcmd_irqfd_deassign(), while the former is still using it after dropping the locks. This can lead to a situation where an already freed kirqfd instance may be accessed and cause a kernel oops. Use SRCU locking to prevent the same, as is done for the KVM implementation for irqfds.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46763", "url": "https://ubuntu.com/security/CVE-2024-46763", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fou: Fix null-ptr-deref in GRO. We observed a null-ptr-deref in fou_gro_receive() while shutting down a host. [0] The NULL pointer is sk->sk_user_data, and the offset 8 is of protocol in struct fou. 
When fou_release() is called due to netns dismantle or explicit tunnel teardown, udp_tunnel_sock_release() sets NULL to sk->sk_user_data. Then, the tunnel socket is destroyed after a single RCU grace period. So, in-flight udp4_gro_receive() could find the socket and execute the FOU GRO handler, where sk->sk_user_data could be NULL. Let's use rcu_dereference_sk_user_data() in fou_from_sock() and add NULL checks in FOU GRO handlers. [0]: BUG: kernel NULL pointer dereference, address: 0000000000000008 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 80000001032f4067 P4D 80000001032f4067 PUD 103240067 PMD 0 SMP PTI CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.216-204.855.amzn2.x86_64 #1 Hardware name: Amazon EC2 c5.large/, BIOS 1.0 10/16/2017 RIP: 0010:fou_gro_receive (net/ipv4/fou.c:233) [fou] Code: 41 5f c3 cc cc cc cc e8 e7 2e 69 f4 0f 1f 80 00 00 00 00 0f 1f 44 00 00 49 89 f8 41 54 48 89 f7 48 89 d6 49 8b 80 88 02 00 00 <0f> b6 48 08 0f b7 42 4a 66 25 fd fd 80 cc 02 66 89 42 4a 0f b6 42 RSP: 0018:ffffa330c0003d08 EFLAGS: 00010297 RAX: 0000000000000000 RBX: ffff93d9e3a6b900 RCX: 0000000000000010 RDX: ffff93d9e3a6b900 RSI: ffff93d9e3a6b900 RDI: ffff93dac2e24d08 RBP: ffff93d9e3a6b900 R08: ffff93dacbce6400 R09: 0000000000000002 R10: 0000000000000000 R11: ffffffffb5f369b0 R12: ffff93dacbce6400 R13: ffff93dac2e24d08 R14: 0000000000000000 R15: ffffffffb4edd1c0 FS: 0000000000000000(0000) GS:ffff93daee800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 0000000102140001 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259) ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420) ? no_context (arch/x86/mm/fault.c:752) ? 
exc_page_fault (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 arch/x86/mm/fault.c:1435 arch/x86/mm/fault.c:1483) ? asm_exc_page_fault (arch/x86/include/asm/idtentry.h:571) ? fou_gro_receive (net/ipv4/fou.c:233) [fou] udp_gro_receive (include/linux/netdevice.h:2552 net/ipv4/udp_offload.c:559) udp4_gro_receive (net/ipv4/udp_offload.c:604) inet_gro_receive (net/ipv4/af_inet.c:1549 (discriminator 7)) dev_gro_receive (net/core/dev.c:6035 (discriminator 4)) napi_gro_receive (net/core/dev.c:6170) ena_clean_rx_irq (drivers/amazon/net/ena/ena_netdev.c:1558) [ena] ena_io_poll (drivers/amazon/net/ena/ena_netdev.c:1742) [ena] napi_poll (net/core/dev.c:6847) net_rx_action (net/core/dev.c:6917) __do_softirq (arch/x86/include/asm/jump_label.h:25 include/linux/jump_label.h:200 include/trace/events/irq.h:142 kernel/softirq.c:299) asm_call_irq_on_stack (arch/x86/entry/entry_64.S:809) do_softirq_own_stack (arch/x86/include/asm/irq_stack.h:27 arch/x86/include/asm/irq_stack.h:77 arch/x86/kernel/irq_64.c:77) irq_exit_rcu (kernel/softirq.c:393 kernel/softirq.c:423 kernel/softirq.c:435) common_interrupt (arch/x86/kernel/irq.c:239) asm_common_interrupt (arch/x86/include/asm/idtentry.h:626) RIP: 0010:acpi_idle_do_entry (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 drivers/acpi/processor_idle.c:114 drivers/acpi/processor_idle.c:575) Code: 8b 15 d1 3c c4 02 ed c3 cc cc cc cc 65 48 8b 04 25 40 ef 01 00 48 8b 00 a8 08 75 eb 0f 1f 44 00 00 0f 00 2d d5 09 55 00 fb f4 c3 cc cc cc cc e9 be fc ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 RSP: 0018:ffffffffb5603e58 EFLAGS: 00000246 RAX: 0000000000004000 RBX: ffff93dac0929c00 RCX: ffff93daee833900 RDX: ffff93daee800000 RSI: ffff93d ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46765", "url": "https://ubuntu.com/security/CVE-2024-46765", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ice: protect XDP 
configuration with a mutex The main threat to data consistency in ice_xdp() is a possible asynchronous PF reset. It can be triggered by a user or by TX timeout handler. XDP setup and PF reset code access the same resources in the following sections: * ice_vsi_close() in ice_prepare_for_reset() - already rtnl-locked * ice_vsi_rebuild() for the PF VSI - not protected * ice_vsi_open() - already rtnl-locked With an unfortunate timing, such accesses can result in a crash such as the one below: [ +1.999878] ice 0000:b1:00.0: Registered XDP mem model MEM_TYPE_XSK_BUFF_POOL on Rx ring 14 [ +2.002992] ice 0000:b1:00.0: Registered XDP mem model MEM_TYPE_XSK_BUFF_POOL on Rx ring 18 [Mar15 18:17] ice 0000:b1:00.0 ens801f0np0: NETDEV WATCHDOG: CPU: 38: transmit queue 14 timed out 80692736 ms [ +0.000093] ice 0000:b1:00.0 ens801f0np0: tx_timeout: VSI_num: 6, Q 14, NTC: 0x0, HW_HEAD: 0x0, NTU: 0x0, INT: 0x4000001 [ +0.000012] ice 0000:b1:00.0 ens801f0np0: tx_timeout recovery level 1, txqueue 14 [ +0.394718] ice 0000:b1:00.0: PTP reset successful [ +0.006184] BUG: kernel NULL pointer dereference, address: 0000000000000098 [ +0.000045] #PF: supervisor read access in kernel mode [ +0.000023] #PF: error_code(0x0000) - not-present page [ +0.000023] PGD 0 P4D 0 [ +0.000018] Oops: 0000 [#1] PREEMPT SMP NOPTI [ +0.000023] CPU: 38 PID: 7540 Comm: kworker/38:1 Not tainted 6.8.0-rc7 #1 [ +0.000031] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0014.082620210524 08/26/2021 [ +0.000036] Workqueue: ice ice_service_task [ice] [ +0.000183] RIP: 0010:ice_clean_tx_ring+0xa/0xd0 [ice] [...] [ +0.000013] Call Trace: [ +0.000016] [ +0.000014] ? __die+0x1f/0x70 [ +0.000029] ? page_fault_oops+0x171/0x4f0 [ +0.000029] ? schedule+0x3b/0xd0 [ +0.000027] ? exc_page_fault+0x7b/0x180 [ +0.000022] ? asm_exc_page_fault+0x22/0x30 [ +0.000031] ? 
ice_clean_tx_ring+0xa/0xd0 [ice] [ +0.000194] ice_free_tx_ring+0xe/0x60 [ice] [ +0.000186] ice_destroy_xdp_rings+0x157/0x310 [ice] [ +0.000151] ice_vsi_decfg+0x53/0xe0 [ice] [ +0.000180] ice_vsi_rebuild+0x239/0x540 [ice] [ +0.000186] ice_vsi_rebuild_by_type+0x76/0x180 [ice] [ +0.000145] ice_rebuild+0x18c/0x840 [ice] [ +0.000145] ? delay_tsc+0x4a/0xc0 [ +0.000022] ? delay_tsc+0x92/0xc0 [ +0.000020] ice_do_reset+0x140/0x180 [ice] [ +0.000886] ice_service_task+0x404/0x1030 [ice] [ +0.000824] process_one_work+0x171/0x340 [ +0.000685] worker_thread+0x277/0x3a0 [ +0.000675] ? preempt_count_add+0x6a/0xa0 [ +0.000677] ? _raw_spin_lock_irqsave+0x23/0x50 [ +0.000679] ? __pfx_worker_thread+0x10/0x10 [ +0.000653] kthread+0xf0/0x120 [ +0.000635] ? __pfx_kthread+0x10/0x10 [ +0.000616] ret_from_fork+0x2d/0x50 [ +0.000612] ? __pfx_kthread+0x10/0x10 [ +0.000604] ret_from_fork_asm+0x1b/0x30 [ +0.000604] The previous way of handling this through returning -EBUSY is not viable, particularly when destroying AF_XDP socket, because the kernel proceeds with removal anyway. There is plenty of code between those calls and there is no need to create a large critical section that covers all of them, same as there is no need to protect ice_vsi_rebuild() with rtnl_lock(). Add xdp_state_lock mutex to protect ice_vsi_rebuild() and ice_xdp(). Leaving unprotected sections in between would result in two states that have to be considered: 1. when the VSI is closed, but not yet rebuild 2. when VSI is already rebuild, but not yet open The latter case is actually already handled through !netif_running() case, we just need to adjust flag checking a little. The former one is not as trivial, because between ice_vsi_close() and ice_vsi_rebuild(), a lot of hardware interaction happens, this can make adding/deleting rings exit with an error. Luckily, VSI rebuild is pending and can apply new configuration for us in a managed fashion. 
Therefore, add an additional VSI state flag ICE_VSI_REBUILD_PENDING to indicate that ice_x ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46767", "url": "https://ubuntu.com/security/CVE-2024-46767", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: phy: Fix missing of_node_put() for leds The call of of_get_child_by_name() will cause refcount incremented for leds, if it succeeds, it should call of_node_put() to decrease it, fix it.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46768", "url": "https://ubuntu.com/security/CVE-2024-46768", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (hp-wmi-sensors) Check if WMI event data exists The BIOS can choose to return no event data in response to a WMI event, so the ACPI object passed to the WMI notify handler can be NULL. Check for such a situation and ignore the event in such a case.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46770", "url": "https://ubuntu.com/security/CVE-2024-46770", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ice: Add netif_device_attach/detach into PF reset flow Ethtool callbacks can be executed while reset is in progress and try to access deleted resources, e.g. getting coalesce settings can result in a NULL pointer dereference seen below. 
Reproduction steps: Once the driver is fully initialized, trigger reset: \t# echo 1 > /sys/class/net//device/reset when reset is in progress try to get coalesce settings using ethtool: \t# ethtool -c BUG: kernel NULL pointer dereference, address: 0000000000000020 PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP PTI CPU: 11 PID: 19713 Comm: ethtool Tainted: G S 6.10.0-rc7+ #7 RIP: 0010:ice_get_q_coalesce+0x2e/0xa0 [ice] RSP: 0018:ffffbab1e9bcf6a8 EFLAGS: 00010206 RAX: 000000000000000c RBX: ffff94512305b028 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff9451c3f2e588 RDI: ffff9451c3f2e588 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: ffff9451c3f2e580 R11: 000000000000001f R12: ffff945121fa9000 R13: ffffbab1e9bcf760 R14: 0000000000000013 R15: ffffffff9e65dd40 FS: 00007faee5fbe740(0000) GS:ffff94546fd80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000020 CR3: 0000000106c2e005 CR4: 00000000001706f0 Call Trace: ice_get_coalesce+0x17/0x30 [ice] coalesce_prepare_data+0x61/0x80 ethnl_default_doit+0xde/0x340 genl_family_rcv_msg_doit+0xf2/0x150 genl_rcv_msg+0x1b3/0x2c0 netlink_rcv_skb+0x5b/0x110 genl_rcv+0x28/0x40 netlink_unicast+0x19c/0x290 netlink_sendmsg+0x222/0x490 __sys_sendto+0x1df/0x1f0 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x82/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7faee60d8e27 Calling netif_device_detach() before reset makes the net core not call the driver when ethtool command is issued, the attempt to execute an ethtool command during reset will result in the following message: netlink error: No such device instead of NULL pointer dereference. 
Once reset is done and ice_rebuild() is executing, the netif_device_attach() is called to allow for ethtool operations to occur again in a safe manner.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46771", "url": "https://ubuntu.com/security/CVE-2024-46771", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: can: bcm: Remove proc entry when dev is unregistered. syzkaller reported a warning in bcm_connect() below. [0] The repro calls connect() to vxcan1, removes vxcan1, and calls connect() with ifindex == 0. Calling connect() for a BCM socket allocates a proc entry. Then, bcm_sk(sk)->bound is set to 1 to prevent further connect(). However, removing the bound device resets bcm_sk(sk)->bound to 0 in bcm_notify(). The 2nd connect() tries to allocate a proc entry with the same name and sets NULL to bcm_sk(sk)->bcm_proc_read, leaking the original proc entry. Since the proc entry is available only for connect()ed sockets, let's clean up the entry when the bound netdev is unregistered. 
[0]: proc_dir_entry 'can-bcm/2456' already registered WARNING: CPU: 1 PID: 394 at fs/proc/generic.c:376 proc_register+0x645/0x8f0 fs/proc/generic.c:375 Modules linked in: CPU: 1 PID: 394 Comm: syz-executor403 Not tainted 6.10.0-rc7-g852e42cc2dd4 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:proc_register+0x645/0x8f0 fs/proc/generic.c:375 Code: 00 00 00 00 00 48 85 ed 0f 85 97 02 00 00 4d 85 f6 0f 85 9f 02 00 00 48 c7 c7 9b cb cf 87 48 89 de 4c 89 fa e8 1c 6f eb fe 90 <0f> 0b 90 90 48 c7 c7 98 37 99 89 e8 cb 7e 22 05 bb 00 00 00 10 48 RSP: 0018:ffa0000000cd7c30 EFLAGS: 00010246 RAX: 9e129be1950f0200 RBX: ff1100011b51582c RCX: ff1100011857cd80 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002 RBP: 0000000000000000 R08: ffd400000000000f R09: ff1100013e78cac0 R10: ffac800000cd7980 R11: ff1100013e12b1f0 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: ff1100011a99a2ec FS: 00007fbd7086f740(0000) GS:ff1100013fd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000200071c0 CR3: 0000000118556004 CR4: 0000000000771ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: proc_create_net_single+0x144/0x210 fs/proc/proc_net.c:220 bcm_connect+0x472/0x840 net/can/bcm.c:1673 __sys_connect_file net/socket.c:2049 [inline] __sys_connect+0x5d2/0x690 net/socket.c:2066 __do_sys_connect net/socket.c:2076 [inline] __se_sys_connect net/socket.c:2073 [inline] __x64_sys_connect+0x8f/0x100 net/socket.c:2073 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd9/0x1c0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7fbd708b0e5d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 
48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48 RSP: 002b:00007fff8cd33f08 EFLAGS: 00000246 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fbd708b0e5d RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000040 R09: 0000000000000040 R10: 0000000000000040 R11: 0000000000000246 R12: 00007fff8cd34098 R13: 0000000000401280 R14: 0000000000406de8 R15: 00007fbd70ab9000 remove_proc_entry: removing non-empty directory 'net/can-bcm', leaking at least '2456'", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46773", "url": "https://ubuntu.com/security/CVE-2024-46773", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check denominator pbn_div before used [WHAT & HOW] A denominator cannot be 0, and is checked before used. This fixes 1 DIVIDE_BY_ZERO issue reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-47667", "url": "https://ubuntu.com/security/CVE-2024-47667", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0) Errata #i2037 in AM65x/DRA80xM Processors Silicon Revision 1.0 (SPRZ452D_July 2018_Revised December 2019 [1]) mentions when an inbound PCIe TLP spans more than two internal AXI 128-byte bursts, the bus may corrupt the packet payload and the corrupt data may cause associated applications or the processor to hang. The workaround for Errata #i2037 is to limit the maximum read request size and maximum payload size to 128 bytes. Add workaround for Errata #i2037 here. The errata and workaround is applicable only to AM65x SR 1.0 and later versions of the silicon will have this fixed. 
[1] -> https://www.ti.com/lit/er/sprz452i/sprz452i.pdf", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46835", "url": "https://ubuntu.com/security/CVE-2024-46835", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix smatch static checker warning adev->gfx.imu.funcs could be NULL", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46776", "url": "https://ubuntu.com/security/CVE-2024-46776", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Run DC_LOG_DC after checking link->link_enc [WHAT] The DC_LOG_DC should be run after link->link_enc is checked, not before. This fixes 1 REVERSE_INULL issue reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46836", "url": "https://ubuntu.com/security/CVE-2024-46836", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: usb: gadget: aspeed_udc: validate endpoint index for ast udc We should verify the bound of the array to assure that host may not manipulate the index to point past endpoint array. Found by static analysis.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46777", "url": "https://ubuntu.com/security/CVE-2024-46777", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: udf: Avoid excessive partition lengths Avoid mounting filesystems where the partition would overflow the 32-bits used for block number. 
Also refuse to mount filesystems where the partition length is so large we cannot safely index bits in a block bitmap.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46825", "url": "https://ubuntu.com/security/CVE-2024-46825", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: use IWL_FW_CHECK for link ID check The lookup function iwl_mvm_rcu_fw_link_id_to_link_conf() is normally called with input from the firmware, so it should use IWL_FW_CHECK() instead of WARN_ON().", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46826", "url": "https://ubuntu.com/security/CVE-2024-46826", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ELF: fix kernel.randomize_va_space double read ELF loader uses \"randomize_va_space\" twice. It is sysctl and can change at any moment, so 2 loads could see 2 different values in theory with unpredictable consequences. Issue exactly one load for consistent value across one exec.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46827", "url": "https://ubuntu.com/security/CVE-2024-46827", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix firmware crash due to invalid peer nss Currently, if the access point receives an association request containing an Extended HE Capabilities Information Element with an invalid MCS-NSS, it triggers a firmware crash. This issue arises when EHT-PHY capabilities shows support for a bandwidth and MCS-NSS set for that particular bandwidth is filled by zeros and due to this, driver obtains peer_nss as 0 and sending this value to firmware causes crash. Address this issue by implementing a validation step for the peer_nss value before passing it to the firmware. 
If the value is greater than zero, proceed with forwarding it to the firmware. However, if the value is invalid, reject the association request to prevent potential firmware crashes. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-47669", "url": "https://ubuntu.com/security/CVE-2024-47669", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix state management in error path of log writing function After commit a694291a6211 (\"nilfs2: separate wait function from nilfs_segctor_write\") was applied, the log writing function nilfs_segctor_do_construct() was able to issue I/O requests continuously even if user data blocks were split into multiple logs across segments, but two potential flaws were introduced in its error handling. First, if nilfs_segctor_begin_construction() fails while creating the second or subsequent logs, the log writing function returns without calling nilfs_segctor_abort_construction(), so the writeback flag set on pages/folios will remain uncleared. This causes page cache operations to hang waiting for the writeback flag. For example, truncate_inode_pages_final(), which is called via nilfs_evict_inode() when an inode is evicted from memory, will hang. Second, the NILFS_I_COLLECTED flag set on normal inodes remain uncleared. As a result, if the next log write involves checkpoint creation, that's fine, but if a partial log write is performed that does not, inodes with NILFS_I_COLLECTED set are erroneously removed from the \"sc_dirty_files\" list, and their data and b-tree blocks may not be written to the device, corrupting the block mapping. 
Fix these issues by uniformly calling nilfs_segctor_abort_construction() on failure of each step in the loop in nilfs_segctor_do_construct(), having it clean up logs and segment usages according to progress, and correcting the conditions for calling nilfs_redirty_inodes() to ensure that the NILFS_I_COLLECTED flag is cleared.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46780", "url": "https://ubuntu.com/security/CVE-2024-46780", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nilfs2: protect references to superblock parameters exposed in sysfs The superblock buffers of nilfs2 can not only be overwritten at runtime for modifications/repairs, but they are also regularly swapped, replaced during resizing, and even abandoned when degrading to one side due to backing device issues. So, accessing them requires mutual exclusion using the reader/writer semaphore \"nilfs->ns_sem\". Some sysfs attribute show methods read this superblock buffer without the necessary mutual exclusion, which can cause problems with pointer dereferencing and memory access, so fix it.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46781", "url": "https://ubuntu.com/security/CVE-2024-46781", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix missing cleanup on rollforward recovery error In an error injection test of a routine for mount-time recovery, KASAN found a use-after-free bug. It turned out that if data recovery was performed using partial logs created by dsync writes, but an error occurred before starting the log writer to create a recovered checkpoint, the inodes whose data had been recovered were left in the ns_dirty_files list of the nilfs object and were not freed. 
Fix this issue by cleaning up inodes that have read the recovery data if the recovery routine fails midway before the log writer starts.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46828", "url": "https://ubuntu.com/security/CVE-2024-46828", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sched: sch_cake: fix bulk flow accounting logic for host fairness In sch_cake, we keep track of the count of active bulk flows per host, when running in dst/src host fairness mode, which is used as the round-robin weight when iterating through flows. The count of active bulk flows is updated whenever a flow changes state. This has a peculiar interaction with the hash collision handling: when a hash collision occurs (after the set-associative hashing), the state of the hash bucket is simply updated to match the new packet that collided, and if host fairness is enabled, that also means assigning new per-host state to the flow. For this reason, the bulk flow counters of the host(s) assigned to the flow are decremented, before new state is assigned (and the counters, which may not belong to the same host anymore, are incremented again). Back when this code was introduced, the host fairness mode was always enabled, so the decrement was unconditional. When the configuration flags were introduced the *increment* was made conditional, but the *decrement* was not. Which of course can lead to a spurious decrement (and associated wrap-around to U16_MAX). AFAICT, when host fairness is disabled, the decrement and wrap-around happens as soon as a hash collision occurs (which is not that common in itself, due to the set-associative hashing). However, in most cases this is harmless, as the value is only used when host fairness mode is enabled. 
So in order to trigger an array overflow, sch_cake has to first be configured with host fairness disabled, and while running in this mode, a hash collision has to occur to cause the overflow. Then, the qdisc has to be reconfigured to enable host fairness, which leads to the array out-of-bounds because the wrapped-around value is retained and used as an array index. It seems that syzbot managed to trigger this, which is quite impressive in its own right. This patch fixes the issue by introducing the same conditional check on decrement as is used on increment. The original bug predates the upstreaming of cake, but the commit listed in the Fixes tag touched that code, meaning that this patch won't apply before that.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46782", "url": "https://ubuntu.com/security/CVE-2024-46782", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ila: call nf_unregister_net_hooks() sooner syzbot found an use-after-free Read in ila_nf_input [1] Issue here is that ila_xlat_exit_net() frees the rhashtable, then call nf_unregister_net_hooks(). It should be done in the reverse way, with a synchronize_rcu(). This is a good match for a pre_exit() method. 
[1] BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline] BUG: KASAN: use-after-free in __rhashtable_lookup include/linux/rhashtable.h:604 [inline] BUG: KASAN: use-after-free in rhashtable_lookup include/linux/rhashtable.h:646 [inline] BUG: KASAN: use-after-free in rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 Read of size 4 at addr ffff888064620008 by task ksoftirqd/0/16 CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.11.0-rc4-syzkaller-00238-g2ad6d23f465a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 rht_key_hashfn include/linux/rhashtable.h:159 [inline] __rhashtable_lookup include/linux/rhashtable.h:604 [inline] rhashtable_lookup include/linux/rhashtable.h:646 [inline] rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline] ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline] ila_nf_input+0x1fe/0x3c0 net/ipv6/ila/ila_xlat.c:190 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312 __netif_receive_skb_one_core net/core/dev.c:5661 [inline] __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5775 process_backlog+0x662/0x15b0 net/core/dev.c:6108 __napi_poll+0xcb/0x490 net/core/dev.c:6772 napi_poll net/core/dev.c:6841 [inline] net_rx_action+0x89b/0x1240 net/core/dev.c:6963 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554 run_ksoftirqd+0xca/0x130 kernel/softirq.c:928 smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 
arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64620 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: 0xbfffffff(buddy) raw: 00fff00000000000 ffffea0000959608 ffffea00019d9408 0000000000000000 raw: 0000000000000000 0000000000000003 00000000bfffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 5242, tgid 5242 (syz-executor), ts 73611328570, free_ts 618981657187 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493 prep_new_page mm/page_alloc.c:1501 [inline] get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3439 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4695 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline] alloc_pages_node_noprof include/linux/gfp.h:296 [inline] ___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4103 __kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4130 __do_kmalloc_node mm/slub.c:4146 [inline] __kmalloc_node_noprof+0x2d2/0x440 mm/slub.c:4164 __kvmalloc_node_noprof+0x72/0x190 mm/util.c:650 bucket_table_alloc lib/rhashtable.c:186 [inline] rhashtable_init_noprof+0x534/0xa60 lib/rhashtable.c:1071 ila_xlat_init_net+0xa0/0x110 net/ipv6/ila/ila_xlat.c:613 ops_ini ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46783", "url": "https://ubuntu.com/security/CVE-2024-46783", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp_bpf: fix return value of tcp_bpf_sendmsg() When we cork messages in psock->cork, the last message triggers the flushing will result in sending a sk_msg larger than the current message size. 
In this case, in tcp_bpf_send_verdict(), 'copied' becomes negative at least in the following case: 468 case __SK_DROP: 469 default: 470 sk_msg_free_partial(sk, msg, tosend); 471 sk_msg_apply_bytes(psock, tosend); 472 *copied -= (tosend + delta); // <==== HERE 473 return -EACCES; Therefore, it could lead to the following BUG with a proper value of 'copied' (thanks to syzbot). We should not use negative 'copied' as a return value here. ------------[ cut here ]------------ kernel BUG at net/socket.c:733! Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP Modules linked in: CPU: 0 UID: 0 PID: 3265 Comm: syz-executor510 Not tainted 6.11.0-rc3-syzkaller-00060-gd07b43284ab3 #0 Hardware name: linux,dummy-virt (DT) pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) pc : sock_sendmsg_nosec net/socket.c:733 [inline] pc : sock_sendmsg_nosec net/socket.c:728 [inline] pc : __sock_sendmsg+0x5c/0x60 net/socket.c:745 lr : sock_sendmsg_nosec net/socket.c:730 [inline] lr : __sock_sendmsg+0x54/0x60 net/socket.c:745 sp : ffff800088ea3b30 x29: ffff800088ea3b30 x28: fbf00000062bc900 x27: 0000000000000000 x26: ffff800088ea3bc0 x25: ffff800088ea3bc0 x24: 0000000000000000 x23: f9f00000048dc000 x22: 0000000000000000 x21: ffff800088ea3d90 x20: f9f00000048dc000 x19: ffff800088ea3d90 x18: 0000000000000001 x17: 0000000000000000 x16: 0000000000000000 x15: 000000002002ffaf x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: ffff8000815849c0 x9 : ffff8000815b49c0 x8 : 0000000000000000 x7 : 000000000000003f x6 : 0000000000000000 x5 : 00000000000007e0 x4 : fff07ffffd239000 x3 : fbf00000062bc900 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 00000000fffffdef Call trace: sock_sendmsg_nosec net/socket.c:733 [inline] __sock_sendmsg+0x5c/0x60 net/socket.c:745 ____sys_sendmsg+0x274/0x2ac net/socket.c:2597 ___sys_sendmsg+0xac/0x100 net/socket.c:2651 __sys_sendmsg+0x84/0xe0 net/socket.c:2680 __do_sys_sendmsg net/socket.c:2689 [inline] 
__se_sys_sendmsg net/socket.c:2687 [inline] __arm64_sys_sendmsg+0x24/0x30 net/socket.c:2687 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x48/0x110 arch/arm64/kernel/syscall.c:49 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151 el0_svc+0x34/0xec arch/arm64/kernel/entry-common.c:712 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598 Code: f9404463 d63f0060 3108441f 54fffe81 (d4210000) ---[ end trace 0000000000000000 ]---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46784", "url": "https://ubuntu.com/security/CVE-2024-46784", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup Currently napi_disable() gets called during rxq and txq cleanup, even before napi is enabled and hrtimer is initialized. It causes kernel panic. ? page_fault_oops+0x136/0x2b0 ? page_counter_cancel+0x2e/0x80 ? do_user_addr_fault+0x2f2/0x640 ? refill_obj_stock+0xc4/0x110 ? exc_page_fault+0x71/0x160 ? asm_exc_page_fault+0x27/0x30 ? __mmdrop+0x10/0x180 ? __mmdrop+0xec/0x180 ? hrtimer_active+0xd/0x50 hrtimer_try_to_cancel+0x2c/0xf0 hrtimer_cancel+0x15/0x30 napi_disable+0x65/0x90 mana_destroy_rxq+0x4c/0x2f0 mana_create_rxq.isra.0+0x56c/0x6d0 ? mana_uncfg_vport+0x50/0x50 mana_alloc_queues+0x21b/0x320 ? 
skb_dequeue+0x5f/0x80", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46785", "url": "https://ubuntu.com/security/CVE-2024-46785", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: eventfs: Use list_del_rcu() for SRCU protected list variable Chi Zhiling reported: We found a null pointer accessing in tracefs[1], the reason is that the variable 'ei_child' is set to LIST_POISON1, that means the list was removed in eventfs_remove_rec. so when access the ei_child->is_freed, the panic triggered. by the way, the following script can reproduce this panic loop1 (){ while true do echo \"p:kp submit_bio\" > /sys/kernel/debug/tracing/kprobe_events echo \"\" > /sys/kernel/debug/tracing/kprobe_events done } loop2 (){ while true do tree /sys/kernel/debug/tracing/events/kprobes/ done } loop1 & loop2 [1]: [ 1147.959632][T17331] Unable to handle kernel paging request at virtual address dead000000000150 [ 1147.968239][T17331] Mem abort info: [ 1147.971739][T17331] ESR = 0x0000000096000004 [ 1147.976172][T17331] EC = 0x25: DABT (current EL), IL = 32 bits [ 1147.982171][T17331] SET = 0, FnV = 0 [ 1147.985906][T17331] EA = 0, S1PTW = 0 [ 1147.989734][T17331] FSC = 0x04: level 0 translation fault [ 1147.995292][T17331] Data abort info: [ 1147.998858][T17331] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 1148.005023][T17331] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 1148.010759][T17331] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 1148.016752][T17331] [dead000000000150] address between user and kernel address ranges [ 1148.024571][T17331] Internal error: Oops: 0000000096000004 [#1] SMP [ 1148.030825][T17331] Modules linked in: team_mode_loadbalance team nlmon act_gact cls_flower sch_ingress bonding tls macvlan dummy ib_core bridge stp llc veth amdgpu amdxcp mfd_core gpu_sched drm_exec drm_buddy radeon crct10dif_ce video drm_suballoc_helper ghash_ce drm_ttm_helper sha2_ce ttm sha256_arm64 i2c_algo_bit 
sha1_ce sbsa_gwdt cp210x drm_display_helper cec sr_mod cdrom drm_kms_helper binfmt_misc sg loop fuse drm dm_mod nfnetlink ip_tables autofs4 [last unloaded: tls] [ 1148.072808][T17331] CPU: 3 PID: 17331 Comm: ls Tainted: G W ------- ---- 6.6.43 #2 [ 1148.081751][T17331] Source Version: 21b3b386e948bedd29369af66f3e98ab01b1c650 [ 1148.088783][T17331] Hardware name: Greatwall GW-001M1A-FTF/GW-001M1A-FTF, BIOS KunLun BIOS V4.0 07/16/2020 [ 1148.098419][T17331] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 1148.106060][T17331] pc : eventfs_iterate+0x2c0/0x398 [ 1148.111017][T17331] lr : eventfs_iterate+0x2fc/0x398 [ 1148.115969][T17331] sp : ffff80008d56bbd0 [ 1148.119964][T17331] x29: ffff80008d56bbf0 x28: ffff001ff5be2600 x27: 0000000000000000 [ 1148.127781][T17331] x26: ffff001ff52ca4e0 x25: 0000000000009977 x24: dead000000000100 [ 1148.135598][T17331] x23: 0000000000000000 x22: 000000000000000b x21: ffff800082645f10 [ 1148.143415][T17331] x20: ffff001fddf87c70 x19: ffff80008d56bc90 x18: 0000000000000000 [ 1148.151231][T17331] x17: 0000000000000000 x16: 0000000000000000 x15: ffff001ff52ca4e0 [ 1148.159048][T17331] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 1148.166864][T17331] x11: 0000000000000000 x10: 0000000000000000 x9 : ffff8000804391d0 [ 1148.174680][T17331] x8 : 0000000180000000 x7 : 0000000000000018 x6 : 0000aaab04b92862 [ 1148.182498][T17331] x5 : 0000aaab04b92862 x4 : 0000000080000000 x3 : 0000000000000068 [ 1148.190314][T17331] x2 : 000000000000000f x1 : 0000000000007ea8 x0 : 0000000000000001 [ 1148.198131][T17331] Call trace: [ 1148.201259][T17331] eventfs_iterate+0x2c0/0x398 [ 1148.205864][T17331] iterate_dir+0x98/0x188 [ 1148.210036][T17331] __arm64_sys_getdents64+0x78/0x160 [ 1148.215161][T17331] invoke_syscall+0x78/0x108 [ 1148.219593][T17331] el0_svc_common.constprop.0+0x48/0xf0 [ 1148.224977][T17331] do_el0_svc+0x24/0x38 [ 1148.228974][T17331] el0_svc+0x40/0x168 [ 1148.232798][T17 ---truncated---", 
"cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46786", "url": "https://ubuntu.com/security/CVE-2024-46786", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF The fscache_cookie_lru_timer is initialized when the fscache module is inserted, but is not deleted when the fscache module is removed. If timer_reduce() is called before removing the fscache module, the fscache_cookie_lru_timer will be added to the timer list of the current cpu. Afterwards, a use-after-free will be triggered in the softIRQ after removing the fscache module, as follows: ================================================================== BUG: unable to handle page fault for address: fffffbfff803c9e9 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 21ffea067 P4D 21ffea067 PUD 21ffe6067 PMD 110a7c067 PTE 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G W 6.11.0-rc3 #855 Tainted: [W]=WARN RIP: 0010:__run_timer_base.part.0+0x254/0x8a0 Call Trace: tmigr_handle_remote_up+0x627/0x810 __walk_groups.isra.0+0x47/0x140 tmigr_handle_remote+0x1fa/0x2f0 handle_softirqs+0x180/0x590 irq_exit_rcu+0x84/0xb0 sysvec_apic_timer_interrupt+0x6e/0x90 asm_sysvec_apic_timer_interrupt+0x1a/0x20 RIP: 0010:default_idle+0xf/0x20 default_idle_call+0x38/0x60 do_idle+0x2b5/0x300 cpu_startup_entry+0x54/0x60 start_secondary+0x20d/0x280 common_startup_64+0x13e/0x148 Modules linked in: [last unloaded: netfs] ================================================================== Therefore delete fscache_cookie_lru_timer when removing the fscahe module.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46787", "url": "https://ubuntu.com/security/CVE-2024-46787", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: 
userfaultfd: fix checks for huge PMDs Patch series \"userfaultfd: fix races around pmd_trans_huge() check\", v2. The pmd_trans_huge() code in mfill_atomic() is wrong in three different ways depending on kernel version: 1. The pmd_trans_huge() check is racy and can lead to a BUG_ON() (if you hit the right two race windows) - I've tested this in a kernel build with some extra mdelay() calls. See the commit message for a description of the race scenario. On older kernels (before 6.5), I think the same bug can even theoretically lead to accessing transhuge page contents as a page table if you hit the right 5 narrow race windows (I haven't tested this case). 2. As pointed out by Qi Zheng, pmd_trans_huge() is not sufficient for detecting PMDs that don't point to page tables. On older kernels (before 6.5), you'd just have to win a single fairly wide race to hit this. I've tested this on 6.1 stable by racing migration (with a mdelay() patched into try_to_migrate()) against UFFDIO_ZEROPAGE - on my x86 VM, that causes a kernel oops in ptlock_ptr(). 3. On newer kernels (>=6.5), for shmem mappings, khugepaged is allowed to yank page tables out from under us (though I haven't tested that), so I think the BUG_ON() checks in mfill_atomic() are just wrong. I decided to write two separate fixes for these (one fix for bugs 1+2, one fix for bug 3), so that the first fix can be backported to kernels affected by bugs 1+2. This patch (of 2): This fixes two issues. I discovered that the following race can occur: mfill_atomic other thread ============ ============ pmdp_get_lockless() [reads none pmd] __pte_alloc [no-op] BUG_ON(pmd_none(*dst_pmd)) I have experimentally verified this in a kernel with extra mdelay() calls; the BUG_ON(pmd_none(*dst_pmd)) triggers. 
On kernels newer than commit 0d940a9b270b (\"mm/pgtable: allow pte_offset_map[_lock]() to fail\"), this can't lead to anything worse than a BUG_ON(), since the page table access helpers are actually designed to deal with page tables concurrently disappearing; but on older kernels (<=6.4), I think we could probably theoretically race past the two BUG_ON() checks and end up treating a hugepage as a page table. The second issue is that, as Qi Zheng pointed out, there are other types of huge PMDs that pmd_trans_huge() can't catch: devmap PMDs and swap PMDs (in particular, migration PMDs). On <=6.4, this is worse than the first issue: If mfill_atomic() runs on a PMD that contains a migration entry (which just requires winning a single, fairly wide race), it will pass the PMD to pte_offset_map_lock(), which assumes that the PMD points to a page table. Breakage follows: First, the kernel tries to take the PTE lock (which will crash or maybe worse if there is no \"struct page\" for the address bits in the migration entry PMD - I think at least on X86 there usually is no corresponding \"struct page\" thanks to the PTE inversion mitigation, amd64 looks different). If that didn't crash, the kernel would next try to write a PTE into what it wrongly thinks is a page table. As part of fixing these issues, get rid of the check for pmd_trans_huge() before __pte_alloc() - that's redundant, we're going to have to check for that after the __pte_alloc() anyway. 
Backport note: pmdp_get_lockless() is pmd_read_atomic() in older kernels.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46838", "url": "https://ubuntu.com/security/CVE-2024-46838", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: userfaultfd: don't BUG_ON() if khugepaged yanks our page table Since khugepaged was changed to allow retracting page tables in file mappings without holding the mmap lock, these BUG_ON()s are wrong - get rid of them. We could also remove the preceding \"if (unlikely(...))\" block, but then we could reach pte_offset_map_lock() with transhuge pages not just for file mappings but also for anonymous mappings - which would probably be fine but I think is not necessarily expected.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46845", "url": "https://ubuntu.com/security/CVE-2024-46845", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tracing/timerlat: Only clear timer if a kthread exists The timerlat tracer can use user space threads to check for osnoise and timer latency. If the program using this is killed via a SIGTERM, the threads are shutdown one at a time and another tracing instance can start up resetting the threads before they are fully closed. That causes the hrtimer assigned to the kthread to be shutdown and freed twice when the dying thread finally closes the file descriptors, causing a use-after-free bug. Only cancel the hrtimer if the associated thread is still around. Also add the interface_lock around the resetting of the tlat_var->kthread. Note, this is just a quick fix that can be backported to stable. 
A real fix is to have a better synchronization between the shutdown of old threads and the starting of new ones.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46788", "url": "https://ubuntu.com/security/CVE-2024-46788", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tracing/osnoise: Use a cpumask to know what threads are kthreads The start_kthread() and stop_thread() code was not always called with the interface_lock held. This means that the kthread variable could be unexpectedly changed causing the kthread_stop() to be called on it when it should not have been, leading to: while true; do rtla timerlat top -u -q & PID=$!; sleep 5; kill -INT $PID; sleep 0.001; kill -TERM $PID; wait $PID; done Causing the following OOPS: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] CPU: 5 UID: 0 PID: 885 Comm: timerlatu/5 Not tainted 6.11.0-rc4-test-00002-gbc754cc76d1b-dirty #125 a533010b71dab205ad2f507188ce8c82203b0254 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:hrtimer_active+0x58/0x300 Code: 48 c1 ee 03 41 54 48 01 d1 48 01 d6 55 53 48 83 ec 20 80 39 00 0f 85 30 02 00 00 49 8b 6f 30 4c 8d 75 10 4c 89 f0 48 c1 e8 03 <0f> b6 3c 10 4c 89 f0 83 e0 07 83 c0 03 40 38 f8 7c 09 40 84 ff 0f RSP: 0018:ffff88811d97f940 EFLAGS: 00010202 RAX: 0000000000000002 RBX: ffff88823c6b5b28 RCX: ffffed10478d6b6b RDX: dffffc0000000000 RSI: ffffed10478d6b6c RDI: ffff88823c6b5b28 RBP: 0000000000000000 R08: ffff88823c6b5b58 R09: ffff88823c6b5b60 R10: ffff88811d97f957 R11: 0000000000000010 R12: 00000000000a801d R13: ffff88810d8b35d8 R14: 0000000000000010 R15: ffff88823c6b5b28 FS: 0000000000000000(0000) GS:ffff88823c680000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000561858ad7258 
CR3: 000000007729e001 CR4: 0000000000170ef0 Call Trace: ? die_addr+0x40/0xa0 ? exc_general_protection+0x154/0x230 ? asm_exc_general_protection+0x26/0x30 ? hrtimer_active+0x58/0x300 ? __pfx_mutex_lock+0x10/0x10 ? __pfx_locks_remove_file+0x10/0x10 hrtimer_cancel+0x15/0x40 timerlat_fd_release+0x8e/0x1f0 ? security_file_release+0x43/0x80 __fput+0x372/0xb10 task_work_run+0x11e/0x1f0 ? _raw_spin_lock+0x85/0xe0 ? __pfx_task_work_run+0x10/0x10 ? poison_slab_object+0x109/0x170 ? do_exit+0x7a0/0x24b0 do_exit+0x7bd/0x24b0 ? __pfx_migrate_enable+0x10/0x10 ? __pfx_do_exit+0x10/0x10 ? __pfx_read_tsc+0x10/0x10 ? ktime_get+0x64/0x140 ? _raw_spin_lock_irq+0x86/0xe0 do_group_exit+0xb0/0x220 get_signal+0x17ba/0x1b50 ? vfs_read+0x179/0xa40 ? timerlat_fd_read+0x30b/0x9d0 ? __pfx_get_signal+0x10/0x10 ? __pfx_timerlat_fd_read+0x10/0x10 arch_do_signal_or_restart+0x8c/0x570 ? __pfx_arch_do_signal_or_restart+0x10/0x10 ? vfs_read+0x179/0xa40 ? ksys_read+0xfe/0x1d0 ? __pfx_ksys_read+0x10/0x10 syscall_exit_to_user_mode+0xbc/0x130 do_syscall_64+0x74/0x110 ? __pfx___rseq_handle_notify_resume+0x10/0x10 ? __pfx_ksys_read+0x10/0x10 ? fpregs_restore_userregs+0xdb/0x1e0 ? fpregs_restore_userregs+0xdb/0x1e0 ? syscall_exit_to_user_mode+0x116/0x130 ? do_syscall_64+0x74/0x110 ? do_syscall_64+0x74/0x110 ? do_syscall_64+0x74/0x110 entry_SYSCALL_64_after_hwframe+0x71/0x79 RIP: 0033:0x7ff0070eca9c Code: Unable to access opcode bytes at 0x7ff0070eca72. 
RSP: 002b:00007ff006dff8c0 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00007ff0070eca9c RDX: 0000000000000400 RSI: 00007ff006dff9a0 RDI: 0000000000000003 RBP: 00007ff006dffde0 R08: 0000000000000000 R09: 00007ff000000ba0 R10: 00007ff007004b08 R11: 0000000000000246 R12: 0000000000000003 R13: 00007ff006dff9a0 R14: 0000000000000007 R15: 0000000000000008 Modules linked in: snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec snd_hwdep snd_hda_core ---[ end trace 0000000000000000 ]--- This is because it would mistakenly call kthread_stop() on a user space thread making it \"exit\" before it actually exits. Since kthread ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46846", "url": "https://ubuntu.com/security/CVE-2024-46846", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: spi: rockchip: Resolve unbalanced runtime PM / system PM handling Commit e882575efc77 (\"spi: rockchip: Suspend and resume the bus during NOIRQ_SYSTEM_SLEEP_PM ops\") stopped respecting runtime PM status and simply disabled clocks unconditionally when suspending the system. This causes problems when the device is already runtime suspended when we go to sleep -- in which case we double-disable clocks and produce a WARNing. Switch back to pm_runtime_force_{suspend,resume}(), because that still seems like the right thing to do, and the aforementioned commit makes no explanation why it stopped using it. 
Also, refactor some of the resume() error handling, because it's not actually a good idea to re-disable clocks on failure.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46847", "url": "https://ubuntu.com/security/CVE-2024-46847", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm: vmalloc: ensure vmap_block is initialised before adding to queue Commit 8c61291fd850 (\"mm: fix incorrect vbq reference in purge_fragmented_block\") extended the 'vmap_block' structure to contain a 'cpu' field which is set at allocation time to the id of the initialising CPU. When a new 'vmap_block' is being instantiated by new_vmap_block(), the partially initialised structure is added to the local 'vmap_block_queue' xarray before the 'cpu' field has been initialised. If another CPU is concurrently walking the xarray (e.g. via vm_unmap_aliases()), then it may perform an out-of-bounds access to the remote queue thanks to an uninitialised index. This has been observed as UBSAN errors in Android: | Internal error: UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP | | Call trace: | purge_fragmented_block+0x204/0x21c | _vm_unmap_aliases+0x170/0x378 | vm_unmap_aliases+0x1c/0x28 | change_memory_common+0x1dc/0x26c | set_memory_ro+0x18/0x24 | module_enable_ro+0x98/0x238 | do_init_module+0x1b0/0x310 Move the initialisation of 'vb->cpu' in new_vmap_block() ahead of the addition to the xarray.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46791", "url": "https://ubuntu.com/security/CVE-2024-46791", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open The mcp251x_hw_wake() function is called with the mpc_lock mutex held and disables the interrupt handler so that no interrupts can be processed while waking the device. 
If an interrupt has already occurred then waiting for the interrupt handler to complete will deadlock because it will be trying to acquire the same mutex. CPU0 CPU1 ---- ---- mcp251x_open() mutex_lock(&priv->mcp_lock) request_threaded_irq() mcp251x_can_ist() mutex_lock(&priv->mcp_lock) mcp251x_hw_wake() disable_irq() <-- deadlock Use disable_irq_nosync() instead because the interrupt handler does everything while holding the mutex so it doesn't matter if it's still running.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46829", "url": "https://ubuntu.com/security/CVE-2024-46829", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rtmutex: Drop rt_mutex::wait_lock before scheduling rt_mutex_handle_deadlock() is called with rt_mutex::wait_lock held. In the good case it returns with the lock held and in the deadlock case it emits a warning and goes into an endless scheduling loop with the lock held, which triggers the 'scheduling in atomic' warning. Unlock rt_mutex::wait_lock in the dead lock case before issuing the warning and dropping into the schedule for ever loop. [ tglx: Moved unlock before the WARN(), removed the pointless comment, \tmassaged changelog, added Fixes tag ]", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46848", "url": "https://ubuntu.com/security/CVE-2024-46848", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: Limit the period on Haswell Running the ltp test cve-2015-3290 concurrently reports the following warnings. perfevents: irq loop stuck! WARNING: CPU: 31 PID: 32438 at arch/x86/events/intel/core.c:3174 intel_pmu_handle_irq+0x285/0x370 Call Trace: ? __warn+0xa4/0x220 ? intel_pmu_handle_irq+0x285/0x370 ? __report_bug+0x123/0x130 ? intel_pmu_handle_irq+0x285/0x370 ? __report_bug+0x123/0x130 ? intel_pmu_handle_irq+0x285/0x370 ? report_bug+0x3e/0xa0 ? 
handle_bug+0x3c/0x70 ? exc_invalid_op+0x18/0x50 ? asm_exc_invalid_op+0x1a/0x20 ? irq_work_claim+0x1e/0x40 ? intel_pmu_handle_irq+0x285/0x370 perf_event_nmi_handler+0x3d/0x60 nmi_handle+0x104/0x330 Thanks to Thomas Gleixner's analysis, the issue is caused by the low initial period (1) of the frequency estimation algorithm, which triggers the defects of the HW, specifically erratum HSW11 and HSW143. (For the details, please refer https://lore.kernel.org/lkml/87plq9l5d2.ffs@tglx/) The HSW11 requires a period larger than 100 for the INST_RETIRED.ALL event, but the initial period in the freq mode is 1. The erratum is the same as the BDM11, which has been supported in the kernel. A minimum period of 128 is enforced as well on HSW. HSW143 is regarding that the fixed counter 1 may overcount 32 with the Hyper-Threading is enabled. However, based on the test, the hardware has more issues than it tells. Besides the fixed counter 1, the message 'interrupt took too long' can be observed on any counter which was armed with a period < 32 and two events expired in the same NMI. A minimum period of 32 is enforced for the rest of the events. The recommended workaround code of the HSW143 is not implemented. Because it only addresses the issue for the fixed counter. It brings extra overhead through extra MSR writing. No related overcounting issue has been reported so far.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46794", "url": "https://ubuntu.com/security/CVE-2024-46794", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: x86/tdx: Fix data leak in mmio_read() The mmio_read() function makes a TDVMCALL to retrieve MMIO data for an address from the VMM. Sean noticed that mmio_read() unintentionally exposes the value of an initialized variable (val) on the stack to the VMM. This variable is only needed as an output value. It did not need to be passed to the VMM in the first place. 
Do not send the original value of *val to the VMM. [ dhansen: clarify what 'val' is used for. ]", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46795", "url": "https://ubuntu.com/security/CVE-2024-46795", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: unset the binding mark of a reused connection Steve French reported null pointer dereference error from sha256 lib. cifs.ko can send session setup requests on reused connection. If reused connection is used for binding session, conn->binding can still remain true and generate_preauth_hash() will not set sess->Preauth_HashValue and it will be NULL. It is used as a material to create an encryption key in ksmbd_gen_smb311_encryptionkey. ->Preauth_HashValue cause null pointer dereference error from crypto_shash_update(). BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 8 PID: 429254 Comm: kworker/8:39 Hardware name: LENOVO 20MAS08500/20MAS08500, BIOS N2CET69W (1.52 ) Workqueue: ksmbd-io handle_ksmbd_work [ksmbd] RIP: 0010:lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3] ? show_regs+0x6d/0x80 ? __die+0x24/0x80 ? page_fault_oops+0x99/0x1b0 ? do_user_addr_fault+0x2ee/0x6b0 ? exc_page_fault+0x83/0x1b0 ? asm_exc_page_fault+0x27/0x30 ? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3] ? lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3] ? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3] ? 
__pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3] _sha256_update+0x77/0xa0 [sha256_ssse3] sha256_avx2_update+0x15/0x30 [sha256_ssse3] crypto_shash_update+0x1e/0x40 hmac_update+0x12/0x20 crypto_shash_update+0x1e/0x40 generate_key+0x234/0x380 [ksmbd] generate_smb3encryptionkey+0x40/0x1c0 [ksmbd] ksmbd_gen_smb311_encryptionkey+0x72/0xa0 [ksmbd] ntlm_authenticate.isra.0+0x423/0x5d0 [ksmbd] smb2_sess_setup+0x952/0xaa0 [ksmbd] __process_request+0xa3/0x1d0 [ksmbd] __handle_ksmbd_work+0x1c4/0x2f0 [ksmbd] handle_ksmbd_work+0x2d/0xa0 [ksmbd] process_one_work+0x16c/0x350 worker_thread+0x306/0x440 ? __pfx_worker_thread+0x10/0x10 kthread+0xef/0x120 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x44/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 ", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46797", "url": "https://ubuntu.com/security/CVE-2024-46797", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/qspinlock: Fix deadlock in MCS queue If an interrupt occurs in queued_spin_lock_slowpath() after we increment qnodesp->count and before node->lock is initialized, another CPU might see stale lock values in get_tail_qnode(). If the stale lock value happens to match the lock on that CPU, then we write to the \"next\" pointer of the wrong qnode. This causes a deadlock as the former CPU, once it becomes the head of the MCS queue, will spin indefinitely until it's \"next\" pointer is set by its successor in the queue. Running stress-ng on a 16 core (16EC/16VP) shared LPAR, results in occasional lockups similar to the following: $ stress-ng --all 128 --vm-bytes 80% --aggressive \\ --maximize --oomable --verify --syslog \\ --metrics --times --timeout 5m watchdog: CPU 15 Hard LOCKUP ...... 
NIP [c0000000000b78f4] queued_spin_lock_slowpath+0x1184/0x1490 LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90 Call Trace: 0xc000002cfffa3bf0 (unreliable) _raw_spin_lock+0x6c/0x90 raw_spin_rq_lock_nested.part.135+0x4c/0xd0 sched_ttwu_pending+0x60/0x1f0 __flush_smp_call_function_queue+0x1dc/0x670 smp_ipi_demux_relaxed+0xa4/0x100 xive_muxed_ipi_action+0x20/0x40 __handle_irq_event_percpu+0x80/0x240 handle_irq_event_percpu+0x2c/0x80 handle_percpu_irq+0x84/0xd0 generic_handle_irq+0x54/0x80 __do_irq+0xac/0x210 __do_IRQ+0x74/0xd0 0x0 do_IRQ+0x8c/0x170 hardware_interrupt_common_virt+0x29c/0x2a0 --- interrupt: 500 at queued_spin_lock_slowpath+0x4b8/0x1490 ...... NIP [c0000000000b6c28] queued_spin_lock_slowpath+0x4b8/0x1490 LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90 --- interrupt: 500 0xc0000029c1a41d00 (unreliable) _raw_spin_lock+0x6c/0x90 futex_wake+0x100/0x260 do_futex+0x21c/0x2a0 sys_futex+0x98/0x270 system_call_exception+0x14c/0x2f0 system_call_vectored_common+0x15c/0x2ec The following code flow illustrates how the deadlock occurs. For the sake of brevity, assume that both locks (A and B) are contended and we call the queued_spin_lock_slowpath() function. CPU0 CPU1 ---- ---- spin_lock_irqsave(A) | spin_unlock_irqrestore(A) | spin_lock(B) | | | ? | id = qnodesp->count++; | (Note that nodes[0].lock == A) | | | ? | Interrupt | (happens before \"nodes[0].lock = B\") | | | ? | spin_lock_irqsave(A) | | | ? | id = qnodesp->count++ | nodes[1].lock = A | | | ? | Tail of MCS queue | | spin_lock_irqsave(A) ? | Head of MCS queue ? | CPU0 is previous tail ? | Spin indefinitely ? (until \"nodes[1].next != NULL\") prev = get_tail_qnode(A, CPU0) | ? 
prev == &qnodes[CPU0].nodes[0] (as qnodes ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46830", "url": "https://ubuntu.com/security/CVE-2024-46830", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS Grab kvm->srcu when processing KVM_SET_VCPU_EVENTS, as KVM will forcibly leave nested VMX/SVM if SMM mode is being toggled, and leaving nested VMX reads guest memory. Note, kvm_vcpu_ioctl_x86_set_vcpu_events() can also be called from KVM_RUN via sync_regs(), which already holds SRCU. I.e. trying to precisely use kvm_vcpu_srcu_read_lock() around the problematic SMM code would cause problems. Acquiring SRCU isn't all that expensive, so for simplicity, grab it unconditionally for KVM_SET_VCPU_EVENTS. ============================= WARNING: suspicious RCU usage 6.10.0-rc7-332d2c1d713e-next-vm #552 Not tainted ----------------------------- include/linux/kvm_host.h:1027 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by repro/1071: #0: ffff88811e424430 (&vcpu->mutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x7d/0x970 [kvm] stack backtrace: CPU: 15 PID: 1071 Comm: repro Not tainted 6.10.0-rc7-332d2c1d713e-next-vm #552 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Call Trace: dump_stack_lvl+0x7f/0x90 lockdep_rcu_suspicious+0x13f/0x1a0 kvm_vcpu_gfn_to_memslot+0x168/0x190 [kvm] kvm_vcpu_read_guest+0x3e/0x90 [kvm] nested_vmx_load_msr+0x6b/0x1d0 [kvm_intel] load_vmcs12_host_state+0x432/0xb40 [kvm_intel] vmx_leave_nested+0x30/0x40 [kvm_intel] kvm_vcpu_ioctl_x86_set_vcpu_events+0x15d/0x2b0 [kvm] kvm_arch_vcpu_ioctl+0x1107/0x1750 [kvm] ? mark_held_locks+0x49/0x70 ? kvm_vcpu_ioctl+0x7d/0x970 [kvm] ? kvm_vcpu_ioctl+0x497/0x970 [kvm] kvm_vcpu_ioctl+0x497/0x970 [kvm] ? lock_acquire+0xba/0x2d0 ? 
find_held_lock+0x2b/0x80 ? do_user_addr_fault+0x40c/0x6f0 ? lock_release+0xb7/0x270 __x64_sys_ioctl+0x82/0xb0 do_syscall_64+0x6c/0x170 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7ff11eb1b539 ", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46798", "url": "https://ubuntu.com/security/CVE-2024-46798", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object When using kernel with the following extra config, - CONFIG_KASAN=y - CONFIG_KASAN_GENERIC=y - CONFIG_KASAN_INLINE=y - CONFIG_KASAN_VMALLOC=y - CONFIG_FRAME_WARN=4096 kernel detects that snd_pcm_suspend_all() access a freed 'snd_soc_pcm_runtime' object when the system is suspended, which leads to a use-after-free bug: [ 52.047746] BUG: KASAN: use-after-free in snd_pcm_suspend_all+0x1a8/0x270 [ 52.047765] Read of size 1 at addr ffff0000b9434d50 by task systemd-sleep/2330 [ 52.047785] Call trace: [ 52.047787] dump_backtrace+0x0/0x3c0 [ 52.047794] show_stack+0x34/0x50 [ 52.047797] dump_stack_lvl+0x68/0x8c [ 52.047802] print_address_description.constprop.0+0x74/0x2c0 [ 52.047809] kasan_report+0x210/0x230 [ 52.047815] __asan_report_load1_noabort+0x3c/0x50 [ 52.047820] snd_pcm_suspend_all+0x1a8/0x270 [ 52.047824] snd_soc_suspend+0x19c/0x4e0 The snd_pcm_sync_stop() has a NULL check on 'substream->runtime' before making any access. So we need to always set 'substream->runtime' to NULL everytime we kfree() it.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46831", "url": "https://ubuntu.com/security/CVE-2024-46831", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: microchip: vcap: Fix use-after-free error in kunit test This is a clear use-after-free error. 
We remove it, and rely on checking the return code of vcap_del_rule.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46747", "url": "https://ubuntu.com/security/CVE-2024-46747", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup report_fixup for the Cougar 500k Gaming Keyboard was not verifying that the report descriptor size was correct before accessing it", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46725", "url": "https://ubuntu.com/security/CVE-2024-46725", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix out-of-bounds write warning Check the ring type value to fix the out-of-bounds write warning", "cve_priority": "medium", "cve_public_date": "2024-09-18 07:15:00 UTC" }, { "cve": "CVE-2024-46724", "url": "https://ubuntu.com/security/CVE-2024-46724", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number Check the fb_channel_number range to avoid the array out-of-bounds read error", "cve_priority": "medium", "cve_public_date": "2024-09-18 07:15:00 UTC" }, { "cve": "CVE-2024-46723", "url": "https://ubuntu.com/security/CVE-2024-46723", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix ucode out-of-bounds read warning Clear warning that read ucode[] may out-of-bounds.", "cve_priority": "medium", "cve_public_date": "2024-09-18 07:15:00 UTC" }, { "cve": "CVE-2024-46743", "url": "https://ubuntu.com/security/CVE-2024-46743", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: of/irq: Prevent device address out-of-bounds read in interrupt map walk When of_irq_parse_raw() is invoked with a device address smaller than the interrupt parent node 
(from #address-cells property), KASAN detects the following out-of-bounds read when populating the initial match table (dyndbg=\"func of_irq_parse_* +p\"): OF: of_irq_parse_one: dev=/soc@0/picasso/watchdog, index=0 OF: parent=/soc@0/pci@878000000000/gpio0@17,0, intsize=2 OF: intspec=4 OF: of_irq_parse_raw: ipar=/soc@0/pci@878000000000/gpio0@17,0, size=2 OF: -> addrsize=3 ================================================================== BUG: KASAN: slab-out-of-bounds in of_irq_parse_raw+0x2b8/0x8d0 Read of size 4 at addr ffffff81beca5608 by task bash/764 CPU: 1 PID: 764 Comm: bash Tainted: G O 6.1.67-484c613561-nokia_sm_arm64 #1 Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.01-12.24.03-dirty 01/01/2023 Call trace: dump_backtrace+0xdc/0x130 show_stack+0x1c/0x30 dump_stack_lvl+0x6c/0x84 print_report+0x150/0x448 kasan_report+0x98/0x140 __asan_load4+0x78/0xa0 of_irq_parse_raw+0x2b8/0x8d0 of_irq_parse_one+0x24c/0x270 parse_interrupts+0xc0/0x120 of_fwnode_add_links+0x100/0x2d0 fw_devlink_parse_fwtree+0x64/0xc0 device_add+0xb38/0xc30 of_device_add+0x64/0x90 of_platform_device_create_pdata+0xd0/0x170 of_platform_bus_create+0x244/0x600 of_platform_notify+0x1b0/0x254 blocking_notifier_call_chain+0x9c/0xd0 __of_changeset_entry_notify+0x1b8/0x230 __of_changeset_apply_notify+0x54/0xe4 of_overlay_fdt_apply+0xc04/0xd94 ... 
The buggy address belongs to the object at ffffff81beca5600 which belongs to the cache kmalloc-128 of size 128 The buggy address is located 8 bytes inside of 128-byte region [ffffff81beca5600, ffffff81beca5680) The buggy address belongs to the physical page: page:00000000230d3d03 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1beca4 head:00000000230d3d03 order:1 compound_mapcount:0 compound_pincount:0 flags: 0x8000000000010200(slab|head|zone=2) raw: 8000000000010200 0000000000000000 dead000000000122 ffffff810000c300 raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffffff81beca5500: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffffff81beca5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffffff81beca5600: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffffff81beca5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffffff81beca5700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc ================================================================== OF: -> got it ! Prevent the out-of-bounds read by copying the device address into a buffer of sufficient size.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46757", "url": "https://ubuntu.com/security/CVE-2024-46757", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (nct6775-core) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. 
Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46759", "url": "https://ubuntu.com/security/CVE-2024-46759", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (adc128d818) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46758", "url": "https://ubuntu.com/security/CVE-2024-46758", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (lm95234) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46756", "url": "https://ubuntu.com/security/CVE-2024-46756", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (w83627ehf) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. 
Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46738", "url": "https://ubuntu.com/security/CVE-2024-46738", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: VMCI: Fix use-after-free when removing resource in vmci_resource_remove() When removing a resource from vmci_resource_table in vmci_resource_remove(), the search is performed using the resource handle by comparing context and resource fields. It is possible though to create two resources with different types but same handle (same context and resource fields). When trying to remove one of the resources, vmci_resource_remove() may not remove the intended one, but the object will still be freed as in the case of the datagram type in vmci_datagram_destroy_handle(). vmci_resource_table will still hold a pointer to this freed resource leading to a use-after-free vulnerability. BUG: KASAN: use-after-free in vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline] BUG: KASAN: use-after-free in vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147 Read of size 4 at addr ffff88801c16d800 by task syz-executor197/1592 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x82/0xa9 lib/dump_stack.c:106 print_address_description.constprop.0+0x21/0x366 mm/kasan/report.c:239 __kasan_report.cold+0x7f/0x132 mm/kasan/report.c:425 kasan_report+0x38/0x51 mm/kasan/report.c:442 vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline] vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147 vmci_qp_broker_detach+0x89a/0x11b9 drivers/misc/vmw_vmci/vmci_queue_pair.c:2182 ctx_free_ctx+0x473/0xbe1 drivers/misc/vmw_vmci/vmci_context.c:444 kref_put include/linux/kref.h:65 [inline] vmci_ctx_put drivers/misc/vmw_vmci/vmci_context.c:497 [inline] vmci_ctx_destroy+0x170/0x1d6 drivers/misc/vmw_vmci/vmci_context.c:195 
vmci_host_close+0x125/0x1ac drivers/misc/vmw_vmci/vmci_host.c:143 __fput+0x261/0xa34 fs/file_table.c:282 task_work_run+0xf0/0x194 kernel/task_work.c:164 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop+0x184/0x189 kernel/entry/common.c:187 exit_to_user_mode_prepare+0x11b/0x123 kernel/entry/common.c:220 __syscall_exit_to_user_mode_work kernel/entry/common.c:302 [inline] syscall_exit_to_user_mode+0x18/0x42 kernel/entry/common.c:313 do_syscall_64+0x41/0x85 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x6e/0x0 This change ensures the type is also checked when removing the resource from vmci_resource_table in vmci_resource_remove().", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46722", "url": "https://ubuntu.com/security/CVE-2024-46722", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix mc_data out-of-bounds read warning Clear warning that read mc_data[i-1] may out-of-bounds.", "cve_priority": "medium", "cve_public_date": "2024-09-18 07:15:00 UTC" }, { "cve": "CVE-2024-42284", "url": "https://ubuntu.com/security/CVE-2024-42284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tipc: Return non-zero value from tipc_udp_addr2str() on error tipc_udp_addr2str() should return non-zero value if the UDP media address is invalid. Otherwise, a buffer overflow access can occur in tipc_media_addr_printf(). Fix this by returning 1 on an invalid UDP media address.", "cve_priority": "medium", "cve_public_date": "2024-08-17 09:15:00 UTC" }, { "cve": "CVE-2024-44987", "url": "https://ubuntu.com/security/CVE-2024-44987", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent UAF in ip6_send_skb() syzbot reported an UAF in ip6_send_skb() [1] After ip6_local_out() has returned, we no longer can safely dereference rt, unless we hold rcu_read_lock(). 
A similar issue has been fixed in commit a688caa34beb (\"ipv6: take rcu lock in rawv6_send_hdrinc()\") Another potential issue in ip6_finish_output2() is handled in a separate patch. [1] BUG: KASAN: slab-use-after-free in ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964 Read of size 8 at addr ffff88806dde4858 by task syz.1.380/6530 CPU: 1 UID: 0 PID: 6530 Comm: syz.1.380 Not tainted 6.11.0-rc3-syzkaller-00306-gdf6cbc62cc9b #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964 rawv6_push_pending_frames+0x75c/0x9e0 net/ipv6/raw.c:588 rawv6_sendmsg+0x19c7/0x23c0 net/ipv6/raw.c:926 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x1a6/0x270 net/socket.c:745 sock_write_iter+0x2dd/0x400 net/socket.c:1160 do_iter_readv_writev+0x60a/0x890 vfs_writev+0x37c/0xbb0 fs/read_write.c:971 do_writev+0x1b1/0x350 fs/read_write.c:1018 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f936bf79e79 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f936cd7f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 RAX: ffffffffffffffda RBX: 00007f936c115f80 RCX: 00007f936bf79e79 RDX: 0000000000000001 RSI: 0000000020000040 RDI: 0000000000000004 RBP: 00007f936bfe7916 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f936c115f80 R15: 00007fff2860a7a8 Allocated by task 6530: kasan_save_stack 
mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:312 [inline] __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slub.c:3988 [inline] slab_alloc_node mm/slub.c:4037 [inline] kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4044 dst_alloc+0x12b/0x190 net/core/dst.c:89 ip6_blackhole_route+0x59/0x340 net/ipv6/route.c:2670 make_blackhole net/xfrm/xfrm_policy.c:3120 [inline] xfrm_lookup_route+0xd1/0x1c0 net/xfrm/xfrm_policy.c:3313 ip6_dst_lookup_flow+0x13e/0x180 net/ipv6/ip6_output.c:1257 rawv6_sendmsg+0x1283/0x23c0 net/ipv6/raw.c:898 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x1a6/0x270 net/socket.c:745 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597 ___sys_sendmsg net/socket.c:2651 [inline] __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 45: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2252 [inline] slab_free mm/slub.c:4473 [inline] kmem_cache_free+0x145/0x350 mm/slub.c:4548 dst_destroy+0x2ac/0x460 net/core/dst.c:124 rcu_do_batch kernel/rcu/tree.c:2569 [inline] rcu_core+0xafd/0x1830 kernel/rcu/tree. 
---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-04 20:15:00 UTC" }, { "cve": "CVE-2024-42301", "url": "https://ubuntu.com/security/CVE-2024-42301", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: dev/parport: fix the array out-of-bounds risk Fixed array out-of-bounds issues caused by sprintf by replacing it with snprintf for safer data copying, ensuring the destination buffer is not overflowed. Below is the stack trace I encountered during the actual issue: [ 66.575408s] [pid:5118,cpu4,QThread,4]Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: do_hardware_base_addr+0xcc/0xd0 [parport] [ 66.575408s] [pid:5118,cpu4,QThread,5]CPU: 4 PID: 5118 Comm: QThread Tainted: G S W O 5.10.97-arm64-desktop #7100.57021.2 [ 66.575439s] [pid:5118,cpu4,QThread,6]TGID: 5087 Comm: EFileApp [ 66.575439s] [pid:5118,cpu4,QThread,7]Hardware name: HUAWEI HUAWEI QingYun PGUX-W515x-B081/SP1PANGUXM, BIOS 1.00.07 04/29/2024 [ 66.575439s] [pid:5118,cpu4,QThread,8]Call trace: [ 66.575469s] [pid:5118,cpu4,QThread,9] dump_backtrace+0x0/0x1c0 [ 66.575469s] [pid:5118,cpu4,QThread,0] show_stack+0x14/0x20 [ 66.575469s] [pid:5118,cpu4,QThread,1] dump_stack+0xd4/0x10c [ 66.575500s] [pid:5118,cpu4,QThread,2] panic+0x1d8/0x3bc [ 66.575500s] [pid:5118,cpu4,QThread,3] __stack_chk_fail+0x2c/0x38 [ 66.575500s] [pid:5118,cpu4,QThread,4] do_hardware_base_addr+0xcc/0xd0 [parport]", "cve_priority": "medium", "cve_public_date": "2024-08-17 09:15:00 UTC" }, { "cve": "CVE-2024-44998", "url": "https://ubuntu.com/security/CVE-2024-44998", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: idt77252: prevent use after free in dequeue_rx() We can't dereference \"skb\" after calling vcc->push() because the skb is released.", "cve_priority": "medium", "cve_public_date": "2024-09-04 20:15:00 UTC" } ], "log": [ "", " * noble/linux-riscv: 6.8.0-50.51.1 -proposed tracker (LP: #2086298)", "", " * 
Noble update: upstream stable patchset 2024-10-29 (LP: #2085849)", " - Revert \"mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K\"", "", " * Packaging resync (LP: #1786013)", " - [Packaging] resync git-ubuntu-log", " - [Packaging] debian.riscv/dkms-versions -- update from kernel-versions", " (main/2024.10.28)", "", " [ Ubuntu: 6.8.0-50.51 ]", "", " * noble/linux: 6.8.0-50.51 -proposed tracker (LP: #2086301)", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.master/dkms-versions -- update from kernel-versions", " (main/2024.10.28)", " * Noble update: upstream stable patchset 2024-10-31 (LP: #2086138)", " - device property: Add cleanup.h based fwnode_handle_put() scope based", " cleanup.", " - device property: Introduce device_for_each_child_node_scoped()", " - iio: adc: ad7124: Switch from of specific to fwnode based property handling", " - ksmbd: override fsids for share path check", " - ksmbd: override fsids for smb2_query_info()", " - usbnet: ipheth: remove extraneous rx URB length check", " - usbnet: ipheth: drop RX URBs with no payload", " - usbnet: ipheth: do not stop RX on failing RX callback", " - usbnet: ipheth: fix carrier detection in modes 1 and 4", " - net: ethernet: use ip_hdrlen() instead of bit shift", " - drm: panel-orientation-quirks: Add quirk for Ayn Loki Zero", " - drm: panel-orientation-quirks: Add quirk for Ayn Loki Max", " - net: phy: vitesse: repair vsc73xx autonegotiation", " - powerpc/mm: Fix boot warning with hugepages and CONFIG_DEBUG_VIRTUAL", " - wifi: mt76: mt7921: fix NULL pointer access in mt7921_ipv6_addr_change", " - net: hns3: use correct release function during uninitialization", " - btrfs: update target inode's ctime on unlink", " - Input: ads7846 - ratelimit the spi_sync error message", " - Input: synaptics - enable SMBus for HP Elitebook 840 G2", " - HID: multitouch: Add support for GT7868Q", " - scripts: kconfig: merge_config: config files: add a trailing newline", " - platform/surface: 
aggregator_registry: Add Support for Surface Pro 10", " - platform/surface: aggregator_registry: Add support for Surface Laptop Go 3", " - drm/msm/adreno: Fix error return if missing firmware-name", " - Input: i8042 - add Fujitsu Lifebook E756 to i8042 quirk table", " - smb/server: fix return value of smb2_open()", " - NFSv4: Fix clearing of layout segments in layoutreturn", " - NFS: Avoid unnecessary rescanning of the per-server delegation list", " - platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses", " - platform/x86: panasonic-laptop: Allocate 1 entry extra in the sinf array", " - mptcp: pm: Fix uaf in __timer_delete_sync", " - arm64: dts: rockchip: fix eMMC/SPI corruption when audio has been used on", " RK3399 Puma", " - arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399", " Puma", " - minmax: reduce min/max macro expansion in atomisp driver", " - net: tighten bad gso csum offset check in virtio_net_hdr", " - dm-integrity: fix a race condition when accessing recalc_sector", " - x86/hyperv: fix kexec crash due to VP assist page corruption", " - mm: avoid leaving partial pfn mappings around in error case", " - arm64: dts: rockchip: fix PMIC interrupt pin in pinctrl for ROCK Pi E", " - drm/amd/display: Disable error correction if it's not supported", " - drm/amd/display: Fix FEC_READY write on DP LT", " - eeprom: digsy_mtc: Fix 93xx46 driver probe failure", " - cxl/core: Fix incorrect vendor debug UUID define", " - selftests/bpf: Support SOCK_STREAM in unix_inet_redir_to_connected()", " - hwmon: (pmbus) Conditionally clear individual status bits for pmbus rev >=", " 1.2", " - ice: Fix lldp packets dropping after changing the number of channels", " - ice: fix accounting for filters shared by multiple VSIs", " - ice: fix VSI lists confusion when adding VLANs", " - igb: Always call igb_xdp_ring_update_tail() under Tx lock", " - net/mlx5: Update the list of the PCI supported devices", " - net/mlx5e: Add missing link modes to 
ptys2ethtool_map", " - net/mlx5e: Add missing link mode to ptys2ext_ethtool_map", " - net/mlx5: Explicitly set scheduling element and TSAR type", " - net/mlx5: Add missing masks and QoS bit masks for scheduling elements", " - net/mlx5: Correct TASR typo into TSAR", " - net/mlx5: Verify support for scheduling element and TSAR type", " - net/mlx5: Fix bridge mode operations when there are no VFs", " - fou: fix initialization of grc", " - octeontx2-af: Modify SMQ flush sequence to drop packets", " - net: ftgmac100: Enable TX interrupt to avoid TX timeout", " - selftests: net: csum: Fix checksums for packets with non-zero padding", " - netfilter: nft_socket: fix sk refcount leaks", " - net: dsa: felix: ignore pending status of TAS module when it's disabled", " - net: dpaa: Pad packets to ETH_ZLEN", " - tracing/osnoise: Fix build when timerlat is not enabled", " - spi: nxp-fspi: fix the KASAN report out-of-bounds bug", " - drm/syncobj: Fix syncobj leak in drm_syncobj_eventfd_ioctl", " - dma-buf: heaps: Fix off-by-one in CMA heap fault handler", " - drm/nouveau/fb: restore init() for ramgp102", " - drm/amdgpu/atomfirmware: Silence UBSAN warning", " - drm/amd/amdgpu: apply command submission parser for JPEG v1", " - spi: geni-qcom: Undo runtime PM changes at driver exit time", " - spi: geni-qcom: Fix incorrect free_irq() sequence", " - drm/i915/guc: prevent a possible int overflow in wq offsets", " - ASoC: codecs: avoid possible garbage value in peb2466_reg_read()", " - cifs: Fix signature miscalculation", " - pinctrl: meteorlake: Add Arrow Lake-H/U ACPI ID", " - ASoC: meson: axg-card: fix 'use-after-free'", " - drm/mediatek: Set sensible cursor width/height values to fix crash", " - Input: edt-ft5x06 - add support for FocalTech FT5452 and FT8719", " - Input: edt-ft5x06 - add support for FocalTech FT8201", " - cgroup/cpuset: Eliminate unncessary sched domains rebuilds in hotplug", " - spi: zynqmp-gqspi: Scale timeout by data size", " - drm/xe: use devm instead of drmm for 
managed bo", " - net: libwx: fix number of Rx and Tx descriptors", " - clocksource: hyper-v: Use lapic timer in a TDX VM without paravisor", " - bcachefs: Fix bch2_extents_match() false positive", " - bcachefs: Don't delete open files in online fsck", " - firmware: qcom: uefisecapp: Fix deadlock in qcuefi_acquire()", " - riscv: dts: starfive: jh7110-common: Fix lower rate of CPUfreq by setting", " PLL0 rate to 1.5GHz", " - cxl: Restore XOR'd position bits during address translation", " - netlink: specs: mptcp: fix port endianness", " - drm/amd/display: Avoid race between dcn10_set_drr() and dc_state_destruct()", " - drm/amd/display: Avoid race between dcn35_set_drr() and dc_state_destruct()", " - drm/amd/amdgpu: apply command submission parser for JPEG v2+", " - drm/xe/client: fix deadlock in show_meminfo()", " - drm/xe/client: remove bogus rcu list usage", " - drm/xe/client: add missing bo locking in show_meminfo()", " - tracing/kprobes: Fix build error when find_module() is not available", " - drm/xe/display: fix compat IS_DISPLAY_STEP() range end", " - Upstream stable to v6.6.52, v6.10.11", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849)", " - KVM: SVM: fix emulation of msr reads/writes of MSR_FS_BASE and MSR_GS_BASE", " - KVM: SVM: Don't advertise Bus Lock Detect to guest if SVM support is missing", " - ALSA: hda/conexant: Add pincfg quirk to enable top speakers on Sirius", " devices", " - ALSA: hda/realtek: add patch for internal mic in Lenovo V145", " - ALSA: hda/realtek: Support mute LED on HP Laptop 14-dq2xxx", " - ksmbd: Unlock on in ksmbd_tcp_set_interfaces()", " - ata: libata: Fix memory leak for error path in ata_host_alloc()", " - irqchip/gic-v2m: Fix refcount leak in gicv2m_of_init()", " - x86/kaslr: Expose and use the end of the physical memory address space", " - nvme-pci: Add sleep quirk for Samsung 990 Evo", " - rust: types: Make Opaque::get const", " - rust: macros: provide correct provenance when constructing THIS_MODULE", " 
- Revert \"Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/LE\"", " - Bluetooth: MGMT: Ignore keys being loaded with invalid type", " - mmc: core: apply SD quirks earlier during probe", " - mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K", " - mmc: sdhci-of-aspeed: fix module autoloading", " - mmc: cqhci: Fix checking of CQHCI_HALT state", " - fuse: update stats for pages in dropped aux writeback list", " - fuse: use unsigned type for getxattr/listxattr size truncation", " - fuse: fix memory leak in fuse_create_open", " - clk: starfive: jh7110-sys: Add notifier for PLL0 clock", " - clk: qcom: clk-alpha-pll: Fix the pll post div mask", " - clk: qcom: clk-alpha-pll: Fix the trion pll postdiv set rate API", " - kexec_file: fix elfcorehdr digest exclusion when CONFIG_CRASH_HOTPLUG=y", " - tracing: Avoid possible softlockup in tracing_iter_reset()", " - tracing/timerlat: Add interface_lock around clearing of kthread in", " stop_kthread()", " - net: mctp-serial: Fix missing escapes on transmit", " - x86/fpu: Avoid writing LBR bit to IA32_XSS unless supported", " - x86/apic: Make x2apic_disable() work correctly", " - drm/i915: Do not attempt to load the GSC multiple times", " - ALSA: control: Apply sanity check of input values for user elements", " - ALSA: hda: Add input value sanity checks to HDMI channel map controls", " - wifi: ath12k: fix uninitialize symbol error on ath12k_peer_assoc_h_he()", " - smack: unix sockets: fix accept()ed socket label", " - bpf, verifier: Correct tail_call_reachable for bpf prog", " - accel/habanalabs/gaudi2: unsecure edma max outstanding register", " - irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1", " - af_unix: Remove put_pid()/put_cred() in copy_peercred().", " - x86/kmsan: Fix hook for unaligned accesses", " - iommu: sun50i: clear bypass register", " - netfilter: nf_conncount: fix wrong variable type", " - fs/ntfs3: One more reason to mark inode bad", " - riscv: kprobes: Use patch_text_nosync() for 
insn slots", " - media: vivid: fix wrong sizeimage value for mplane", " - leds: spi-byte: Call of_node_put() on error path", " - wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3", " - usb: uas: set host status byte on data completion error", " - drm/amd/display: Check HDCP returned status", " - drm/amdgpu: clear RB_OVERFLOW bit when enabling interrupts", " - media: vivid: don't set HDMI TX controls if there are no HDMI outputs", " - vfio/spapr: Always clear TCEs before unsetting the window", " - ice: Check all ice_vsi_rebuild() errors in function", " - Input: ili210x - use kvmalloc() to allocate buffer for firmware update", " - media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse", " - pcmcia: Use resource_size function on resource object", " - drm/amdgpu: check for LINEAR_ALIGNED correctly in check_tiling_flags_gfx6", " - can: m_can: Release irq on error in m_can_open", " - can: mcp251xfd: fix ring configuration when switching from CAN-CC to CAN-FD", " mode", " - rust: kbuild: fix export of bss symbols", " - cifs: Fix FALLOC_FL_ZERO_RANGE to preflush buffered part of target region", " - igb: Fix not clearing TimeSync interrupts for 82580", " - platform/x86: dell-smbios: Fix error path in dell_smbios_init()", " - regulator: core: Stub devm_regulator_bulk_get_const() if !CONFIG_REGULATOR", " - can: kvaser_pciefd: Skip redundant NULL pointer check in ISR", " - can: kvaser_pciefd: Remove unnecessary comment", " - can: kvaser_pciefd: Rename board_irq to pci_irq", " - can: kvaser_pciefd: Move reset of DMA RX buffers to the end of the ISR", " - can: kvaser_pciefd: Use a single write when releasing RX buffers", " - Bluetooth: qca: If memdump doesn't work, re-enable IBS", " - Bluetooth: hci_sync: Introduce hci_cmd_sync_run/hci_cmd_sync_run_once", " - Bluetooth: MGMT: Fix not generating command complete for MGMT_OP_DISCONNECT", " - igc: Unlock on error in igc_io_resume()", " - ice: do not bring the VSI up, if it was down before the XDP setup", " - usbnet: modern 
method to get random MAC", " - bpf, net: Fix a potential race in do_sock_getsockopt()", " - bareudp: Fix device stats updates.", " - r8152: fix the firmware doesn't work", " - net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN", " - net: dsa: vsc73xx: fix possible subblocks range of CAPT block", " - selftests: net: enable bind tests", " - firmware: cs_dsp: Don't allow writes to read-only controls", " - phy: zynqmp: Take the phy mutex in xlate", " - ASoC: topology: Properly initialize soc_enum values", " - dm init: Handle minors larger than 255", " - iommu/vt-d: Handle volatile descriptor status read", " - cgroup: Protect css->cgroup write under css_set_lock", " - devres: Initialize an uninitialized struct member", " - virtio_ring: fix KMSAN error for premapped mode", " - crypto: qat - fix unintentional re-enabling of error interrupts", " - ASoc: TAS2781: replace beXX_to_cpup with get_unaligned_beXX for potentially", " broken alignment", " - libbpf: Add NULL checks to bpf_object__{prev_map,next_map}", " - drm/amdgpu: Set no_hw_access when VF request full GPU fails", " - ext4: fix possible tid_t sequence overflows", " - jbd2: avoid mount failed when commit block is partial submitted", " - dma-mapping: benchmark: Don't starve others when doing the test", " - drm/amdgpu: reject gang submit on reserved VMIDs", " - smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu()", " - fs/ntfs3: Check more cases when directory is corrupted", " - btrfs: replace BUG_ON with ASSERT in walk_down_proc()", " - cxl/region: Verify target positions using the ordered target list", " - riscv: set trap vector earlier", " - tcp: Don't drop SYN+ACK for simultaneous connect().", " - net: dpaa: avoid on-stack arrays of NR_CPUS elements", " - LoongArch: Use correct API to map cmdline in relocate_kernel()", " - regmap: maple: work around gcc-14.1 false-positive warning", " - vfs: Fix potential circular locking through setxattr() and removexattr()", " - i3c: master: svc: 
resend target address when get NACK", " - kselftests: dmabuf-heaps: Ensure the driver name is null-terminated", " - btrfs: initialize location to fix -Wmaybe-uninitialized in", " btrfs_lookup_dentry()", " - s390/vmlinux.lds.S: Move ro_after_init section behind rodata section", " - usbnet: ipheth: race between ipheth_close and error handling", " - spi: spi-fsl-lpspi: limit PRESCALE bit in TCR register", " - ata: pata_macio: Use WARN instead of BUG", " - NFSv4: Add missing rescheduling points in", " nfs_client_return_marked_delegations", " - ACPI: CPPC: Add helper to get the highest performance value", " - cpufreq: amd-pstate: Enable amd-pstate preferred core support", " - cpufreq: amd-pstate: fix the highest frequency issue which limits", " performance", " - tcp: process the 3rd ACK with sk_socket for TFO/MPTCP", " - iio: buffer-dmaengine: fix releasing dma channel on error", " - iio: fix scale application in iio_convert_raw_to_processed_unlocked", " - iio: adc: ad7124: fix config comparison", " - iio: adc: ad7606: remove frstdata check for serial mode", " - iio: adc: ad7124: fix chip ID mismatch", " - usb: dwc3: core: update LC timer as per USB Spec V3.2", " - usb: cdns2: Fix controller reset issue", " - usb: dwc3: Avoid waking up gadget during startxfer", " - nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc", " - Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic", " - clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX", " - clocksource/drivers/imx-tpm: Fix next event not taking effect sometime", " - clocksource/drivers/timer-of: Remove percpu irq related code", " - uprobes: Use kzalloc to allocate xol area", " - Revert \"mm: skip CMA pages when they are not available\"", " - workqueue: wq_watchdog_touch is always called with valid CPU", " - workqueue: Improve scalability of workqueue watchdog touch", " - ACPI: processor: Return an error if acpi_processor_get_info() fails in", " processor_add()", " - ACPI: processor: 
Fix memory leaks in error paths of processor_add()", " - arm64: acpi: Move get_cpu_for_acpi_id() to a header", " - can: mcp251xfd: mcp251xfd_handle_rxif_ring_uinc(): factor out in separate", " function", " - can: mcp251xfd: rx: prepare to workaround broken RX FIFO head index erratum", " - can: mcp251xfd: clarify the meaning of timestamp", " - can: mcp251xfd: rx: add workaround for erratum DS80000789E 6 of mcp2518fd", " - drm/amd: Add gfx12 swizzle mode defs", " - drm/amdgpu: handle gfx12 in amdgpu_display_verify_sizes", " - ata: libata-scsi: Remove redundant sense_buffer memsets", " - ata: libata-scsi: Check ATA_QCFLAG_RTF_FILLED before using result_tf", " - crypto: starfive - Align rsa input data to 32-bit", " - crypto: starfive - Fix nent assignment in rsa dec", " - clk: qcom: ipq9574: Update the alpha PLL type for GPLLs", " - powerpc/64e: remove unused IBM HTW code", " - powerpc/64e: split out nohash Book3E 64-bit code", " - powerpc/64e: Define mmu_pte_psize static", " - powerpc/vdso: Don't discard rela sections", " - ASoC: tegra: Fix CBB error during probe()", " - nvme-pci: allocate tagset on reset if necessary", " - ASoc: SOF: topology: Clear SOF link platform name upon unload", " - ASoC: sunxi: sun4i-i2s: fix LRCLK polarity in i2s mode", " - clk: qcom: gcc-sm8550: Don't use parking clk_ops for QUPs", " - clk: qcom: gcc-sm8550: Don't park the USB RCG at registration time", " - drm/i915/fence: Mark debug_fence_init_onstack() with __maybe_unused", " - drm/i915/fence: Mark debug_fence_free() with __maybe_unused", " - gpio: rockchip: fix OF node leak in probe()", " - gpio: modepin: Enable module autoloading", " - riscv: Fix toolchain vector detection", " - riscv: Do not restrict memory size because of linear mapping on nommu", " - membarrier: riscv: Add full memory barrier in switch_mm()", " - [Config] updateconfigs for ARCH_HAS_MEMBARRIER_CALLBACKS", " - x86/mm: Fix PTI for i386 some more", " - btrfs: fix race between direct IO write and fsync when using same 
fd", " - spi: spi-fsl-lpspi: Fix off-by-one in prescale max", " - ALSA: hda/realtek: Enable Mute Led for HP Victus 15-fb1xxx", " - ALSA: hda/realtek - Fix inactive headset mic jack for ASUS Vivobook 15", " X1504VAP", " - fuse: clear PG_uptodate when using a stolen page", " - riscv: misaligned: remove CONFIG_RISCV_M_MODE specific code", " - parisc: Delay write-protection until mark_rodata_ro() call", " - pinctrl: qcom: x1e80100: Bypass PDC wakeup parent for now", " - maple_tree: remove rcu_read_lock() from mt_validate()", " - Revert \"wifi: ath11k: restore country code during resume\"", " - btrfs: qgroup: don't use extent changeset when not needed", " - btrfs: zoned: handle broken write pointer on zones", " - drm/xe/gsc: Do not attempt to load the GSC multiple times", " - drm/amdgpu: always allocate cleared VRAM for GEM allocations", " - drm/amd/display: Lock DC and exit IPS when changing backlight", " - ALSA: hda/realtek: extend quirks for Clevo V5[46]0", " - cgroup/cpuset: Delay setting of CS_CPU_EXCLUSIVE until valid partition", " - virt: sev-guest: Mark driver struct with __refdata to prevent section", " mismatch", " - media: b2c2: flexcop-usb: fix flexcop_usb_memory_req", " - gve: Add adminq mutex lock", " - wifi: rtw89: wow: prevent to send unexpected H2C during download Firmware", " - drm/amdgpu: add missing error handling in function", " amdgpu_gmc_flush_gpu_tlb_pasid", " - crypto: qat - initialize user_input.lock for rate_limiting", " - locking: Add rwsem_assert_held() and rwsem_assert_held_write()", " - fs: don't copy to userspace under namespace semaphore", " - fs: relax permissions for statmount()", " - seccomp: release task filters when the task exits", " - drm/amdgpu/display: handle gfx12 in amdgpu_dm_plane_format_mod_supported", " - can: m_can: Remove m_can_rx_peripheral indirection", " - can: m_can: Do not cancel timer from within timer", " - mm: Provide a means of invalidation without using launder_folio", " - cifs: Fix copy offload to flush 
destination region", " - hwmon: ltc2991: fix register bits defines", " - scripts: fix gfp-translate after ___GFP_*_BITS conversion to an enum", " - ptp: ocp: convert serial ports to array", " - ptp: ocp: adjust sysfs entries to expose tty information", " - ice: check ICE_VSI_DOWN under rtnl_lock when preparing for reset", " - ice: remove ICE_CFG_BUSY locking from AF_XDP code", " - net: xilinx: axienet: Fix race in axienet_stop", " - iommu/vt-d: Remove control over Execute-Requested requests", " - block: don't call bio_uninit from bio_endio", " - tracing/kprobes: Add symbol counting check when module loads", " - perf/x86/intel: Hide Topdown metrics events if the feature is not enumerated", " - PCI: qcom: Override NO_SNOOP attribute for SA8775P RC", " - staging: vchiq_core: Bubble up wait_event_interruptible() return value", " - watchdog: imx7ulp_wdt: keep already running watchdog enabled", " - btrfs: slightly loosen the requirement for qgroup removal", " - drm/amdgpu: add PSP RAS address query command", " - drm/amdgpu: add mutex to protect ras shared memory", " - s390/boot: Do not assume the decompressor range is reserved", " - drm/amdgpu: Fix two reset triggered in a row", " - drm/amdgpu: Add reset_context flag for host FLR", " - drm/amdgpu: Fix amdgpu_device_reset_sriov retry logic", " - fs: only copy to userspace on success in listmount()", " - iio: adc: ad7124: fix DT configuration parsing", " - nvmem: u-boot-env: error if NVMEM device is too small", " - mm: zswap: rename is_zswap_enabled() to zswap_is_enabled()", " - mm/memcontrol: respect zswap.writeback setting from parent cg too", " - path: add cleanup helper", " - fs: simplify error handling", " - fs: relax permissions for listmount()", " - hid: bpf: add BPF_JIT dependency", " - net/mlx5e: SHAMPO, Use KSMs instead of KLMs", " - net/mlx5e: SHAMPO, Fix page leak", " - drm/xe/xe2: Add workaround 14021402888", " - drm/xe/xe2lpg: Extend workaround 14021402888", " - clk: qcom: gcc-x1e80100: Fix USB 0 and 1 PHY 
GDSC pwrsts flags", " - clk: qcom: gcc-x1e80100: Don't use parking clk_ops for QUPs", " - nouveau: fix the fwsec sb verification register.", " - riscv: Add tracepoints for SBI calls and returns", " - riscv: Improve sbi_ecall() code generation by reordering arguments", " - riscv: Fix RISCV_ALTERNATIVE_EARLY", " - cifs: Fix zero_point init on inode initialisation", " - nvme: rename nvme_sc_to_pr_err to nvme_status_to_pr_err", " - nvme: fix status magic numbers", " - nvme: rename CDR/MORE/DNR to NVME_STATUS_*", " - nvmet: Identify-Active Namespace ID List command should reject invalid nsid", " - drm/i915/display: Add mechanism to use sink model when applying quirk", " - drm/i915/display: Increase Fast Wake Sync length as a quirk", " - LoongArch: Use accessors to page table entries instead of direct dereference", " - Upstream stable to v6.6.51, v6.10.10", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46823", " - kunit/overflow: Fix UB in overflow_allocation_test", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46834", " - ethtool: fail closed if we can't get max channel used in indirection tables", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46751", " - btrfs: don't BUG_ON() when 0 reference count at btrfs_lookup_extent_info()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46753", " - btrfs: handle errors from btrfs_dec_ref() properly", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46841", " - btrfs: don't BUG_ON on ENOMEM from btrfs_lookup_extent_info() in", " walk_down_proc()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46754", " - bpf: Remove tst_run from lwt_seg6local_prog_ops.", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46824", " - iommufd: Require drivers to supply the 
cache_invalidate_user ops", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46842", " - scsi: lpfc: Handle mailbox timeouts in lpfc_get_sfp_info", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46766", " - ice: move netif_queue_set_napi to rtnl-protected sections", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46772", " - drm/amd/display: Check denominator crb_pipes before used", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46774", " - powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46775", " - drm/amd/display: Validate function returns", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46778", " - drm/amd/display: Check UnboundedRequestEnabled's value", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46779", " - drm/imagination: Free pvr_vm_gpuva after unlink", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46792", " - riscv: misaligned: Restrict user access to kernel memory", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46793", " - ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards harder", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46735", " - ublk_drv: fix NULL pointer dereference in ublk_ctrl_start_recovery()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46737", " - nvmet-tcp: fix kernel crash if commands allocation fails", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46822", " - arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " 
CVE-2024-46713", " - perf/aux: Fix AUX buffer serialization", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46739", " - uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46740", " - binder: fix UAF caused by offsets overwrite", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46741", " - misc: fastrpc: Fix double free of 'buf' in error path", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-47663", " - staging: iio: frequency: ad9834: Validate frequency parameter value", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46832", " - MIPS: cevt-r4k: Don't call get_c0_compare_int if timer irq is installed", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-47668", " - lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46744", " - Squashfs: sanity check symbolic link size", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46745", " - Input: uinput - reject requests with unreasonable number of slots", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46746", " - HID: amd_sfh: free driver_data after destroying hid device", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-47664", " - spi: hisi-kunpeng: Add verification for the max_frequency provided by the", " firmware", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-47665", " - i3c: mipi-i3c-hci: Error out instead on BUG_ON() in IBI DMA setup", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46749", " - Bluetooth: btnxpuart: Fix Null pointer dereference in 
btnxpuart_flush()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46750", " - PCI: Add missing bridge lock to pci_bus_lock()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46752", " - btrfs: replace BUG_ON() with error handling at update_ref_for_cow()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46840", " - btrfs: clean up our handling of refs == 0 in snapshot delete", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46755", " - wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-47666", " - scsi: pm80xx: Set phy->enable_completion only when we wait for it", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46843", " - scsi: ufs: core: Remove SCSI host only if added", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46760", " - wifi: rtw88: usb: schedule rx work after everything is set up", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46761", " - pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46844", " - um: line: always fill *error_out in setup_one_line()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46762", " - xen: privcmd: Fix possible access to a freed kirqfd instance", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46763", " - fou: Fix null-ptr-deref in GRO.", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46765", " - ice: protect XDP configuration with a mutex", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46767", " - net: phy: Fix missing 
of_node_put() for leds", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46768", " - hwmon: (hp-wmi-sensors) Check if WMI event data exists", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46770", " - ice: Add netif_device_attach/detach into PF reset flow", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46771", " - can: bcm: Remove proc entry when dev is unregistered.", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46773", " - drm/amd/display: Check denominator pbn_div before used", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-47667", " - PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46835", " - drm/amdgpu: Fix smatch static checker warning", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46776", " - drm/amd/display: Run DC_LOG_DC after checking link->link_enc", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46836", " - usb: gadget: aspeed_udc: validate endpoint index for ast udc", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46777", " - udf: Avoid excessive partition lengths", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46825", " - wifi: iwlwifi: mvm: use IWL_FW_CHECK for link ID check", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46826", " - ELF: fix kernel.randomize_va_space double read", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46827", " - wifi: ath12k: fix firmware crash due to invalid peer nss", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-47669", " - nilfs2: fix state management in error 
path of log writing function", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46780", " - nilfs2: protect references to superblock parameters exposed in sysfs", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46781", " - nilfs2: fix missing cleanup on rollforward recovery error", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46828", " - sched: sch_cake: fix bulk flow accounting logic for host fairness", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46782", " - ila: call nf_unregister_net_hooks() sooner", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46783", " - tcp_bpf: fix return value of tcp_bpf_sendmsg()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46784", " - net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46785", " - eventfs: Use list_del_rcu() for SRCU protected list variable", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46786", " - fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46787", " - userfaultfd: fix checks for huge PMDs", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46838", " - userfaultfd: don't BUG_ON() if khugepaged yanks our page table", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46845", " - tracing/timerlat: Only clear timer if a kthread exists", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46788", " - tracing/osnoise: Use a cpumask to know what threads are kthreads", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", 
" CVE-2024-46846", " - spi: rockchip: Resolve unbalanced runtime PM / system PM handling", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46847", " - mm: vmalloc: ensure vmap_block is initialised before adding to queue", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46791", " - can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46829", " - rtmutex: Drop rt_mutex::wait_lock before scheduling", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46848", " - perf/x86/intel: Limit the period on Haswell", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46794", " - x86/tdx: Fix data leak in mmio_read()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46795", " - ksmbd: unset the binding mark of a reused connection", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46797", " - powerpc/qspinlock: Fix deadlock in MCS queue", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46830", " - KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46798", " - ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46831", " - net: microchip: vcap: Fix use-after-free error in kunit test", " * Navi24 RX6300 light up issue on 6.8 kernel (LP: #2084513)", " - drm/amd/display: Ensure populate uclk in bb construction", " * Noble update: upstream stable patchset 2024-10-18 (LP: #2084941)", " - drm/fb-helper: Don't schedule_work() to flush frame buffer during panic()", " - drm: panel-orientation-quirks: Add quirk for OrangePi Neo", " - scsi: ufs: core: Check 
LSDBS cap when !mcq", " - scsi: ufs: core: Bypass quick recovery if force reset is needed", " - btrfs: tree-checker: validate dref root and objectid", " - ALSA: hda/generic: Add a helper to mute speakers at suspend/shutdown", " - ALSA: hda/conexant: Mute speakers at suspend / shutdown", " - ALSA: ump: Transmit RPN/NRPN message at each MSB/LSB data reception", " - ALSA: ump: Explicitly reset RPN with Null RPN", " - ALSA: seq: ump: Use the common RPN/bank conversion context", " - ALSA: seq: ump: Transmit RPN/NRPN message at each MSB/LSB data reception", " - ALSA: seq: ump: Explicitly reset RPN with Null RPN", " - net/mlx5: DR, Fix 'stack guard page was hit' error in dr_rule", " - ASoC: amd: yc: Support mic on HP 14-em0002la", " - spi: hisi-kunpeng: Add validation for the minimum value of speed_hz", " - i2c: Fix conditional for substituting empty ACPI functions", " - dma-debug: avoid deadlock between dma debug vs printk and netconsole", " - net: usb: qmi_wwan: add MeiG Smart SRM825L", " - ASoC: amd: yc: Support mic on Lenovo Thinkpad E14 Gen 6", " - ASoC: codecs: ES8326: button detect issue", " - selftests: mptcp: userspace pm create id 0 subflow", " - selftests: mptcp: dump userspace addrs list", " - selftests: mptcp: userspace pm get addr tests", " - selftests: mptcp: declare event macros in mptcp_lib", " - selftests: mptcp: join: cannot rm sf if closed", " - selftests: mptcp: add explicit test case for remove/readd", " - selftests: mptcp: join: check re-using ID of unused ADD_ADDR", " - selftests: mptcp: join: check re-adding init endp with != id", " - selftests: mptcp: add mptcp_lib_events helper", " - selftests: mptcp: join: validate event numbers", " - selftests: mptcp: join: check re-re-adding ID 0 signal", " - selftests: mptcp: join: test for flush/re-add endpoints", " - selftests: mptcp: join: disable get and dump addr checks", " - selftests: mptcp: join: stop transfer when check is done (part 2.2)", " - drm/amdgpu: Fix uninitialized variable warning in 
amdgpu_afmt_acr", " - drm/amd/display: Assign linear_pitch_alignment even for VM", " - drm/amdgpu: fix overflowed array index read warning", " - drm/amdgpu/pm: Check the return value of smum_send_msg_to_smc", " - drm/amd/pm: fix uninitialized variable warning", " - drm/amd/pm: fix uninitialized variable warning for smu8_hwmgr", " - drm/amd/pm: fix warning using uninitialized value of max_vid_step", " - drm/amd/pm: Fix negative array index read", " - drm/amd/pm: fix the Out-of-bounds read warning", " - drm/amd/pm: fix uninitialized variable warnings for vega10_hwmgr", " - drm/amdgpu: avoid reading vf2pf info size from FB", " - drm/amd/display: Check gpio_id before used as array index", " - drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6", " - drm/amd/display: Check index for aux_rd_interval before using", " - drm/amd/display: Add array index check for hdcp ddc access", " - drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[]", " - drm/amd/display: Check msg_id before processing transcation", " - drm/amd/display: Fix Coverity INTERGER_OVERFLOW within", " construct_integrated_info", " - drm/amd/display: Fix Coverity INTEGER_OVERFLOW within", " dal_gpio_service_create", " - drm/amd/display: Spinlock before reading event", " - drm/amd/display: Fix Coverity INTEGER_OVERFLOW within", " decide_fallback_link_setting_max_bw_policy", " - drm/amd/display: Ensure index calculation will not overflow", " - drm/amd/display: Skip inactive planes within", " ModeSupportAndSystemConfiguration", " - drm/amd/display: Fix index may exceed array range within", " fpu_update_bw_bounding_box", " - drm/amd/amdgpu: Check tbo resource pointer", " - drm/amd/pm: fix uninitialized variable warnings for vangogh_ppt", " - drm/amdgpu/pm: Fix uninitialized variable warning for smu10", " - drm/amdgpu/pm: Fix uninitialized variable agc_btc_response", " - drm/amdgpu: Fix the uninitialized variable warning", " - drm/amdkfd: Check debug trap enable before write 
dbg_ev_file", " - drm/amdkfd: Reconcile the definition and use of oem_id in struct", " kfd_topology_device", " - apparmor: fix possible NULL pointer dereference", " - wifi: ath12k: initialize 'ret' in ath12k_qmi_load_file_target_mem()", " - wifi: ath11k: initialize 'ret' in ath11k_qmi_load_file_target_mem()", " - drm/amdgpu/pm: Check input value for CUSTOM profile mode setting on legacy", " SOCs", " - drm/amdgpu: Fix the warning division or modulo by zero", " - drm/amdgpu: fix dereference after null check", " - drm/amdgpu: fix the waring dereferencing hive", " - drm/amd/pm: check specific index for aldebaran", " - drm/amd/pm: check specific index for smu13", " - drm/amdgpu: the warning dereferencing obj for nbio_v7_4", " - drm/amd/pm: check negtive return for table entries", " - wifi: rtw89: ser: avoid multiple deinit on same CAM", " - drm/kfd: Correct pinned buffer handling at kfd restore and validate process", " - drm/amdgpu: update type of buf size to u32 for eeprom functions", " - wifi: iwlwifi: remove fw_running op", " - cpufreq: scmi: Avoid overflow of target_freq in fast switch", " - PCI: al: Check IORESOURCE_BUS existence during probe", " - wifi: mac80211: check ieee80211_bss_info_change_notify() against MLD", " - hwspinlock: Introduce hwspin_lock_bust()", " - soc: qcom: smem: Add qcom_smem_bust_hwspin_lock_by_host()", " - RDMA/efa: Properly handle unexpected AQ completions", " - ionic: fix potential irq name truncation", " - pwm: xilinx: Fix u32 overflow issue in 32-bit width PWM mode.", " - rcu/nocb: Remove buggy bypass lock contention mitigation", " - media: v4l2-cci: Always assign *val", " - usbip: Don't submit special requests twice", " - usb: typec: ucsi: Fix null pointer dereference in trace", " - fsnotify: clear PARENT_WATCHED flags lazily", " - net: remove NULL-pointer net parameter in ip_metrics_convert", " - drm/amdgu: fix Unintentional integer overflow for mall size", " - regmap: spi: Fix potential off-by-one when calculating reserved size", " - 
smack: tcp: ipv4, fix incorrect labeling", " - platform/chrome: cros_ec_lpc: MEC access can use an AML mutex", " - net/mlx5e: SHAMPO, Fix incorrect page release", " - drm/meson: plane: Add error handling", " - crypto: stm32/cryp - call finalize with bh disabled", " - gfs2: Revert \"Add quota_change type\"", " - drm/bridge: tc358767: Check if fully initialized before signalling HPD event", " via IRQ", " - dmaengine: altera-msgdma: use irq variant of spin_lock/unlock while invoking", " callbacks", " - dmaengine: altera-msgdma: properly free descriptor in msgdma_free_descriptor", " - hwmon: (k10temp) Check return value of amd_smn_read()", " - wifi: cfg80211: make hash table duplicates more survivable", " - f2fs: fix to do sanity check on blocks for inline_data inode", " - driver: iio: add missing checks on iio_info's callback access", " - block: remove the blk_flush_integrity call in blk_integrity_unregister", " - drm/amdgpu: add skip_hw_access checks for sriov", " - drm/amdgpu: add lock in amdgpu_gart_invalidate_tlb", " - drm/amdgpu: add lock in kfd_process_dequeue_from_device", " - drm/amd/display: Don't use fsleep for PSR exit waits on dmub replay", " - drm/amd/display: added NULL check at start of dc_validate_stream", " - drm/amd/display: Correct the defined value for AMDGPU_DMUB_NOTIFICATION_MAX", " - drm/amd/display: use preferred link settings for dp signal only", " - drm/amd/display: Check BIOS images before it is used", " - drm/amd/display: Skip wbscl_set_scaler_filter if filter is null", " - media: uvcvideo: Enforce alignment of frame and interval", " - virtio_net: Fix napi_skb_cache_put warning", " - i2c: Use IS_REACHABLE() for substituting empty ACPI functions", " - btrfs: factor out stripe length calculation into a helper", " - btrfs: scrub: update last_physical after scrubbing one stripe", " - btrfs: fix qgroup reserve leaks in cow_file_range", " - virtio-net: check feature before configuring the vq coalescing command", " - drm/amd/display: Handle the 
case which quad_part is equal 0", " - drm/amdgpu: Handle sg size limit for contiguous allocation", " - drm/amd/pm: fix uninitialized variable warning for smu_v13", " - drm/amdgpu: fix uninitialized scalar variable warning", " - drm/amd/display: Ensure array index tg_inst won't be -1", " - drm/amd/display: handle invalid connector indices", " - drm/amd/display: Increase MAX_LINKS by 2", " - drm/amd/display: Stop amdgpu_dm initialize when link nums greater than", " max_links", " - drm/amd/display: Fix incorrect size calculation for loop", " - drm/amd/display: Use kcalloc() instead of kzalloc()", " - drm/amd/display: Add missing NULL pointer check within", " dpcd_extend_address_range", " - drm/amd/display: Release state memory if amdgpu_dm_create_color_properties", " fail", " - drm/amd/display: Check link_index before accessing dc->links[]", " - drm/amd/display: Add otg_master NULL check within", " resource_log_pipe_topology_update", " - drm/amd/display: Release clck_src memory if clk_src_construct fails", " - drm/amd/display: Fix writeback job lock evasion within dm_crtc_high_irq", " - drm/xe: Demote CCS_MODE info to debug only", " - drm/drm-bridge: Drop conditionals around of_node pointers", " - drm/amdgpu: fix uninitialized variable warning for amdgpu_xgmi", " - drm/amdgpu: fix uninitialized variable warning for jpeg_v4", " - drm/amdgpu: Fix uninitialized variable warning in amdgpu_info_ioctl", " - wifi: ath12k: initialize 'ret' in ath12k_dp_rxdma_ring_sel_config_wcn7850()", " - drm/amdgpu/pm: Check input value for power profile setting on smu11, smu13", " and smu14", " - drm/xe: Fix the warning conditions", " - drm/amd/display: Fix pipe addition logic in calc_blocks_to_ungate DCN35", " - wifi: cfg80211: restrict operation during radar detection", " - remoteproc: qcom_q6v5_pas: Add hwspinlock bust on stop", " - tcp: annotate data-races around tw->tw_ts_recent and tw->tw_ts_recent_stamp", " - drm/xe: Don't overmap identity VRAM mapping", " - net: tcp/dccp: prepare 
for tw_timer un-pinning", " - drm/xe: Ensure caller uses sole domain for xe_force_wake_assert_held", " - drm/xe: Check valid domain is passed in xe_force_wake_ref", " - thermal: trip: Use READ_ONCE() for lockless access to trip properties", " - drm/xe: Add GuC state asserts to deregister_exec_queue", " - drm/amdgpu: fix overflowed constant warning in mmhub_set_clockgating()", " - drm/amd/display: Remove register from DCN35 DMCUB diagnostic collection", " - drm/amd/display: Disable DMCUB timeout for DCN35", " - drm/amd/display: Avoid overflow from uint32_t to uint8_t", " - pinctrl: core: reset gpio_device in loop in pinctrl_pins_show()", " - Upstream stable to v6.6.50, v6.10.9", " * CVE-2024-46747", " - HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup", " * CVE-2024-46725", " - drm/amdgpu: Fix out-of-bounds write warning", " * CVE-2024-46724", " - drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number", " * [SRU] Fix AST DP output after resume (LP: #2083022)", " - drm/ast: Inline drm_simple_encoder_init()", " - drm/ast: Implement atomic enable/disable for encoders", " - drm/ast: Program mode for AST DP in atomic_mode_set", " - drm/ast: Move mode-setting code into mode_set_nofb CRTC helper", " - drm/ast: Handle primary-plane format setup in atomic_update", " - drm/ast: Remove gamma LUT updates from DPMS code", " - drm/ast: Only set VGA SCREEN_DISABLE bit in CRTC code", " - drm/ast: Inline ast_crtc_dpms() into callers", " - drm/ast: Use drm_atomic_helper_commit_tail() helper", " * UBSAN array-index-out-of-bounds reported with N-6.8 on P9 node baltar", " (LP: #2078038)", " - scripts/kernel-doc: reindent", " - compiler_types: add Endianness-dependent __counted_by_{le, be}", " - scsi: aacraid: union aac_init: Replace 1-element array with flexible array", " - scsi: aacraid: struct aac_ciss_phys_luns_resp: Replace 1-element array with", " flexible array", " - scsi: aacraid: Rearrange order of struct aac_srb_unit", " - scsi: aacraid: struct {user, 
}sgmap{, 64, raw}: Replace 1-element arrays", " with flexible arrays", " * r8169: transmit queue 0 timed out error when re-plugging the Ethernet cable", " (LP: #2084526)", " - r8169: disable ALDPS per default for RTL8125", " * [SRU] cpufreq: intel_pstate: Support Emerald Rapids OOB mode (LP: #2084834)", " - cpufreq: intel_pstate: Support Emerald Rapids OOB mode", " * CVE-2024-46723", " - drm/amdgpu: fix ucode out-of-bounds read warning", " * CVE-2024-46743", " - of/irq: Prevent device address out-of-bounds read in interrupt map walk", " * CVE-2024-46757", " - hwmon: (nct6775-core) Fix underflows seen when writing limit attributes", " * [SRU] Ubuntu 24.04 - GPU cannot be installed with DL380a Gen12 (2P, SRF-SP)", " (LP: #2081079)", " - perf/x86/uncore: Save the unit control address of all units", " - perf/x86/uncore: Support per PMU cpumask", " - perf/x86/uncore: Retrieve the unit ID from the unit control RB tree", " - perf/x86/uncore: Apply the unit control RB tree to MMIO uncore units", " - perf/x86/uncore: Apply the unit control RB tree to MSR uncore units", " - perf/x86/uncore: Apply the unit control RB tree to PCI uncore units", " - perf/x86/uncore: Cleanup unused unit structure", " - perf/x86/intel/uncore: Support HBM and CXL PMON counters", " * Noble update: upstream stable patchset 2024-10-11 (LP: #2084225)", " - ALSA: seq: Skip event type filtering for UMP events", " - LoongArch: Remove the unused dma-direct.h", " - btrfs: fix a use-after-free when hitting errors inside btrfs_submit_chunk()", " - btrfs: run delayed iputs when flushing delalloc", " - smb/client: avoid dereferencing rdata=NULL in smb2_new_read_req()", " - pinctrl: rockchip: correct RK3328 iomux width flag for GPIO2-B pins", " - pinctrl: single: fix potential NULL dereference in pcs_get_function()", " - wifi: wfx: repair open network AP mode", " - wifi: mwifiex: duplicate static structs used in driver instances", " - net: mana: Fix race of mana_hwc_post_rx_wqe and new hwc response", " - mptcp: 
close subflow when receiving TCP+FIN", " - mptcp: sched: check both backup in retrans", " - mptcp: pm: reuse ID 0 after delete and re-add", " - mptcp: pm: skip connecting to already established sf", " - mptcp: pm: reset MPC endp ID when re-added", " - mptcp: pm: send ACK on an active subflow", " - mptcp: pm: do not remove already closed subflows", " - mptcp: pm: fix ID 0 endp usage after multiple re-creations", " - mptcp: pm: ADD_ADDR 0 is not a new address", " - selftests: mptcp: join: check removing ID 0 endpoint", " - selftests: mptcp: join: no extra msg if no counter", " - selftests: mptcp: join: check re-re-adding ID 0 endp", " - drm/amdgpu/swsmu: always force a state reprogram on init", " - drm/vmwgfx: Fix prime with external buffers", " - usb: typec: fix up incorrectly backported \"usb: typec: tcpm: unregister", " existing source caps before re-registration\"", " - ASoC: amd: acp: fix module autoloading", " - ASoC: SOF: amd: Fix for acp init sequence", " - pinctrl: mediatek: common-v2: Fix broken bias-disable for", " PULL_PU_PD_RSEL_TYPE", " - pinctrl: starfive: jh7110: Correct the level trigger configuration of iev", " register", " - ovl: pass string to ovl_parse_layer()", " - ovl: fix wrong lowerdir number check for parameter Opt_lowerdir", " - ovl: ovl_parse_param_lowerdir: Add missed '\\n' for pr_err", " - mm: Fix missing folio invalidation calls during truncation", " - cifs: Fix FALLOC_FL_PUNCH_HOLE support", " - selinux,smack: don't bypass permissions check in inode_setsecctx hook", " - iommufd: Do not allow creating areas without READ or WRITE", " - phy: fsl-imx8mq-usb: fix tuning parameter name", " - dmaengine: dw-edma: Fix unmasking STOP and ABORT interrupts for HDMA", " - dmaengine: dw-edma: Do not enable watermark interrupts for HDMA", " - phy: xilinx: phy-zynqmp: Fix SGMII linkup failure on resume", " - dmaengine: dw: Add peripheral bus width verification", " - dmaengine: dw: Add memory bus width verification", " - Bluetooth: btnxpuart: Resolve 
TX timeout error in power save stress test", " - Bluetooth: btnxpuart: Handle FW Download Abort scenario", " - Bluetooth: btnxpuart: Fix random crash seen while removing driver", " - Bluetooth: hci_core: Fix not handling hibernation actions", " - iommu: Do not return 0 from map_pages if it doesn't do anything", " - netfilter: nf_tables: restore IP sanity checks for netdev/egress", " - wifi: iwlwifi: fw: fix wgds rev 3 exact size", " - ethtool: check device is present when getting link settings", " - netfilter: nf_tables_ipv6: consider network offset in netdev/egress", " validation", " - selftests: forwarding: no_forwarding: Down ports on cleanup", " - selftests: forwarding: local_termination: Down ports on cleanup", " - bonding: implement xdo_dev_state_free and call it after deletion", " - bonding: extract the use of real_device into local variable", " - bonding: change ipsec_lock from spin lock to mutex", " - gtp: fix a potential NULL pointer dereference", " - sctp: fix association labeling in the duplicate COOKIE-ECHO case", " - drm/amd/display: avoid using null object of framebuffer", " - net: busy-poll: use ktime_get_ns() instead of local_clock()", " - nfc: pn533: Add poll mod list filling check", " - soc: qcom: cmd-db: Map shared memory as WC, not WB", " - soc: qcom: pmic_glink: Actually communicate when remote goes down", " - soc: qcom: pmic_glink: Fix race during initialization", " - cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller", " - scsi: sd: Ignore command SYNCHRONIZE CACHE error if format in progress", " - USB: serial: option: add MeiG Smart SRM825L", " - ARM: dts: imx6dl-yapp43: Increase LED current to match the yapp4 HW design", " - usb: dwc3: omap: add missing depopulate in probe error path", " - usb: dwc3: core: Prevent USB core invalid event buffer address access", " - usb: dwc3: st: fix probed platform device ref count on probe error path", " - usb: dwc3: st: add missing depopulate in probe error path", " - usb: core: sysfs: 
Unmerge @usb3_hardware_lpm_attr_group in", " remove_power_attributes()", " - usb: cdnsp: fix incorrect index in cdnsp_get_hw_deq function", " - usb: cdnsp: fix for Link TRB with TC", " - ARM: dts: omap3-n900: correct the accelerometer orientation", " - arm64: dts: imx8mp-beacon-kit: Fix Stereo Audio on WM8962", " - arm64: dts: imx93: add nvmem property for fec1", " - arm64: dts: imx93: add nvmem property for eqos", " - arm64: dts: imx93: update default value for snps,clk-csr", " - arm64: dts: freescale: imx93-tqma9352: fix CMA alloc-ranges", " - arm64: dts: freescale: imx93-tqma9352-mba93xxla: fix typo", " - scsi: aacraid: Fix double-free on probe failure", " - apparmor: fix policy_unpack_test on big endian systems", " - mptcp: pr_debug: add missing \\n at the end", " - mptcp: make pm_remove_addrs_and_subflows static", " - mptcp: pm: fix RM_ADDR ID for the initial subflow", " - mptcp: avoid duplicated SUB_CLOSED events", " - drm/i915/dsi: Make Lenovo Yoga Tab 3 X90F DMI match less strict", " - drm/vmwgfx: Prevent unmapping active read buffers", " - drm/vmwgfx: Disable coherent dumb buffers without 3d", " - firmware/sysfb: Set firmware-framebuffer parent device", " - firmware/sysfb: Create firmware device only for enabled PCI devices", " - video/aperture: optionally match the device in sysfb_disable()", " - drm/xe: Prepare display for D3Cold", " - drm/xe/display: Make display suspend/resume work on discrete", " - drm/xe/vm: Simplify if condition", " - drm/xe/exec_queue: Rename xe_exec_queue::compute to xe_exec_queue::lr", " - drm/xe: prevent UAF around preempt fence", " - pinctrl: qcom: x1e80100: Update PDC hwirq map", " - ASoC: SOF: amd: move iram-dram fence register programming sequence", " - nfsd: ensure that nfsd4_fattr_args.context is zeroed out", " - backing-file: convert to using fops->splice_write", " - pinctrl: qcom: x1e80100: Fix special pin offsets", " - afs: Fix post-setattr file edit to do truncation correctly", " - netfs: Fix netfs_release_folio() to 
say no if folio dirty", " - netfs: Fix missing iterator reset on retry of short read", " - dmaengine: ti: omap-dma: Initialize sglen after allocation", " - pktgen: use cpus_read_lock() in pg_net_init()", " - net_sched: sch_fq: fix incorrect behavior for small weights", " - tcp: fix forever orphan socket caused by tcp_abort", " - drm/xe/hwmon: Fix WRITE_I1 param from u32 to u16", " - usb: typec: fsa4480: Relax CHIP_ID check", " - firmware: qcom: scm: Mark get_wq_ctx() as atomic call", " - usb: gadget: uvc: queue pump work in uvcg_video_enable()", " - usb: dwc3: xilinx: add missing depopulate in probe error path", " - usb: typec: ucsi: Move unregister out of atomic section", " - firmware: microchip: fix incorrect error report of programming:timeout on", " success", " - Upstream stable to v6.6.49, v6.10.8", " * Fix blank screen on external display after reconnecting the USB type-C", " (LP: #2081786) // Noble update: upstream stable patchset 2024-10-11", " (LP: #2084225)", " - drm/i915/display: add intel_display -> drm_device backpointer", " - drm/i915/display: add generic to_intel_display() macro", " - drm/i915/dp_mst: Fix MST state after a sink reset", " * Noble update: upstream stable patchset 2024-10-09 (LP: #2084005)", " - tty: serial: fsl_lpuart: mark last busy before uart_add_one_port", " - tty: atmel_serial: use the correct RTS flag.", " - Revert \"ACPI: EC: Evaluate orphan _REG under EC device\"", " - Revert \"misc: fastrpc: Restrict untrusted app to attach to privileged PD\"", " - Revert \"usb: typec: tcpm: clear pd_event queue in PORT_RESET\"", " - selinux: revert our use of vma_is_initial_heap()", " - fuse: Initialize beyond-EOF page contents before setting uptodate", " - char: xillybus: Don't destroy workqueue from work item running on it", " - char: xillybus: Refine workqueue handling", " - char: xillybus: Check USB endpoints when probing device", " - ALSA: usb-audio: Add delay quirk for VIVO USB-C-XE710 HEADSET", " - ALSA: usb-audio: Support Yamaha P-125 
quirk entry", " - xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration", " - thunderbolt: Mark XDomain as unplugged when router is removed", " - ALSA: hda/tas2781: fix wrong calibrated data order", " - s390/dasd: fix error recovery leading to data corruption on ESE devices", " - KVM: s390: fix validity interception issue when gisa is switched off", " - riscv: change XIP's kernel_map.size to be size of the entire kernel", " - i2c: tegra: Do not mark ACPI devices as irq safe", " - ACPICA: Add a depth argument to acpi_execute_reg_methods()", " - ACPI: EC: Evaluate _REG outside the EC scope more carefully", " - arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to", " NUMA_NO_NODE", " - dm resume: don't return EINVAL when signalled", " - dm persistent data: fix memory allocation failure", " - fs/ntfs3: add prefix to bitmap_size() and use BITS_TO_U64()", " - s390/cio: rename bitmap_size() -> idset_bitmap_size()", " - btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits()", " - bitmap: introduce generic optimized bitmap_size()", " - fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE", " - i2c: qcom-geni: Add missing geni_icc_disable in geni_i2c_runtime_resume", " - rtla/osnoise: Prevent NULL dereference in error handling", " - net: mana: Fix RX buf alloc_size alignment and atomic op panic", " - net: mana: Fix doorbell out of order violation and avoid unnecessary", " doorbell rings", " - wifi: brcmfmac: cfg80211: Handle SSID based pmksa deletion", " - selinux: fix potential counting error in avc_add_xperms_decision()", " - selinux: add the processing of the failure of avc_add_xperms_decision()", " - mm/memory-failure: use raw_spinlock_t in struct memory_failure_cpu", " - btrfs: tree-checker: reject BTRFS_FT_UNKNOWN dir type", " - btrfs: zoned: properly take lock to read/update block group's zoned", " variables", " - btrfs: tree-checker: add dev extent item checks", " - drm/amdgpu: Actually check flags for all context ops.", 
" - memcg_write_event_control(): fix a user-triggerable oops", " - drm/amdgpu/jpeg2: properly set atomics vmid field", " - drm/amdgpu/jpeg4: properly set atomics vmid field", " - s390/uv: Panic for set and remove shared access UVC errors", " - bpf: Fix updating attached freplace prog in prog_array map", " - igc: Fix packet still tx after gate close by reducing i226 MAC retry buffer", " - igc: Fix qbv_config_change_errors logics", " - igc: Fix reset adapter logics when tx mode change", " - net/mlx5e: Take state lock during tx timeout reporter", " - net/mlx5e: Correctly report errors for ethtool rx flows", " - net: axienet: Fix register defines comment description", " - net: dsa: vsc73xx: pass value in phy_write operation", " - net: dsa: vsc73xx: use read_poll_timeout instead delay loop", " - net: dsa: vsc73xx: check busy flag in MDIO operations", " - net: ethernet: mtk_wed: fix use-after-free panic in", " mtk_wed_setup_tc_block_cb()", " - mlxbf_gige: disable RX filters until RX path initialized", " - mptcp: correct MPTCP_SUBFLOW_ATTR_SSN_OFFSET reserved size", " - tcp: Update window clamping condition", " - netfilter: allow ipv6 fragments to arrive on different devices", " - netfilter: flowtable: initialise extack before use", " - netfilter: nf_queue: drop packets with cloned unconfirmed conntracks", " - netfilter: nf_tables: Audit log dump reset after the fact", " - netfilter: nf_tables: Introduce nf_tables_getobj_single", " - netfilter: nf_tables: Add locking for NFT_MSG_GETOBJ_RESET requests", " - vsock: fix recursive ->recvmsg calls", " - selftests: net: lib: ignore possible errors", " - selftests: net: lib: kill PIDs before del netns", " - net: hns3: fix wrong use of semaphore up", " - net: hns3: use the user's cfg after reset", " - net: hns3: fix a deadlock problem when config TC during resetting", " - gpio: mlxbf3: Support shutdown() function", " - ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7", " - rust: work around `bindgen` 0.69.0 
issue", " - rust: suppress error messages from CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT", " - rust: fix the default format for CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT", " - cpu/SMT: Enable SMT only if a core is online", " - powerpc/topology: Check if a core is online", " - arm64: Fix KASAN random tag seed initialization", " - block: Fix lockdep warning in blk_mq_mark_tag_wait", " - wifi: ath12k: Add missing qmi_txn_cancel() calls", " - quota: Remove BUG_ON from dqget()", " - riscv: blacklist assembly symbols for kprobe", " - kernfs: fix false-positive WARN(nr_mmapped) in kernfs_drain_open_files", " - media: pci: cx23885: check cx23885_vdev_init() return", " - fs: binfmt_elf_efpic: don't use missing interpreter's properties", " - scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list()", " - media: drivers/media/dvb-core: copy user arrays safely", " - wifi: iwlwifi: mvm: avoid garbage iPN", " - net/sun3_82586: Avoid reading past buffer in debug output", " - drm/lima: set gp bus_stop bit before hard reset", " - gpio: sysfs: extend the critical section for unregistering sysfs devices", " - hrtimer: Select housekeeping CPU during migration", " - virtiofs: forbid newlines in tags", " - accel/habanalabs: fix debugfs files permissions", " - clocksource/drivers/arm_global_timer: Guard against division by zero", " - tick: Move got_idle_tick away from common flags", " - netlink: hold nlk->cb_mutex longer in __netlink_dump_start()", " - md: clean up invalid BUG_ON in md_ioctl", " - x86: Increase brk randomness entropy for 64-bit systems", " - memory: stm32-fmc2-ebi: check regmap_read return value", " - parisc: Use irq_enter_rcu() to fix warning at kernel/context_tracking.c:367", " - rxrpc: Don't pick values out of the wire header when setting up security", " - f2fs: stop checkpoint when get a out-of-bounds segment", " - powerpc/boot: Handle allocation failure in simple_realloc()", " - powerpc/boot: Only free if realloc() succeeds", " - btrfs: delayed-inode: drop 
pointless BUG_ON in __btrfs_remove_delayed_item()", " - btrfs: defrag: change BUG_ON to assertion in btrfs_defrag_leaves()", " - btrfs: change BUG_ON to assertion when checking for delayed_node root", " - btrfs: push errors up from add_async_extent()", " - btrfs: handle invalid root reference found in may_destroy_subvol()", " - btrfs: send: handle unexpected data in header buffer in begin_cmd()", " - btrfs: send: handle unexpected inode in header process_recorded_refs()", " - btrfs: change BUG_ON to assertion in tree_move_down()", " - btrfs: delete pointless BUG_ON check on quota root in", " btrfs_qgroup_account_extent()", " - f2fs: fix to do sanity check in update_sit_entry", " - usb: gadget: fsl: Increase size of name buffer for endpoints", " - nvme: clear caller pointer on identify failure", " - Bluetooth: bnep: Fix out-of-bound access", " - firmware: cirrus: cs_dsp: Initialize debugfs_root to invalid", " - rtc: nct3018y: fix possible NULL dereference", " - net: hns3: add checking for vf id of mailbox", " - nvmet-tcp: do not continue for invalid icreq", " - NFS: avoid infinite loop in pnfs_update_layout.", " - openrisc: Call setup_memory() earlier in the init sequence", " - s390/iucv: fix receive buffer virtual vs physical address confusion", " - irqchip/renesas-rzg2l: Do not set TIEN and TINT source at the same time", " - platform/x86: lg-laptop: fix %s null argument warning", " - usb: dwc3: core: Skip setting event buffers for host only controllers", " - irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc", " - ext4: set the type of max_zeroout to unsigned int to avoid overflow", " - nvmet-rdma: fix possible bad dereference when freeing rsps", " - selftests/bpf: Fix a few tests for GCC related warnings.", " - Revert \"bpf, sockmap: Prevent lock inversion deadlock in map delete elem\"", " - nvme: use srcu for iterating namespace list", " - drm/amdgpu: fix dereference null return value for the function", " amdgpu_vm_pt_parent", " - hrtimer: Prevent 
queuing of hrtimer without a function callback", " - nvme: fix namespace removal list", " - gtp: pull network headers in gtp_dev_xmit()", " - riscv: entry: always initialize regs->a0 to -ENOSYS", " - smb3: fix lock breakage for cached writes", " - dm suspend: return -ERESTARTSYS instead of -EINTR", " - selftests: memfd_secret: don't build memfd_secret test on unsupported arches", " - mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order", " fallback to order 0", " - btrfs: send: allow cloning non-aligned extent if it ends at i_size", " - drm/amd/amdgpu: command submission parser for JPEG", " - platform/surface: aggregator: Fix warning when controller is destroyed in", " probe", " - ALSA: hda/tas2781: Use correct endian conversion", " - Bluetooth: hci_core: Fix LE quote calculation", " - Bluetooth: SMP: Fix assumption of Central always being Initiator", " - net: mscc: ocelot: use ocelot_xmit_get_vlan_info() also for FDMA and", " register injection", " - net: mscc: ocelot: fix QoS class for injected packets with \"ocelot-8021q\"", " - net: mscc: ocelot: serialize access to the injection/extraction groups", " - tc-testing: don't access non-existent variable on exception", " - selftests: udpgro: report error when receive failed", " - tcp/dccp: bypass empty buckets in inet_twsk_purge()", " - tcp/dccp: do not care about families in inet_twsk_purge()", " - tcp: prevent concurrent execution of tcp_sk_exit_batch", " - net: mctp: test: Use correct skb for route input check", " - kcm: Serialise kcm_sendmsg() for the same socket.", " - netfilter: nft_counter: Disable BH in nft_counter_offload_stats().", " - netfilter: nft_counter: Synchronize nft_counter_reset() against reader.", " - ip6_tunnel: Fix broken GRO", " - bonding: fix bond_ipsec_offload_ok return type", " - bonding: fix null pointer deref in bond_ipsec_offload_ok", " - bonding: fix xfrm real_dev null pointer dereference", " - bonding: fix xfrm state handling when clearing active slave", " - ice: fix 
page reuse when PAGE_SIZE is over 8k", " - ice: fix ICE_LAST_OFFSET formula", " - ice: fix truesize operations for PAGE_SIZE >= 8192", " - dpaa2-switch: Fix error checking in dpaa2_switch_seed_bp()", " - igb: cope with large MAX_SKB_FRAGS", " - net: dsa: mv88e6xxx: Fix out-of-bound access", " - udp: fix receiving fraglist GSO packets", " - ipv6: fix possible UAF in ip6_finish_output2()", " - ipv6: prevent possible UAF in ip6_xmit()", " - bnxt_en: Fix double DMA unmapping for XDP_REDIRECT", " - netfilter: flowtable: validate vlan header", " - octeontx2-af: Fix CPT AF register offset calculation", " - net: xilinx: axienet: Always disable promiscuous mode", " - net: xilinx: axienet: Fix dangling multicast addresses", " - net: ovs: fix ovs_drop_reasons error", " - drm/msm/dpu: don't play tricks with debug macros", " - drm/msm/dp: fix the max supported bpp logic", " - drm/msm/dpu: split dpu_encoder_wait_for_event into two functions", " - drm/msm/dpu: capture snapshot on the first commit_done timeout", " - drm/msm/dpu: move dpu_encoder's connector assignment to atomic_enable()", " - drm/msm/dp: reset the link phy params before link training", " - drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails", " - drm/msm/dpu: take plane rotation into account for wide planes", " - drm/msm: fix the highest_bank_bit for sc7180", " - mmc: mmc_test: Fix NULL dereference on allocation failure", " - Bluetooth: MGMT: Add error handling to pair_device()", " - scsi: core: Fix the return value of scsi_logical_block_count()", " - ksmbd: the buffer of smb2 query dir response has at least 1 byte", " - drm/amdgpu: Validate TA binary size", " - net: dsa: microchip: fix PTP config failure when using multiple ports", " - MIPS: Loongson64: Set timer mode in cpu-probe", " - HID: wacom: Defer calculation of resolution until resolution_code is known", " - Input: i8042 - add forcenorestore quirk to leave controller untouched even", " on s3", " - Input: i8042 - use new forcenorestore quirk to 
replace old buggy quirk", " combination", " - cxgb4: add forgotten u64 ivlan cast before shift", " - KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3", " - mmc: mtk-sd: receive cmd8 data when hs400 tuning fail", " - mmc: dw_mmc: allow biu and ciu clocks to defer", " - smb3: fix broken cached reads when posix locks", " - pmdomain: imx: scu-pd: Remove duplicated clocks", " - pmdomain: imx: wait SSAR when i.MX93 power domain on", " - nouveau/firmware: use dma non-coherent allocator", " - mptcp: pm: re-using ID of unused removed ADD_ADDR", " - mptcp: pm: re-using ID of unused removed subflows", " - mptcp: pm: re-using ID of unused flushed subflows", " - mptcp: pm: remove mptcp_pm_remove_subflow()", " - mptcp: pm: only mark 'subflow' endp as available", " - mptcp: pm: only decrement add_addr_accepted for MPJ req", " - mptcp: pm: check add_addr_accept_max before accepting new ADD_ADDR", " - mptcp: pm: only in-kernel cannot have entries with ID 0", " - mptcp: pm: fullmesh: select the right ID later", " - mptcp: pm: avoid possible UaF when selecting endp", " - selftests: mptcp: join: validate fullmesh endp on 1st sf", " - selftests: mptcp: join: restrict fullmesh endp on 1st sf", " - selftests: mptcp: join: check re-using ID of closed subflow", " - tcp: do not export tcp_twsk_purge()", " - drm/msm/mdss: specify cfg bandwidth for SDM670", " - drm/panel: nt36523: Set 120Hz fps for xiaomi,elish panels", " - igc: Fix qbv tx latency by setting gtxoffset", " - ALSA: timer: Relax start tick time check for slave timer elements", " - bpf: Fix a kernel verifier crash in stacksafe()", " - selftests/bpf: Add a test to verify previous stacksafe() fix", " - Revert \"s390/dasd: Establish DMA alignment\"", " - Input: MT - limit max slots", " - tools: move alignment-related macros to new ", " - Revert \"serial: 8250_omap: Set the console genpd always on if no console", " suspend\"", " - usb: misc: ljca: Add Lunar Lake ljca GPIO HID to ljca_gpio_hids[]", " - usb: xhci: Check 
for xhci->interrupters being allocated in", " xhci_mem_clearup()", " - vfs: Don't evict inode under the inode lru traversing context", " - tracing: Return from tracing_buffers_read() if the file has been closed", " - mm: fix endless reclaim on machines with unaccepted memory", " - fs/netfs/fscache_cookie: add missing \"n_accesses\" check", " - mm/numa: no task_numa_fault() call if PMD is changed", " - mm/numa: no task_numa_fault() call if PTE is changed", " - btrfs: check delayed refs when we're checking if a ref exists", " - drm/amd/display: Adjust cursor position", " - drm/amd/display: fix s2idle entry for DCN3.5+", " - drm/amd/display: Enable otg synchronization logic for DCN321", " - drm/amd/display: fix cursor offset on rotation 180", " - netfs: Fault in smaller chunks for non-large folio mappings", " - libfs: fix infinite directory reads for offset dir", " - kallsyms: Avoid weak references for kallsyms symbols", " - kbuild: avoid unneeded kallsyms step 3", " - kbuild: refactor variables in scripts/link-vmlinux.sh", " - kbuild: remove PROVIDE() for kallsyms symbols", " - kallsyms: get rid of code for absolute kallsyms", " - [Config] Remove CONFIG_KALLSYMS_BASE_RELATIVE", " - kallsyms: Do not cleanup .llvm. 
suffix before sorting symbols", " - bpf: Replace deprecated strncpy with strscpy", " - kallsyms: replace deprecated strncpy with strscpy", " - kallsyms: rework symbol lookup return codes", " - kallsyms: Match symbols exactly with CONFIG_LTO_CLANG", " - drm/v3d: Fix out-of-bounds read in `v3d_csd_job_run()`", " - drm/amd/display: Don't register panel_power_savings on OLED panels", " - wifi: ath12k: use 128 bytes aligned iova in transmit path for WCN7850", " - kbuild: merge temporary vmlinux for BTF and kallsyms", " - kbuild: avoid scripts/kallsyms parsing /dev/null", " - Bluetooth: HCI: Invert LE State quirk to be opt-out rather then opt-in", " - net/mlx5: Fix IPsec RoCE MPV trace call", " - selftests: udpgro: no need to load xdp for gro", " - ice: use internal pf id instead of function number", " - drm/msm/dpu: limit QCM2290 to RGB formats only", " - drm/msm/dpu: relax YUV requirements", " - spi: spi-cadence-quadspi: Fix OSPI NOR failures during system resume", " - drm/xe/display: stop calling domains_driver_remove twice", " - drm/xe: Fix opregion leak", " - drm/xe/mmio: move mmio_fini over to devm", " - drm/xe: reset mmio mappings with devm", " - drm/xe: Fix tile fini sequence", " - drm/xe: Fix missing workqueue destroy in xe_gt_pagefault", " - drm/xe: Free job before xe_exec_queue_put", " - thermal/debugfs: Fix the NULL vs IS_ERR() confusion in debugfs_create_dir()", " - nvme: move stopping keep-alive into nvme_uninit_ctrl()", " - drm/amdgpu/sdma5.2: limit wptr workaround to sdma 5.2.1", " - s390/ap: Refine AP bus bindings complete processing", " - net: ngbe: Fix phy mode set to external phy", " - iommufd/device: Fix hwpt at err_unresv in iommufd_device_do_replace()", " - cgroup/cpuset: fix panic caused by partcmd_update", " - cgroup/cpuset: Clear effective_xcpus on cpus_allowed clearing only if", " cpus.exclusive not set", " - of: Introduce for_each_*_child_of_node_scoped() to automate of_node_put()", " handling", " - thermal: of: Fix OF node leak in 
thermal_of_trips_init() error path", " - thermal: of: Fix OF node leak in thermal_of_zone_register()", " - thermal: of: Fix OF node leak in of_thermal_zone_find() error paths", " - Upstream stable to v6.6.48, v6.10.7", " * Unable to list directories using CIFS on 6.8 kernel (LP: #2082423) // Noble", " update: upstream stable patchset 2024-10-09 (LP: #2084005)", " - smb: client: ignore unhandled reparse tags", " * CVE-2024-46759", " - hwmon: (adc128d818) Fix underflows seen when writing limit attributes", " * CVE-2024-46758", " - hwmon: (lm95234) Fix underflows seen when writing limit attributes", " * CVE-2024-46756", " - hwmon: (w83627ehf) Fix underflows seen when writing limit attributes", " * CVE-2024-46738", " - VMCI: Fix use-after-free when removing resource in vmci_resource_remove()", " * CVE-2024-46722", " - drm/amdgpu: fix mc_data out-of-bounds read warning", " * LXD fan bridge causes blocked tasks (LP: #2064176)", " - SAUCE: fan: release rcu_read_lock on skb discard path", " - SAUCE: fan: fix racy device stat update", " * x86/CPU/AMD: Add models 0x10-0x1f to the Zen5 range (LP: #2081863)", " - x86/CPU/AMD: Add models 0x60-0x6f to the Zen5 range", " * UBSAN: array-index-out-of-bounds in module mt76 (LP: #2081785)", " - wifi: mt76: mt7925: fix a potential array-index-out-of-bounds issue for clc", " * The system hangs after resume with thunderbolt monitor(AMD GPU [1002:1900])", " (LP: #2083182)", " - SAUCE: drm/amd/display: Fix system hang while resume with TBT monitor", " * [SRU] GPU: support additional device ids for DG2 driver (LP: #2083701)", " - drm/i915: Add new PCI IDs to DG2 platform in driver", " * [SRU]Intel Arrow Lake IBECC feature backport request for ubuntu 22.04.5 and", " 24.04.1 server (LP: #2077861)", " - EDAC/igen6: Add Intel Arrow Lake-U/H SoCs support", " * Noble update: upstream stable patchset 2024-10-07 (LP: #2083794)", " - ASoC: topology: Clean up route loading", " - ASoC: topology: Fix route memory corruption", " - LoongArch: Define 
__ARCH_WANT_NEW_STAT in unistd.h", " - sunrpc: don't change ->sv_stats if it doesn't exist", " - nfsd: stop setting ->pg_stats for unused stats", " - sunrpc: pass in the sv_stats struct through svc_create_pooled", " - sunrpc: remove ->pg_stats from svc_program", " - nfsd: remove nfsd_stats, make th_cnt a global counter", " - nfsd: make svc_stat per-network namespace instead of global", " - mm: gup: stop abusing try_grab_folio", " - nvme/pci: Add APST quirk for Lenovo N60z laptop", " - genirq/cpuhotplug: Skip suspended interrupts when restoring affinity", " - genirq/cpuhotplug: Retry with cpu_online_mask when migration fails", " - quota: Detect loops in quota tree", " - bpf: Replace bpf_lpm_trie_key 0-length array with flexible array", " - fs: Annotate struct file_handle with __counted_by() and use struct_size()", " - mISDN: fix MISDN_TIME_STAMP handling", " - mm/page_table_check: support userfault wr-protect entries", " - bpf, net: Use DEV_STAT_INC()", " - f2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC", " - f2fs: fix to cover read extent cache access with lock", " - fou: remove warn in gue_gro_receive on unsupported protocol", " - jfs: fix null ptr deref in dtInsertEntry", " - jfs: Fix shift-out-of-bounds in dbDiscardAG", " - fs/ntfs3: Do copy_to_user out of run_lock", " - ALSA: usb: Fix UBSAN warning in parse_audio_unit()", " - binfmt_flat: Fix corruption when not offsetting data start", " - mm/debug_vm_pgtable: drop RANDOM_ORVALUE trick", " - KVM: arm64: Don't defer TLB invalidation when zapping table entries", " - KVM: arm64: Don't pass a TLBI level hint when zapping table entries", " - drm/amd/display: Defer handling mst up request in resume", " - drm/amd/display: Guard cursor idle reallow by DC debug option", " - drm/amd/display: Separate setting and programming of cursor", " - drm/amd/display: Prevent IPX From Link Detect and Set Mode", " - ASoC: cs35l56: Patch CS35L56_IRQ1_MASK_18 to the default value", " - platform/x86/amd/pmf: 
Fix to Update HPD Data When ALS is Disabled", " - platform/x86: ideapad-laptop: introduce a generic notification chain", " - platform/x86: ideapad-laptop: move ymc_trigger_ec from lenovo-ymc", " - platform/x86: ideapad-laptop: add a mutex to synchronize VPC commands", " - drm/amd/display: Solve mst monitors blank out problem after resume", " - drm/amdgpu/display: Fix null pointer dereference in", " dc_stream_program_cursor_position", " - Upstream stable to v6.6.47, v6.10.6", " * Noble update: upstream stable patchset 2024-10-04 (LP: #2083656)", " - irqchip/mbigen: Fix mbigen node address layout", " - platform/x86/intel/ifs: Initialize union ifs_status to zero", " - jump_label: Fix the fix, brown paper bags galore", " - x86/mm: Fix pti_clone_pgtable() alignment assumption", " - x86/mm: Fix pti_clone_entry_text() for i386", " - smb: client: move most of reparse point handling code to common file", " - smb: client: set correct d_type for reparse DFS/DFSR and mount point", " - smb: client: handle lack of FSCTL_GET_REPARSE_POINT support", " - sctp: Fix null-ptr-deref in reuseport_add_sock().", " - net: usb: qmi_wwan: fix memory leak for not ip packets", " - net: bridge: mcast: wait for previous gc cycles when removing port", " - net: linkwatch: use system_unbound_wq", " - ice: Fix reset handler", " - Bluetooth: l2cap: always unlock channel in l2cap_conless_channel()", " - Bluetooth: hci_sync: avoid dup filtering when passive scanning with adv", " monitor", " - net/smc: add the max value of fallback reason count", " - net: dsa: bcm_sf2: Fix a possible memory leak in bcm_sf2_mdio_register()", " - l2tp: fix lockdep splat", " - net: bcmgenet: Properly overlay PHY and MAC Wake-on-LAN capabilities", " - net: fec: Stop PPS on driver remove", " - gpio: prevent potential speculation leaks in gpio_device_get_desc()", " - hwmon: corsair-psu: add USB id of HX1200i Series 2023 psu", " - rcutorture: Fix rcu_torture_fwd_cb_cr() data race", " - md: do not delete safemode_timer in 
mddev_suspend", " - md/raid5: avoid BUG_ON() while continue reshape after reassembling", " - block: change rq_integrity_vec to respect the iterator", " - rcu: Fix rcu_barrier() VS post CPUHP_TEARDOWN_CPU invocation", " - clocksource/drivers/sh_cmt: Address race condition for clock events", " - ACPI: battery: create alarm sysfs attribute atomically", " - ACPI: SBS: manage alarm sysfs attribute through psy core", " - xen: privcmd: Switch from mutex to spinlock for irqfds", " - wifi: nl80211: disallow setting special AP channel widths", " - wifi: ath12k: fix memory leak in ath12k_dp_rx_peer_frag_setup()", " - net/mlx5e: SHAMPO, Fix invalid WQ linked list unlink", " - selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT", " - af_unix: Don't retry after unix_state_lock_nested() in", " unix_stream_connect().", " - PCI: Add Edimax Vendor ID to pci_ids.h", " - udf: prevent integer overflow in udf_bitmap_free_blocks()", " - wifi: nl80211: don't give key data to userspace", " - can: mcp251xfd: tef: prepare to workaround broken TEF FIFO tail index", " erratum", " - can: mcp251xfd: tef: update workaround for erratum DS80000789E 6 of", " mcp2518fd", " - net: stmmac: qcom-ethqos: enable SGMII loopback during DMA reset on", " sa8775p-ride-r3", " - btrfs: do not clear page dirty inside extent_write_locked_range()", " - btrfs: fix invalid mapping of extent xarray state", " - btrfs: fix bitmap leak when loading free space cache on duplicate entry", " - Bluetooth: btnxpuart: Shutdown timer and prevent rearming when driver", " unloading", " - drm/amd/display: Add delay to improve LTTPR UHBR interop", " - drm/amdgpu: fix potential resource leak warning", " - drm/amdgpu/pm: Fix the param type of set_power_profile_mode", " - drm/amdgpu/pm: Fix the null pointer dereference for smu7", " - drm/amdgpu: Fix the null pointer dereference to ras_manager", " - drm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules", " - drm/admgpu: fix dereferencing null pointer 
context", " - drm/amdgpu: Add lock around VF RLCG interface", " - drm/amd/pm: Fix the null pointer dereference for vega10_hwmgr", " - media: amphion: Remove lock in s_ctrl callback", " - drm/amd/display: Add null checker before passing variables", " - media: uvcvideo: Ignore empty TS packets", " - media: uvcvideo: Fix the bandwdith quirk on USB 3.x", " - media: xc2028: avoid use-after-free in load_firmware_cb()", " - ext4: fix uninitialized variable in ext4_inlinedir_to_tree", " - jbd2: avoid memleak in jbd2_journal_write_metadata_buffer", " - s390/sclp: Prevent release of buffer in I/O", " - SUNRPC: Fix a race to wake a sync task", " - profiling: remove profile=sleep support", " - scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES", " - irqchip/meson-gpio: Convert meson_gpio_irq_controller::lock to", " 'raw_spinlock_t'", " - irqchip/loongarch-cpu: Fix return value of lpic_gsi_to_irq()", " - sched/cputime: Fix mul_u64_u64_div_u64() precision for cputime", " - net: drop bad gso csum_start and offset in virtio_net_hdr", " - arm64: Add Neoverse-V2 part", " - arm64: barrier: Restore spec_bar() macro", " - arm64: cputype: Add Cortex-X4 definitions", " - arm64: cputype: Add Neoverse-V3 definitions", " - arm64: errata: Add workaround for Arm errata 3194386 and 3312417", " - arm64: cputype: Add Cortex-X3 definitions", " - arm64: cputype: Add Cortex-A720 definitions", " - arm64: cputype: Add Cortex-X925 definitions", " - arm64: errata: Unify speculative SSBS errata logic", " - [Config] Set ARM64_ERRATUM_3194386=y", " - arm64: errata: Expand speculative SSBS workaround", " - arm64: cputype: Add Cortex-X1C definitions", " - arm64: cputype: Add Cortex-A725 definitions", " - arm64: errata: Expand speculative SSBS workaround (again)", " - i2c: smbus: Improve handling of stuck alerts", " - ASoC: codecs: wcd938x-sdw: Correct Soundwire ports mask", " - ASoC: codecs: wsa881x: Correct Soundwire ports mask", " - ASoC: codecs: wsa883x: parse port-mapping information", " - ASoC: 
codecs: wsa883x: Correct Soundwire ports mask", " - ASoC: codecs: wsa884x: parse port-mapping information", " - ASoC: codecs: wsa884x: Correct Soundwire ports mask", " - ASoC: sti: add missing probe entry for player and reader", " - spi: spidev: Add missing spi_device_id for bh2228fv", " - ASoC: SOF: Remove libraries from topology lookups", " - i2c: smbus: Send alert notifications to all devices if source not found", " - bpf: kprobe: remove unused declaring of bpf_kprobe_override", " - kprobes: Fix to check symbol prefixes correctly", " - i2c: qcom-geni: Add missing clk_disable_unprepare in geni_i2c_runtime_resume", " - i2c: qcom-geni: Add missing geni_icc_disable in geni_i2c_runtime_resume", " - spi: spi-fsl-lpspi: Fix scldiv calculation", " - ALSA: usb-audio: Re-add ScratchAmp quirk entries", " - ASoC: meson: axg-fifo: fix irq scheduling issue with PREEMPT_RT", " - cifs: cifs_inval_name_dfs_link_error: correct the check for fullpath", " - module: warn about excessively long module waits", " - module: make waiting for a concurrent module loader interruptible", " - drm/i915/gem: Fix Virtual Memory mapping boundaries calculation", " - drm/amd/display: Skip Recompute DSC Params if no Stream on Link", " - drm/amdgpu: Forward soft recovery errors to userspace", " - drm/i915/gem: Adjust vma offset for framebuffer mmap offset", " - drm/client: fix null pointer dereference in drm_client_modeset_probe", " - ALSA: line6: Fix racy access to midibuf", " - ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list", " - ALSA: hda/realtek: Add Framework Laptop 13 (Intel Core Ultra) to quirks", " - ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4", " - usb: vhci-hcd: Do not drop references before new references are gained", " - USB: serial: debug: do not echo input by default", " - usb: gadget: core: Check for unset descriptor", " - usb: gadget: midi2: Fix the response for FB info with block 0xff", " - usb: gadget: u_serial: Set start_delayed during suspend", " - 
usb: gadget: u_audio: Check return codes from usb_ep_enable and", " config_ep_by_speed.", " - scsi: mpi3mr: Avoid IOMMU page faults on REPORT ZONES", " - scsi: ufs: core: Do not set link to OFF state while waking up from", " hibernation", " - scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic", " - tick/broadcast: Move per CPU pointer access into the atomic section", " - vhost-vdpa: switch to use vmf_insert_pfn() in the fault handler", " - ntp: Clamp maxerror and esterror to operating range", " - clocksource: Scale the watchdog read retries automatically", " - clocksource: Fix brown-bag boolean thinko in cs_watchdog_read()", " - driver core: Fix uevent_show() vs driver detach race", " - tracefs: Fix inode allocation", " - tracefs: Use generic inode RCU for synchronizing freeing", " - ntp: Safeguard against time_constant overflow", " - timekeeping: Fix bogus clock_was_set() invocation in do_adjtimex()", " - serial: core: check uartclk for zero to avoid divide by zero", " - memcg: protect concurrent access to mem_cgroup_idr", " - parisc: fix unaligned accesses in BPF", " - parisc: fix a possible DMA corruption", " - ASoC: amd: yc: Add quirk entry for OMEN by HP Gaming Laptop 16-n0xxx", " - kcov: properly check for softirq context", " - irqchip/xilinx: Fix shift out of bounds", " - genirq/irqdesc: Honor caller provided affinity in alloc_desc()", " - LoongArch: Enable general EFI poweroff method", " - power: supply: qcom_battmgr: return EAGAIN when firmware service is not up", " - power: supply: axp288_charger: Fix constant_charge_voltage writes", " - power: supply: axp288_charger: Round constant_charge_voltage writes down", " - tracing: Fix overflow in get_free_elt()", " - padata: Fix possible divide-by-0 panic in padata_mt_helper()", " - smb3: fix setting SecurityFlags when encryption is required", " - eventfs: Don't return NULL in eventfs_create_dir()", " - eventfs: Use SRCU for freeing eventfs_inodes", " - selftests: mm: add s390 to ARCH check", 
" - btrfs: avoid using fixed char array size for tree names", " - x86/paravirt: Fix incorrect virt spinlock setting on bare metal", " - x86/mtrr: Check if fixed MTRRs exist before saving them", " - sched/smt: Introduce sched_smt_present_inc/dec() helper", " - sched/smt: Fix unbalance sched_smt_present dec/inc", " - sched/core: Introduce sched_set_rq_on/offline() helper", " - sched/core: Fix unbalance set_rq_online/offline() in sched_cpu_deactivate()", " - drm/bridge: analogix_dp: properly handle zero sized AUX transactions", " - drm/dp_mst: Skip CSN if topology probing is not done yet", " - drm/lima: Mark simple_ondemand governor as softdep", " - drm/mgag200: Set DDC timeout in milliseconds", " - drm/mgag200: Bind I2C lifetime to DRM device", " - drm/radeon: Remove __counted_by from StateArray.states[]", " - mptcp: fully established after ADD_ADDR echo on MPJ", " - mptcp: pm: deny endp with signal + subflow + port", " - block: use the right type for stub rq_integrity_vec()", " - btrfs: fix corruption after buffer fault in during direct IO append write", " - tools headers arm64: Sync arm64's cputype.h with the kernel sources", " - mm/hugetlb: fix potential race in __update_and_free_hugetlb_folio()", " - xfs: fix log recovery buffer allocation for the legacy h_size fixup", " - mptcp: pm: reduce indentation blocks", " - mptcp: pm: don't try to create sf if alloc failed", " - mptcp: pm: do not ignore 'subflow' if 'signal' flag is also set", " - selftests: mptcp: join: ability to invert ADD_ADDR check", " - selftests: mptcp: join: test both signal & subflow", " - Revert \"selftests: mptcp: simult flows: mark 'unbalanced' tests as flaky\"", " - btrfs: fix double inode unlock for direct IO sync writes", " - perf/x86/intel/cstate: Switch to new Intel CPU model defines", " - perf/x86/intel/cstate: Add Arrowlake support", " - perf/x86/intel/cstate: Add Lunarlake support", " - perf/x86/intel/cstate: Add pkg C2 residency counter for Sierra Forest", " - platform/x86: 
intel-vbtn: Protect ACPI notify handler against recursion", " - perf/x86/amd: Use try_cmpxchg() in events/amd/{un,}core.c", " - perf/x86/intel: Support the PEBS event mask", " - perf/x86: Support counter mask", " - perf/x86: Fix smp_processor_id()-in-preemptible warnings", " - virtio-net: unbreak vq resizing when coalescing is not negotiated", " - net: dsa: microchip: Fix Wake-on-LAN check to not return an error", " - net: dsa: microchip: disable EEE for KSZ8567/KSZ9567/KSZ9896/KSZ9897.", " - regmap: kunit: Use a KUnit action to call regmap_exit()", " - regmap: kunit: Replace a kmalloc/kfree() pair with KUnit-managed alloc", " - regmap: kunit: Fix memory leaks in gen_regmap() and gen_raw_regmap()", " - debugobjects: Annotate racy debug variables", " - nvme: apple: fix device reference counting", " - cpufreq: amd-pstate: Allow users to write 'default' EPP string", " - cpufreq: amd-pstate: auto-load pstate driver by default", " - soc: qcom: icc-bwmon: Allow for interrupts to be shared across instances", " - ACPI: resource: Skip IRQ override on Asus Vivobook Pro N6506MU", " - ACPI: resource: Skip IRQ override on Asus Vivobook Pro N6506MJ", " - thermal: intel: hfi: Give HFI instances package scope", " - wifi: ath12k: fix race due to setting ATH12K_FLAG_EXT_IRQ_ENABLED too early", " - wifi: rtlwifi: handle return value of usb init TX/RX", " - wifi: rtw89: pci: fix RX tag race condition resulting in wrong RX length", " - wifi: mac80211: fix NULL dereference at band check in starting tx ba session", " - bpf: add missing check_func_arg_reg_off() to prevent out-of-bounds memory", " accesses", " - mlxsw: pci: Lock configuration space of upstream bridge during reset", " - btrfs: do not BUG_ON() when freeing tree block after error", " - btrfs: reduce nesting for extent processing at btrfs_lookup_extent_info()", " - btrfs: fix data race when accessing the last_trans field of a root", " - drm/xe/preempt_fence: enlarge the fence critical section", " - drm/amd/display: Handle 
HPD_IRQ for internal link", " - drm/amd/amdkfd: Fix a resource leak in svm_range_validate_and_map()", " - drm/xe/xe_guc_submit: Fix exec queue stop race condition", " - drm/amd/display: Add null checks for 'stream' and 'plane' before", " dereferencing", " - drm/amd/display: Wake DMCUB before sending a command for replay feature", " - drm/amd/display: reduce ODM slice count to initial new dc state only when", " needed", " - of: Add cleanup.h based auto release via __free(device_node) markings", " - media: i2c: ov5647: replacing of_node_put with __free(device_node)", " - drm/amd/display: Fix null pointer deref in dcn20_resource.c", " - ext4: sanity check for NULL pointer after ext4_force_shutdown", " - mm, slub: do not call do_slab_free for kfence object", " - ASoC: cs35l56: Revert support for dual-ownership of ASP registers", " - drm/atomic: allow no-op FB_ID updates for async flips", " - drm/amd/display: Replace dm_execute_dmub_cmd with", " dc_wake_and_execute_dmub_cmd", " - drm/xe/rtp: Fix off-by-one when processing rules", " - drm/xe: Use dma_fence_chain_free in chain fence unused as a sync", " - drm/xe/hwmon: Fix PL1 disable flow in xe_hwmon_power_max_write", " - drm/xe: Move lrc snapshot capturing to xe_lrc.c", " - drm/xe: Minor cleanup in LRC handling", " - drm/test: fix the gem shmem test to map the sg table.", " - usb: typec: pd: no opencoding of FIELD_GET", " - usb: typec: fsa4480: Check if the chip is really there", " - PM: runtime: Simplify pm_runtime_get_if_active() usage", " - scsi: ufs: core: Fix deadlock during RTC update", " - serial: sc16is7xx: fix invalid FIFO access with special register set", " - tracing: Have format file honor EVENT_FILE_FL_FREED", " - mm: list_lru: fix UAF for memory cgroup", " - net/tcp: Disable TCP-AO static key after RCU grace period", " - Revert \"drm/amd/display: Handle HPD_IRQ for internal link\"", " - idpf: fix memleak in vport interrupt configuration", " - drm/amd/display: Add null check in 
resource_log_pipe_topology_update", " - Upstream stable to v6.6.46, v6.10.5", " * Noble update: upstream stable patchset 2024-10-02 (LP: #2083488)", " - sysctl: allow change system v ipc sysctls inside ipc namespace", " - sysctl: allow to change limits for posix messages queues", " - sysctl: treewide: drop unused argument ctl_table_root::set_ownership(table)", " - ext4: factor out a common helper to query extent map", " - ext4: check the extent status again before inserting delalloc block", " - leds: trigger: Store brightness set by led_trigger_event()", " - leds: trigger: Call synchronize_rcu() before calling trig->activate()", " - KVM: VMX: Move posted interrupt descriptor out of VMX code", " - fbdev/vesafb: Replace references to global screen_info by local pointer", " - video: Add helpers for decoding screen_info", " - [Config] Update CONFIG_SCREEN_INFO", " - video: Provide screen_info_get_pci_dev() to find screen_info's PCI device", " - firmware/sysfb: Update screen_info for relocated EFI framebuffers", " - mm: page_alloc: control latency caused by zone PCP draining", " - mm/page_alloc: fix pcp->count race between drain_pages_zone() vs", " __rmqueue_pcplist()", " - f2fs: fix to avoid use SSR allocate when do defragment", " - f2fs: assign CURSEG_ALL_DATA_ATGC if blkaddr is valid", " - dmaengine: fsl-edma: add address for channel mux register in fsl_edma_chan", " - dmaengine: fsl-edma: add i.MX8ULP edma support", " - perf: imx_perf: fix counter start and config sequence", " - MIPS: Loongson64: DTS: Fix PCIe port nodes for ls7a", " - MIPS: dts: loongson: Fix liointc IRQ polarity", " - MIPS: dts: loongson: Fix ls2k1000-rtc interrupt", " - ARM: 9406/1: Fix callchain_trace() return value", " - HID: amd_sfh: Move sensor discovery before HID device initialization", " - perf tool: fix dereferencing NULL al->maps", " - drm/nouveau: prime: fix refcount underflow", " - drm/vmwgfx: Fix overlay when using Screen Targets", " - drm/vmwgfx: Trigger a modeset when the screen 
moves", " - sched: act_ct: take care of padding in struct zones_ht_key", " - wifi: cfg80211: fix reporting failed MLO links status with", " cfg80211_connect_done", " - net: phy: realtek: add support for RTL8366S Gigabit PHY", " - ALSA: hda: conexant: Fix headset auto detect fail in the polling mode", " - Bluetooth: btintel: Fail setup on error", " - Bluetooth: hci_sync: Fix suspending with wrong filter policy", " - tcp: annotate data-races around tp->window_clamp", " - tcp: Adjust clamping window for applications specifying SO_RCVBUF", " - net: axienet: start napi before enabling Rx/Tx", " - rtnetlink: Don't ignore IFLA_TARGET_NETNSID when ifname is specified in", " rtnl_dellink().", " - i915/perf: Remove code to update PWR_CLK_STATE for gen12", " - ice: respect netif readiness in AF_XDP ZC related ndo's", " - ice: don't busy wait for Rx queue disable in ice_qp_dis()", " - ice: replace synchronize_rcu with synchronize_net", " - ice: add missing WRITE_ONCE when clearing ice_rx_ring::xdp_prog", " - drm/i915/hdcp: Fix HDCP2_STREAM_STATUS macro", " - net: mvpp2: Don't re-use loop iterator", " - net: phy: micrel: Fix the KSZ9131 MDI-X status issue", " - ALSA: hda: Conditionally use snooping for AMD HDMI", " - netfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init().", " - netfilter: iptables: Fix potential null-ptr-deref in", " ip6table_nat_table_init().", " - net/mlx5: Always drain health in shutdown callback", " - net/mlx5: Fix error handling in irq_pool_request_irq", " - net/mlx5: Lag, don't use the hardcoded value of the first port", " - net/mlx5: Fix missing lock on sync reset reload", " - net/mlx5e: Require mlx5 tc classifier action support for IPsec prio", " capability", " - net/mlx5e: Fix CT entry update leaks of modify header context", " - net/mlx5e: Add a check for the return value from mlx5_port_set_eth_ptys", " - igc: Fix double reset adapter triggered from a single taprio cmd", " - ipv6: fix ndisc_is_useropt() handling for PIO", " - perf: riscv: 
Fix selecting counters in legacy mode", " - riscv/mm: Add handling for VM_FAULT_SIGSEGV in mm_fault_error()", " - riscv: Fix linear mapping checks for non-contiguous memory regions", " - arm64: jump_label: Ensure patched jump_labels are visible to all CPUs", " - rust: SHADOW_CALL_STACK is incompatible with Rust", " - platform/chrome: cros_ec_proto: Lock device when updating MKBP version", " - HID: wacom: Modify pen IDs", " - btrfs: zoned: fix zone_unusable accounting on making block group read-write", " again", " - btrfs: do not subtract delalloc from avail bytes", " - protect the fetch of ->fd[fd] in do_dup2() from mispredictions", " - mptcp: sched: check both directions for backup", " - ALSA: usb-audio: Correct surround channels in UAC1 channel map", " - ALSA: hda/realtek: Add quirk for Acer Aspire E5-574G", " - ALSA: seq: ump: Optimize conversions from SysEx to UMP", " - Revert \"ALSA: firewire-lib: obsolete workqueue for period update\"", " - Revert \"ALSA: firewire-lib: operate for period elapse event in process", " context\"", " - drm/vmwgfx: Fix a deadlock in dma buf fence polling", " - drm/virtio: Fix type of dma-fence context variable", " - drm/i915: Fix possible int overflow in skl_ddi_calculate_wrpll()", " - net: usb: sr9700: fix uninitialized variable use in sr_mdio_read", " - r8169: don't increment tx_dropped in case of NETDEV_TX_BUSY", " - mptcp: fix user-space PM announced address accounting", " - mptcp: distinguish rcv vs sent backup flag in requests", " - mptcp: fix NL PM announced address accounting", " - mptcp: mib: count MPJ with backup flag", " - mptcp: fix bad RCVPRUNED mib accounting", " - mptcp: pm: only set request_bkup flag when sending MP_PRIO", " - mptcp: fix duplicate data handling", " - selftests: mptcp: always close input's FD if opened", " - selftests: mptcp: join: validate backup in MPJ", " - selftests: mptcp: join: check backup support in signal endp", " - mm/huge_memory: mark racy access onhuge_anon_orders_always", " - mm: fix 
khugepaged activation policy", " - x86/cpu/vfm: Add/initialize x86_vfm field to struct cpuinfo_x86", " - perf/x86/intel: Switch to new Intel CPU model defines", " - perf/x86/intel: Add a distinct name for Granite Rapids", " - drm/gpuvm: fix missing dependency to DRM_EXEC", " - netlink: specs: correct the spec of ethtool", " - ethtool: rss: echo the context number back", " - wifi: cfg80211: correct S1G beacon length calculation", " - ethtool: fix setting key and resetting indir at once", " - ice: modify error handling when setting XSK pool in ndo_bpf", " - ice: toggle netif_carrier when setting up XSK pool", " - ice: improve updating ice_{t,r}x_ring::xsk_pool", " - ice: xsk: fix txq interrupt mapping", " - drm/atomic: Allow userspace to use explicit sync with atomic async flips", " - drm/atomic: Allow userspace to use damage clips with async flips", " - riscv/purgatory: align riscv_kernel_entry", " - perf arch events: Fix duplicate RISC-V SBI firmware event name", " - RISC-V: Enable the IPI before workqueue_online_cpu()", " - ceph: force sending a cap update msg back to MDS for revoke op", " - drm/vmwgfx: Remove unused code", " - drm/vmwgfx: Fix handling of dumb buffers", " - drm/v3d: Prevent out of bounds access in performance query extensions", " - drm/v3d: Fix potential memory leak in the timestamp extension", " - drm/v3d: Fix potential memory leak in the performance extension", " - drm/v3d: Validate passed in drm syncobj handles in the timestamp extension", " - drm/v3d: Validate passed in drm syncobj handles in the performance extension", " - nouveau: set placement to original placement on uvmm validate.", " - wifi: ath12k: fix soft lockup on suspend", " - mptcp: pm: fix backup support in signal endpoints", " - selftests: mptcp: fix error path", " - Upstream stable to v6.6.45, v6.10.4", " * [SRU] Fix AST DP output after resume (LP: #2083022) // Noble update:", " upstream stable patchset 2024-10-02 (LP: #2083488)", " - drm/ast: astdp: Wake up during connector 
status detection", " - drm/ast: Fix black screen after resume", " * [SRU]Fail to locate the LED of NVME disk behind Intel VMD (LP: #2077287) //", " Noble update: upstream stable patchset 2024-10-02 (LP: #2083488)", " - PCI: pciehp: Retain Power Indicator bits for userspace indicators", " * Noble update: upstream stable patchset 2024-09-30 (LP: #2083196)", " - powerpc/configs: Update defconfig with now user-visible CONFIG_FSL_IFC", " - spi: spi-microchip-core: Fix the number of chip selects supported", " - spi: atmel-quadspi: Add missing check for clk_prepare", " - EDAC, i10nm: make skx_common.o a separate module", " - rcu/tasks: Fix stale task snaphot for Tasks Trace", " - platform/chrome: cros_ec_debugfs: fix wrong EC message version", " - ubd: refactor the interrupt handler", " - ubd: untagle discard vs write zeroes not support handling", " - block: initialize integrity buffer to zero before writing it to media", " - x86/kconfig: Add as-instr64 macro to properly evaluate AS_WRUSS", " - hfsplus: fix to avoid false alarm of circular locking", " - x86/of: Return consistent error type from x86_of_pci_irq_enable()", " - x86/pci/intel_mid_pci: Fix PCIBIOS_* return code handling", " - x86/pci/xen: Fix PCIBIOS_* return code handling", " - x86/platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos", " - cgroup/cpuset: Prevent UAF in proc_cpuset_show()", " - hwmon: (adt7475) Fix default duty on fan is disabled", " - block: Call .limit_depth() after .hctx has been set", " - block/mq-deadline: Fix the tag reservation code", " - md: Don't wait for MD_RECOVERY_NEEDED for HOT_REMOVE_DISK ioctl", " - pwm: stm32: Always do lazy disabling", " - nvmet-auth: fix nvmet_auth hash error handling", " - drm/meson: fix canvas release in bind function", " - pwm: atmel-tcb: Fix race condition and convert to guards", " - hwmon: (max6697) Fix underflow when writing limit attributes", " - hwmon: (max6697) Fix swapped temp{1,8} critical alarms", " - arm64: dts: qcom: sc8180x: Correct PCIe 
slave ports", " - arm64: dts: qcom: sc8180x: add power-domain to UFS PHY", " - arm64: dts: qcom: sdm845: add power-domain to UFS PHY", " - arm64: dts: qcom: sm6115: add power-domain to UFS PHY", " - arm64: dts: qcom: sm6350: add power-domain to UFS PHY", " - arm64: dts: qcom: sm8250: add power-domain to UFS PHY", " - arm64: dts: qcom: sm8350: add power-domain to UFS PHY", " - arm64: dts: qcom: sm8450: add power-domain to UFS PHY", " - arm64: dts: qcom: msm8996-xiaomi-common: drop excton from the USB PHY", " - arm64: dts: qcom: sdm850-lenovo-yoga-c630: fix IPA firmware path", " - arm64: dts: qcom: msm8998: enable adreno_smmu by default", " - soc: qcom: pmic_glink: Handle the return value of pmic_glink_init", " - soc: qcom: rpmh-rsc: Ensure irqs aren't disabled by rpmh_rsc_send_data()", " callers", " - arm64: dts: rockchip: Add sdmmc related properties on rk3308-rock-pi-s", " - arm64: dts: rockchip: Add pinctrl for UART0 to rk3308-rock-pi-s", " - arm64: dts: rockchip: Add mdio and ethernet-phy nodes to rk3308-rock-pi-s", " - arm64: dts: rockchip: Update WIFi/BT related nodes on rk3308-rock-pi-s", " - arm64: dts: qcom: msm8996: specify UFS core_clk frequencies", " - arm64: dts: qcom: sa8775p: mark ethernet devices as DMA-coherent", " - soc: xilinx: rename cpu_number1 to dummy_cpu_number", " - ARM: dts: sunxi: remove duplicated entries in makefile", " - ARM: dts: stm32: Add arm,no-tick-in-suspend to STM32MP15xx STGEN timer", " - arm64: dts: qcom: qrb4210-rb2: make L9A always-on", " - cpufreq: ti-cpufreq: Handle deferred probe with dev_err_probe()", " - OPP: ti: Fix ti_opp_supply_probe wrong return values", " - memory: fsl_ifc: Make FSL_IFC config visible and selectable", " - arm64: dts: ti: k3-am62x: Drop McASP AFIFOs", " - arm64: dts: ti: k3-am625-beagleplay: Drop McASP AFIFOs", " - arm64: dts: ti: k3-am62-verdin: Drop McASP AFIFOs", " - arm64: dts: qcom: qdu1000: Add secure qfprom node", " - soc: qcom: icc-bwmon: Fix refcount imbalance seen during bwmon_remove", " - 
soc: qcom: pdr: protect locator_addr with the main mutex", " - soc: qcom: pdr: fix parsing of domains lists", " - arm64: dts: rockchip: Increase VOP clk rate on RK3328", " - arm64: dts: amlogic: sm1: fix spdif compatibles", " - ARM: dts: imx6qdl-kontron-samx6i: fix phy-mode", " - ARM: dts: imx6qdl-kontron-samx6i: fix PHY reset", " - ARM: dts: imx6qdl-kontron-samx6i: fix board reset", " - ARM: dts: imx6qdl-kontron-samx6i: fix SPI0 chip selects", " - ARM: dts: imx6qdl-kontron-samx6i: fix PCIe reset polarity", " - arm64: dts: mediatek: mt8195: Fix GPU thermal zone name for SVS", " - arm64: dts: mediatek: mt8183-kukui: Drop bogus output-enable property", " - arm64: dts: mediatek: mt8192-asurada: Add off-on-delay-us for", " pp3300_mipibrdg", " - arm64: dts: mediatek: mt7622: fix \"emmc\" pinctrl mux", " - arm64: dts: mediatek: mt8183-kukui: Fix the value of `dlg,jack-det-rate`", " mismatch", " - arm64: dts: mediatek: mt8183-kukui-jacuzzi: Add ports node for anx7625", " - arm64: dts: amlogic: gx: correct hdmi clocks", " - arm64: dts: amlogic: add power domain to hdmitx", " - arm64: dts: amlogic: setup hdmi system clock", " - arm64: dts: rockchip: Drop invalid mic-in-differential on rk3568-rock-3a", " - arm64: dts: rockchip: Fix mic-in-differential usage on rk3566-roc-pc", " - arm64: dts: rockchip: Fix mic-in-differential usage on rk3568-evb1-v10", " - arm64: dts: renesas: r8a779a0: Add missing hypervisor virtual timer IRQ", " - arm64: dts: renesas: r8a779f0: Add missing hypervisor virtual timer IRQ", " - arm64: dts: renesas: r8a779g0: Add missing hypervisor virtual timer IRQ", " - arm64: dts: renesas: r9a07g043u: Add missing hypervisor virtual timer IRQ", " - arm64: dts: renesas: r9a07g044: Add missing hypervisor virtual timer IRQ", " - arm64: dts: renesas: r9a07g054: Add missing hypervisor virtual timer IRQ", " - m68k: atari: Fix TT bootup freeze / unexpected (SCU) interrupt messages", " - arm64: dts: imx8mp: Fix pgc_mlmix location", " - arm64: dts: imx8mp: add HDMI 
power-domains", " - arm64: dts: imx8mp: Fix pgc vpu locations", " - x86/xen: Convert comma to semicolon", " - arm64: dts: rockchip: Add missing power-domains for rk356x vop_mmu", " - arm64: dts: rockchip: fix regulator name for Lunzn Fastrhino R6xS", " - arm64: dts: rockchip: fix usb regulator for Lunzn Fastrhino R6xS", " - arm64: dts: rockchip: fix pmu_io supply for Lunzn Fastrhino R6xS", " - arm64: dts: rockchip: remove unused usb2 nodes for Lunzn Fastrhino R6xS", " - arm64: dts: rockchip: disable display subsystem for Lunzn Fastrhino R6xS", " - arm64: dts: rockchip: fixes PHY reset for Lunzn Fastrhino R68S", " - arm64: dts: qcom: sm6350: Add missing qcom,non-secure-domain property", " - cpufreq/amd-pstate: Fix the scaling_max_freq setting on shared memory CPPC", " systems", " - m68k: cmpxchg: Fix return value for default case in __arch_xchg()", " - ARM: spitz: fix GPIO assignment for backlight", " - vmlinux.lds.h: catch .bss..L* sections into BSS\")", " - firmware: turris-mox-rwtm: Do not complete if there are no waiters", " - firmware: turris-mox-rwtm: Fix checking return value of", " wait_for_completion_timeout()", " - firmware: turris-mox-rwtm: Initialize completion before mailbox", " - wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device", " - wifi: ath12k: Correct 6 GHz frequency value in rx status", " - wifi: ath12k: Fix tx completion ring (WBM2SW) setup failure", " - bpftool: Un-const bpf_func_info to fix it for llvm 17 and newer", " - selftests/bpf: Fix prog numbers in test_sockmap", " - net: esp: cleanup esp_output_tail_tcp() in case of unsupported ESPINTCP", " - wifi: ath12k: change DMA direction while mapping reinjected packets", " - wifi: ath12k: fix invalid memory access while processing fragmented packets", " - wifi: ath12k: fix firmware crash during reo reinject", " - wifi: ath11k: fix wrong definition of CE ring's base address", " - wifi: ath12k: fix wrong definition of CE ring's base address", " - tcp: add tcp_done_with_error() 
helper", " - tcp: fix race in tcp_write_err()", " - tcp: fix races in tcp_v[46]_err()", " - net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when", " CONFIG_ARCH_NO_SG_CHAIN is defined", " - selftests/bpf: Check length of recv in test_sockmap", " - udf: Fix lock ordering in udf_evict_inode()", " - lib: objagg: Fix general protection fault", " - mlxsw: spectrum_acl_erp: Fix object nesting warning", " - mlxsw: spectrum_acl: Fix ACL scale regression and firmware errors", " - perf/x86: Serialize set_attr_rdpmc()", " - jump_label: Fix concurrency issues in static_key_slow_dec()", " - wifi: ath11k: fix wrong handling of CCMP256 and GCMP ciphers", " - wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he()", " - wifi: cfg80211: handle 2x996 RU allocation in", " cfg80211_calculate_bitrate_he()", " - udf: Fix bogus checksum computation in udf_rename()", " - net: fec: Refactor: #define magic constants", " - net: fec: Fix FEC_ECR_EN1588 being cleared on link-down", " - libbpf: Checking the btf_type kind when fixing variable offsets", " - xfrm: Fix unregister netdevice hang on hardware offload.", " - ipvs: Avoid unnecessary calls to skb_is_gso_sctp", " - netfilter: nf_tables: rise cap on SELinux secmark context", " - wifi: rtw89: 8852b: fix definition of KIP register number", " - wifi: rtl8xxxu: 8188f: Limit TX power index", " - xfrm: Export symbol xfrm_dev_state_delete.", " - bpftool: Mount bpffs when pinmaps path not under the bpffs", " - perf/x86/intel/pt: Fix pt_topa_entry_for_page() address calculation", " - perf: Fix perf_aux_size() for greater-than 32-bit size", " - perf: Prevent passing zero nr_pages to rb_alloc_aux()", " - perf: Fix default aux_watermark calculation", " - perf/x86/intel/cstate: Fix Alderlake/Raptorlake/Meteorlake", " - wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter()", " - xfrm: fix netdev reference count imbalance", " - xfrm: call xfrm_dev_policy_delete when kill policy", " - wifi: virt_wifi: avoid reporting connection 
success with wrong SSID", " - gss_krb5: Fix the error handling path for crypto_sync_skcipher_setkey", " - wifi: virt_wifi: don't use strlen() in const context", " - locking/rwsem: Add __always_inline annotation to __down_write_common() and", " inlined callers", " - selftests/bpf: Close fd in error path in drop_on_reuseport", " - selftests/bpf: Null checks for links in bpf_tcp_ca", " - selftests/bpf: Close obj in error path in xdp_adjust_tail", " - selftests/resctrl: Convert perror() to ksft_perror() or ksft_print_msg()", " - selftests/resctrl: Fix closing IMC fds on error and open-code R+W instead of", " loops", " - bpf: annotate BTF show functions with __printf", " - bna: adjust 'name' buf size of bna_tcb and bna_ccb structures", " - bpf: Eliminate remaining \"make W=1\" warnings in kernel/bpf/btf.o", " - bpf: Fix null pointer dereference in resolve_prog_type() for", " BPF_PROG_TYPE_EXT", " - selftests: forwarding: devlink_lib: Wait for udev events after reloading", " - Bluetooth: hci_bcm4377: Use correct unit for timeouts", " - Bluetooth: btintel: Refactor btintel_set_ppag()", " - Bluetooth: btnxpuart: Add handling for boot-signature timeout errors", " - xdp: fix invalid wait context of page_pool_destroy()", " - net: bridge: mst: Check vlan state for egress decision", " - drm/rockchip: vop2: Fix the port mux of VP2", " - drm/arm/komeda: Fix komeda probe failing if there are no links in the", " secondary pipeline", " - drm/amdkfd: Fix CU Masking for GFX 9.4.3", " - drm/mipi-dsi: Fix theoretical int overflow in mipi_dsi_dcs_write_seq()", " - drm/mipi-dsi: Fix theoretical int overflow in mipi_dsi_generic_write_seq()", " - drm/amd/pm: Fix aldebaran pcie speed reporting", " - drm/amdgpu: Fix memory range calculation", " - drm/amdgpu: Check if NBIO funcs are NULL in amdgpu_device_baco_exit", " - drm/amdgpu: Remove GC HW IP 9.3.0 from noretry=1", " - drm/panel: himax-hx8394: Handle errors from mipi_dsi_dcs_set_display_on()", " better", " - drm/panel: boe-tv101wum-nl6: 
If prepare fails, disable GPIO before", " regulators", " - drm/panel: boe-tv101wum-nl6: Check for errors on the NOP in prepare()", " - drm/bridge: Fixed a DP link training bug", " - drm/bridge: it6505: fix hibernate to resume no display issue", " - media: pci: ivtv: Add check for DMA map result", " - media: imon: Fix race getting ictx->lock", " - media: i2c: Fix imx412 exposure control", " - media: v4l: async: Fix NULL pointer dereference in adding ancillary links", " - s390/mm: Convert make_page_secure to use a folio", " - s390/mm: Convert gmap_make_secure to use a folio", " - s390/uv: Don't call folio_wait_writeback() without a folio reference", " - media: mediatek: vcodec: Handle invalid decoder vsi", " - x86/shstk: Make return uprobe work with shadow stack", " - ipmi: ssif_bmc: prevent integer overflow on 32bit systems", " - saa7134: Unchecked i2c_transfer function result fixed", " - media: i2c: imx219: fix msr access command sequence", " - media: uvcvideo: Disable autosuspend for Insta360 Link", " - media: uvcvideo: Quirk for invalid dev_sof in Logitech C922", " - media: uvcvideo: Add quirk for invalid dev_sof in Logitech C920", " - media: uvcvideo: Override default flags", " - drm: zynqmp_dpsub: Fix an error handling path in zynqmp_dpsub_probe()", " - drm: zynqmp_kms: Fix AUX bus not getting unregistered", " - media: rcar-vin: Fix YUYV8_1X16 handling for CSI-2", " - media: rcar-csi2: Disable runtime_pm in probe error", " - media: rcar-csi2: Cleanup subdevice in remove()", " - media: renesas: vsp1: Fix _irqsave and _irq mix", " - media: renesas: vsp1: Store RPF partition configuration per RPF instance", " - drm/mediatek: Add missing plane settings when async update", " - drm/mediatek: Use 8-bit alpha in ETHDR", " - drm/mediatek: Fix XRGB setting error in OVL", " - drm/mediatek: Fix XRGB setting error in Mixer", " - drm/mediatek: Fix destination alpha error in OVL", " - drm/mediatek: Turn off the layers with zero width or height", " - drm/mediatek: Add OVL 
compatible name for MT8195", " - media: imx-jpeg: Drop initial source change event if capture has been setup", " - leds: trigger: Unregister sysfs attributes before calling deactivate()", " - drm/msm/dsi: set VIDEO_COMPRESSION_MODE_CTRL_WC", " - drm/msm/dpu: drop validity checks for clear_pending_flush() ctl op", " - perf test: Make test_arm_callgraph_fp.sh more robust", " - perf pmus: Fixes always false when compare duplicates aliases", " - perf report: Fix condition in sort__sym_cmp()", " - drm/etnaviv: fix DMA direction handling for cached RW buffers", " - drm/qxl: Add check for drm_cvt_mode", " - Revert \"leds: led-core: Fix refcount leak in of_led_get()\"", " - drm/mediatek: Remove less-than-zero comparison of an unsigned value", " - ext4: fix infinite loop when replaying fast_commit", " - drm/mediatek/dp: switch to ->edid_read callback", " - drm/mediatek/dp: Fix spurious kfree()", " - media: venus: flush all buffers in output plane streamoff", " - perf intel-pt: Fix aux_watermark calculation for 64-bit size", " - perf intel-pt: Fix exclude_guest setting", " - mfd: rsmu: Split core code into separate module", " - mfd: omap-usb-tll: Use struct_size to allocate tll", " - xprtrdma: Fix rpcrdma_reqs_reset()", " - SUNRPC: avoid soft lockup when transmitting UDP to reachable server.", " - NFSv4.1 another fix for EXCHGID4_FLAG_USE_PNFS_DS for DS server", " - ext4: don't track ranges in fast_commit if inode has inlined data", " - ext4: avoid writing unitialized memory to disk in EA inodes", " - leds: flash: leds-qcom-flash: Test the correct variable in init", " - sparc64: Fix incorrect function signature and add prototype for", " prom_cif_init", " - SUNRPC: Fixup gss_status tracepoint error output", " - iio: Fix the sorting functionality in iio_gts_build_avail_time_table", " - PCI: Fix resource double counting on remove & rescan", " - PCI: keystone: Relocate ks_pcie_set/clear_dbi_mode()", " - PCI: keystone: Don't enable BAR 0 for AM654x", " - PCI: keystone: Fix NULL 
pointer dereference in case of DT error in", " ks_pcie_setup_rc_app_regs()", " - PCI: rcar: Demote WARN() to dev_warn_ratelimited() in rcar_pcie_wakeup()", " - scsi: ufs: mcq: Fix missing argument 'hba' in MCQ_OPR_OFFSET_n", " - clk: qcom: gcc-sc7280: Update force mem core bit for UFS ICE clock", " - clk: qcom: camcc-sc7280: Add parent dependency to all camera GDSCs", " - iio: frequency: adrf6780: rm clk provider include", " - coresight: Fix ref leak when of_coresight_parse_endpoint() fails", " - RDMA/mlx5: Set mkeys for dmabuf at PAGE_SIZE", " - ASoc: tas2781: Enable RCA-based playback without DSP firmware download", " - ASoC: cs35l56: Accept values greater than 0 as IRQ numbers", " - usb: typec-mux: nb7vpq904m: unregister typec switch on probe error and", " remove", " - RDMA/cache: Release GID table even if leak is detected", " - clk: qcom: gpucc-sm8350: Park RCG's clk source at XO during disable", " - clk: qcom: gcc-sa8775p: Update the GDSC wait_val fields and flags", " - clk: qcom: gpucc-sa8775p: Remove the CLK_IS_CRITICAL and ALWAYS_ON flags", " - clk: qcom: gpucc-sa8775p: Park RCG's clk source at XO during disable", " - clk: qcom: gpucc-sa8775p: Update wait_val fields for GPU GDSC's", " - interconnect: qcom: qcm2290: Fix mas_snoc_bimc RPM master ID", " - Input: qt1050 - handle CHIP_ID reading error", " - RDMA/mlx4: Fix truncated output warning in mad.c", " - RDMA/mlx4: Fix truncated output warning in alias_GUID.c", " - RDMA/mlx5: Use sq timestamp as QP timestamp when RoCE is disabled", " - RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs", " - ASoC: qcom: Adjust issues in case of DT error in", " asoc_qcom_lpass_cpu_platform_probe()", " - scsi: lpfc: Fix a possible null pointer dereference", " - hwrng: core - Fix wrong quality calculation at hw rng registration", " - powerpc/prom: Add CPU info to hardware description string later", " - ASoC: max98088: Check for clk_prepare_enable() error", " - mtd: make mtd_test.c a separate module", " - RDMA/device: Return 
error earlier if port in not valid", " - Input: elan_i2c - do not leave interrupt disabled on suspend failure", " - ASoC: amd: Adjust error handling in case of absent codec device", " - PCI: endpoint: Clean up error handling in vpci_scan_bus()", " - PCI: endpoint: Fix error handling in epf_ntb_epc_cleanup()", " - vhost/vsock: always initialize seqpacket_allow", " - net: missing check virtio", " - nvmem: rockchip-otp: set add_legacy_fixed_of_cells config option", " - crypto: qat - extend scope of lock in adf_cfg_add_key_value_param()", " - clk: qcom: kpss-xcc: Return of_clk_add_hw_provider to transfer the error", " - clk: qcom: Park shared RCGs upon registration", " - clk: en7523: fix rate divider for slic and spi clocks", " - MIPS: Octeron: remove source file executable bit", " - PCI: qcom-ep: Disable resources unconditionally during PERST# assert", " - PCI: dwc: Fix index 0 incorrectly being interpreted as a free ATU slot", " - powerpc/xmon: Fix disassembly CPU feature checks", " - macintosh/therm_windtunnel: fix module unload.", " - RDMA/hns: Check atomic wr length", " - RDMA/hns: Fix unmatch exception handling when init eq table fails", " - RDMA/hns: Fix missing pagesize and alignment check in FRMR", " - RDMA/hns: Fix shift-out-bounds when max_inline_data is 0", " - RDMA/hns: Fix undifined behavior caused by invalid max_sge", " - RDMA/hns: Fix insufficient extend DB for VFs.", " - iommu/vt-d: Fix identity map bounds in si_domain_init()", " - RDMA/core: Remove NULL check before dev_{put, hold}", " - RDMA: Fix netdev tracker in ib_device_set_netdev", " - bnxt_re: Fix imm_data endianness", " - netfilter: ctnetlink: use helper function to calculate expect ID", " - netfilter: nf_set_pipapo: fix initial map fill", " - ipvs: properly dereference pe in ip_vs_add_service", " - gve: Fix XDP TX completion handling when counters overflow", " - net: flow_dissector: use DEBUG_NET_WARN_ON_ONCE", " - ipv4: Fix incorrect TOS in route get reply", " - ipv4: Fix incorrect TOS in 
fibmatch route get reply", " - net: dsa: mv88e6xxx: Limit chip-wide frame size config to CPU ports", " - net: dsa: b53: Limit chip-wide jumbo frame config to CPU ports", " - fs/ntfs3: Merge synonym COMPRESSION_UNIT and NTFS_LZNT_CUNIT", " - fs/ntfs3: Fix transform resident to nonresident for compressed files", " - fs/ntfs3: Deny getting attr data block in compressed frame", " - fs/ntfs3: Missed NI_FLAG_UPDATE_PARENT setting", " - fs/ntfs3: Fix getting file type", " - fs/ntfs3: Add missing .dirty_folio in address_space_operations", " - pinctrl: rockchip: update rk3308 iomux routes", " - pinctrl: core: fix possible memory leak when pinctrl_enable() fails", " - pinctrl: single: fix possible memory leak when pinctrl_enable() fails", " - pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable()", " fails", " - pinctrl: freescale: mxs: Fix refcount of child", " - fs/ntfs3: Replace inode_trylock with inode_lock", " - fs/ntfs3: Correct undo if ntfs_create_inode failed", " - fs/ntfs3: Drop stray '\\' (backslash) in formatting string", " - fs/ntfs3: Fix field-spanning write in INDEX_HDR", " - pinctrl: renesas: r8a779g0: Fix CANFD5 suffix", " - pinctrl: renesas: r8a779g0: Fix FXR_TXEN[AB] suffixes", " - pinctrl: renesas: r8a779g0: Fix (H)SCIF1 suffixes", " - pinctrl: renesas: r8a779g0: Fix (H)SCIF3 suffixes", " - pinctrl: renesas: r8a779g0: Fix IRQ suffixes", " - pinctrl: renesas: r8a779g0: FIX PWM suffixes", " - pinctrl: renesas: r8a779g0: Fix TCLK suffixes", " - pinctrl: renesas: r8a779g0: Fix TPU suffixes", " - fs/proc/task_mmu: indicate PM_FILE for PMD-mapped file THP", " - fs/proc/task_mmu.c: add_to_pagemap: remove useless parameter addr", " - fs/proc/task_mmu: don't indicate PM_MMAP_EXCLUSIVE without PM_PRESENT", " - fs/proc/task_mmu: properly detect PM_MMAP_EXCLUSIVE per page of PMD-mapped", " THPs", " - nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro", " - rtc: interface: Add RTC offset to alarm after fix-up", " - fs/ntfs3: Fix the format of the 
\"nocase\" mount option", " - fs/ntfs3: Missed error return", " - fs/ntfs3: Keep runs for $MFT::$ATTR_DATA and $MFT::$ATTR_BITMAP", " - powerpc/8xx: fix size given to set_huge_pte_at()", " - s390/dasd: fix error checks in dasd_copy_pair_store()", " - sbitmap: use READ_ONCE to access map->word", " - sbitmap: fix io hung due to race on sbitmap_word::cleared", " - LoongArch: Check TIF_LOAD_WATCH to enable user space watchpoint", " - landlock: Don't lose track of restrictions on cred_transfer", " - hugetlb: force allocating surplus hugepages on mempolicy allowed nodes", " - mm/hugetlb: fix possible recursive locking detected warning", " - mm/mglru: fix div-by-zero in vmpressure_calc_level()", " - mm: mmap_lock: replace get_memcg_path_buf() with on-stack buffer", " - mm/mglru: fix overshooting shrinker memory", " - x86/efistub: Avoid returning EFI_SUCCESS on error", " - x86/efistub: Revert to heap allocated boot_params for PE entrypoint", " - exfat: fix potential deadlock on __exfat_get_dentry_set", " - dt-bindings: thermal: correct thermal zone node name limit", " - tick/broadcast: Make takeover of broadcast hrtimer reliable", " - net: netconsole: Disable target before netpoll cleanup", " - af_packet: Handle outgoing VLAN packets without hardware offloading", " - btrfs: fix extent map use-after-free when adding pages to compressed bio", " - kernel: rerun task_work while freezing in get_signal()", " - ipv4: fix source address selection with route leak", " - ipv6: take care of scope when choosing the src addr", " - NFSD: Support write delegations in LAYOUTGET", " - sched/fair: set_load_weight() must also call reweight_task() for SCHED_IDLE", " tasks", " - fuse: verify {g,u}id mount options correctly", " - ata: libata-scsi: Fix offsets for the fixed format sense data", " - char: tpm: Fix possible memory leak in tpm_bios_measurements_open()", " - media: venus: fix use after free in vdec_close", " - ata: libata-scsi: Do not overwrite valid sense data when CK_COND=1", " - 
hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()", " - ext2: Verify bitmap and itable block numbers before using them", " - io_uring/io-wq: limit retrying worker initialisation", " - drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes", " - drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes", " - scsi: qla2xxx: Fix optrom version displayed in FDMI", " - drm/amd/display: Check for NULL pointer", " - apparmor: use kvfree_sensitive to free data->data", " - cifs: fix potential null pointer use in destroy_workqueue in init_cifs error", " path", " - cifs: fix reconnect with SMB1 UNIX Extensions", " - cifs: mount with \"unix\" mount option for SMB1 incorrectly handled", " - task_work: s/task_work_cancel()/task_work_cancel_func()/", " - task_work: Introduce task_work_cancel() again", " - udf: Avoid using corrupted block bitmap buffer", " - m68k: amiga: Turn off Warp1260 interrupts during boot", " - ext4: check dot and dotdot of dx_root before making dir indexed", " - ext4: make sure the first directory block is not a hole", " - io_uring: tighten task exit cancellations", " - trace/pid_list: Change gfp flags in pid_list_fill_irq()", " - selftests/landlock: Add cred_transfer test", " - wifi: mwifiex: Fix interface type change", " - wifi: rtw88: usb: Fix disconnection after beacon loss", " - drivers: soc: xilinx: check return status of get_api_version()", " - leds: ss4200: Convert PCIBIOS_* return codes to errnos", " - leds: mt6360: Fix memory leak in mt6360_init_isnk_properties()", " - media: imx-pxp: Fix ERR_PTR dereference in pxp_probe()", " - jbd2: make jbd2_journal_get_max_txn_bufs() internal", " - jbd2: precompute number of transaction descriptor blocks", " - jbd2: avoid infinite transaction commit loop", " - media: uvcvideo: Fix integer overflow calculating timestamp", " - KVM: VMX: Split out the non-virtualization part of vmx_interrupt_blocked()", " - KVM: nVMX: Request immediate exit iff pending nested event 
needs injection", " - ALSA: ump: Don't update FB name for static blocks", " - ALSA: ump: Force 1 Group for MIDI1 FBs", " - ALSA: usb-audio: Fix microphone sound on HD webcam.", " - ALSA: usb-audio: Move HD Webcam quirk to the right place", " - ALSA: usb-audio: Add a quirk for Sonix HD USB Camera", " - tools/memory-model: Fix bug in lock.cat", " - hwrng: amd - Convert PCIBIOS_* return codes to errnos", " - parisc: Fix warning at drivers/pci/msi/msi.h:121", " - PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN", " - PCI: dw-rockchip: Fix initial PERST# GPIO value", " - PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio", " - PCI: loongson: Enable MSI in LS7A Root Complex", " - binder: fix hang of unregistered readers", " - hostfs: fix dev_t handling", " - efi/libstub: Zero initialize heap allocated struct screen_info", " - fs/ntfs3: Update log->page_{mask,bits} if log->page_size changed", " - scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds", " - ASoC: fsl: fsl_qmc_audio: Check devm_kasprintf() returned value", " - f2fs: fix to force buffered IO on inline_data inode", " - f2fs: fix to don't dirty inode for readonly filesystem", " - f2fs: fix return value of f2fs_convert_inline_inode()", " - f2fs: use meta inode for GC of atomic file", " - f2fs: use meta inode for GC of COW file", " - clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use", " - ubi: eba: properly rollback inside self_check_eba", " - block: fix deadlock between sd_remove & sd_release", " - mm: fix old/young bit handling in the faulting path", " - decompress_bunzip2: fix rare decompression failure", " - kbuild: Fix '-S -c' in x86 stack protector scripts", " - ASoC: SOF: ipc4-topology: Preserve the DMA Link ID for ChainDMA on unprepare", " - ASoC: amd: yc: Support mic on Lenovo Thinkpad E16 Gen 2", " - kobject_uevent: Fix OOB access within zap_modalias_env()", " - gve: Fix an edge case for TSO skb validity check", " - ice: Add a per-VF limit on 
number of FDIR filters", " - devres: Fix devm_krealloc() wasting memory", " - devres: Fix memory leakage caused by driver API devm_free_percpu()", " - irqdomain: Fixed unbalanced fwnode get and put", " - irqchip/imx-irqsteer: Handle runtime power management correctly", " - mm/numa_balancing: teach mpol_to_str about the balancing mode", " - rtc: cmos: Fix return value of nvmem callbacks", " - scsi: lpfc: Allow DEVICE_RECOVERY mode after RSCN receipt if in PRLI_ISSUE", " state", " - scsi: qla2xxx: During vport delete send async logout explicitly", " - scsi: qla2xxx: Unable to act on RSCN for port online", " - scsi: qla2xxx: Fix for possible memory corruption", " - scsi: qla2xxx: Use QP lock to search for bsg", " - scsi: qla2xxx: Reduce fabric scan duplicate code", " - scsi: qla2xxx: Fix flash read failure", " - scsi: qla2xxx: Complete command early within lock", " - scsi: qla2xxx: validate nvme_local_port correctly", " - perf: Fix event leak upon exit", " - perf: Fix event leak upon exec and file release", " - perf stat: Fix the hard-coded metrics calculation on the hybrid", " - perf/x86/intel/uncore: Fix the bits of the CHA extended umask for SPR", " - perf/x86/intel/ds: Fix non 0 retire latency on Raptorlake", " - perf/x86/intel/pt: Fix topa_entry base length", " - perf/x86/intel/pt: Fix a topa_entry base address calculation", " - drm/i915/gt: Do not consider preemption during execlists_dequeue for gen8", " - drm/amdgpu/sdma5.2: Update wptr registers as well as doorbell", " - drm/udl: Remove DRM_CONNECTOR_POLL_HPD", " - drm/dp_mst: Fix all mstb marked as not probed after suspend/resume", " - drm/amdgpu: reset vm state machine after gpu reset(vram lost)", " - drm/amd/amdgpu: Fix uninitialized variable warnings", " - drm/i915/dp: Reset intel_dp->link_trained before retraining the link", " - drm/i915/dp: Don't switch the LTTPR mode on an active link", " - rtc: isl1208: Fix return value of nvmem callbacks", " - rtc: abx80x: Fix return value of nvmem callback on read", 
" - watchdog/perf: properly initialize the turbo mode timestamp and rearm", " counter", " - platform: mips: cpu_hwmon: Disable driver on unsupported hardware", " - RDMA/iwcm: Fix a use-after-free related to destroying CM IDs", " - selftests/sigaltstack: Fix ppc64 GCC build", " - dm-verity: fix dm_is_verity_target() when dm-verity is builtin", " - rbd: don't assume rbd_is_lock_owner() for exclusive mappings", " - remoteproc: stm32_rproc: Fix mailbox interrupts queuing", " - remoteproc: imx_rproc: Skip over memory region when node value is NULL", " - remoteproc: imx_rproc: Fix refcount mistake in imx_rproc_addr_init", " - MIPS: dts: loongson: Add ISA node", " - MIPS: ip30: ip30-console: Add missing include", " - MIPS: dts: loongson: Fix GMAC phy node", " - MIPS: Loongson64: env: Hook up Loongsson-2K", " - MIPS: Loongson64: Remove memory node for builtin-dtb", " - MIPS: Loongson64: reset: Prioritise firmware service", " - MIPS: Loongson64: Test register availability before use", " - drm/etnaviv: don't block scheduler when GPU is still active", " - drm/panfrost: Mark simple_ondemand governor as softdep", " - rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait", " - rbd: don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings", " - lib/build_OID_registry: don't mention the full path of the script in output", " - video: logo: Drop full path of the input filename in generated file", " - Bluetooth: btusb: Add RTL8852BE device 0489:e125 to device tables", " - Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591", " - minmax: scsi: fix mis-use of 'clamp()' in sr.c", " - mm/mglru: fix ineffective protection calculation", " - PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal", " - f2fs: fix to truncate preallocated blocks in f2fs_file_open()", " - kdb: address -Wformat-security warnings", " - kdb: Use the passed prompt in kdb_position_cursor()", " - dmaengine: ti: k3-udma: Fix BCHAN count with UHC and HC channels", " - phy: cadence-torrent: Check 
return value on register read", " - phy: zynqmp: Enable reference clock correctly", " - um: time-travel: fix time-travel-start option", " - um: time-travel: fix signal blocking race/hang", " - f2fs: fix start segno of large section", " - watchdog: rzg2l_wdt: Use pm_runtime_resume_and_get()", " - watchdog: rzg2l_wdt: Check return status of pm_runtime_put()", " - f2fs: fix to update user block counts in block_operations()", " - kbuild: avoid build error when single DTB is turned into composite DTB", " - selftests/bpf: fexit_sleep: Fix stack allocation for arm64", " - libbpf: Fix no-args func prototype BTF dumping syntax", " - af_unix: Disable MSG_OOB handling for sockets in sockmap/sockhash", " - dma: fix call order in dmam_free_coherent", " - bpf, events: Use prog to emit ksymbol event for main program", " - tools/resolve_btfids: Fix comparison of distinct pointer types warning in", " resolve_btfids", " - MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later", " - ipv4: Fix incorrect source address in Record Route option", " - net: bonding: correctly annotate RCU in bond_should_notify_peers()", " - ice: Fix recipe read procedure", " - netfilter: nft_set_pipapo_avx2: disable softinterrupts", " - net: stmmac: Correct byte order of perfect_match", " - net: nexthop: Initialize all fields in dumped nexthops", " - bpf: Fix a segment issue when downgrading gso_size", " - apparmor: Fix null pointer deref when receiving skb during sock creation", " - powerpc: fix a file leak in kvm_vcpu_ioctl_enable_cap()", " - lirc: rc_dev_get_from_fd(): fix file leak", " - auxdisplay: ht16k33: Drop reference after LED registration", " - ASoC: SOF: imx8m: Fix DSP control regmap retrieval", " - spi: microchip-core: fix the issues in the isr", " - spi: microchip-core: defer asserting chip select until just before write to", " TX FIFO", " - spi: microchip-core: only disable SPI controller when register value change", " requires it", " - spi: microchip-core: fix init function not 
setting the master and motorola", " modes", " - spi: microchip-core: ensure TX and RX FIFOs are empty at start of a transfer", " - nvme-pci: Fix the instructions for disabling power management", " - ASoC: sof: amd: fix for firmware reload failure in Vangogh platform", " - spi: spidev: add correct compatible for Rohm BH2228FV", " - ASoC: Intel: use soc_intel_is_byt_cr() only when IOSF_MBI is reachable", " - ASoC: TAS2781: Fix tasdev_load_calibrated_data()", " - ceph: fix incorrect kmalloc size of pagevec mempool", " - s390/pci: Refactor arch_setup_msi_irqs()", " - s390/pci: Allow allocation of more than 1 MSI interrupt", " - s390/cpum_cf: Fix endless loop in CF_DIAG event stop", " - iommu: sprd: Avoid NULL deref in sprd_iommu_hw_en", " - io_uring: fix io_match_task must_hold", " - nvme-pci: add missing condition check for existence of mapped data", " - fs: don't allow non-init s_user_ns for filesystems without FS_USERNS_MOUNT", " - md/raid0: don't free conf on raid0_run failure", " - md/raid1: don't free conf on raid0_run failure", " - io_uring: Fix probe of disabled operations", " - cgroup/cpuset: Optimize isolated partition only generate_sched_domains()", " calls", " - cgroup/cpuset: Fix remote root partition creation problem", " - x86/syscall: Mark exit[_group] syscall handlers __noreturn", " - perf: arm_pmuv3: Avoid assigning fixed cycle counter with threshold", " - md/raid5: recheck if reshape has finished with device_lock held", " - hwmon: (ltc2991) re-order conditions to fix off by one bug", " - arm64: smp: Fix missing IPI statistics", " - arm64: dts: qcom: sc7280: Remove CTS/RTS configuration", " - ARM: dts: qcom: msm8226-microsoft-common: Enable smbb explicitly", " - OPP: Fix missing cleanup on error in _opp_attach_genpd()", " - arm64: dts: qcom: sc8280xp-*: Remove thermal zone polling delays", " - arm64: dts: ti: k3-am62-main: Fix the reg-range for main_pktdma", " - arm64: dts: ti: k3-am62a-main: Fix the reg-range for main_pktdma", " - arm64: dts: ti: 
k3-am62p-main: Fix the reg-range for main_pktdma", " - arm64: dts: ti: k3-am62a7: Drop McASP AFIFOs", " - arm64: dts: ti: k3-am62p5: Drop McASP AFIFOs", " - arm64: dts: ti: k3-am62p5-sk: Fix pinmux for McASP1 TX", " - arm64: dts: qcom: sc7180-trogdor: Disable pwmleds node where unused", " - arm64: dts: mediatek: mt8192: Fix GPU thermal zone name for SVS", " - arm64: dts: mediatek: mt8183-pico6: Fix wake-on-X event node names", " - arm64: dts: renesas: r9a08g045: Add missing hypervisor virtual timer IRQ", " - cpufreq/amd-pstate-ut: Convert nominal_freq to khz during comparisons", " - wifi: mac80211: cancel multi-link reconf work on disconnect", " - wifi: ath11k: refactor setting country code logic", " - wifi: ath11k: restore country code during resume", " - net: ethernet: cortina: Restore TSO support", " - tcp: fix races in tcp_abort()", " - hns3: avoid linking objects into multiple modules", " - sched/core: Move preempt_model_*() helpers from sched.h to preempt.h", " - sched/core: Drop spinlocks on contention iff kernel is preemptible", " - net: dsa: ksz_common: Allow only up to two HSR HW offloaded ports for", " KSZ9477", " - libbpf: Skip base btf sanity checks", " - wifi: mac80211: add ieee80211_tdls_sta_link_id()", " - wifi: iwlwifi: fix iwl_mvm_get_valid_rx_ant()", " - wifi: ath12k: advertise driver capabilities for MBSSID and EMA", " - riscv, bpf: Fix out-of-bounds issue when preparing trampoline image", " - perf/x86/amd/uncore: Avoid PMU registration if counters are unavailable", " - perf/x86/amd/uncore: Fix DF and UMC domain identification", " - NFSD: Fix nfsdcld warning", " - net: page_pool: fix warning code", " - bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG", " - Bluetooth: hci_event: Set QoS encryption from BIGInfo report", " - Bluetooth: hci_core, hci_sync: cleanup struct discovery_state", " - Bluetooth: Fix usage of __hci_cmd_sync_status", " - tcp: Don't access uninit tcp_rsk(req)->ao_keyid in", " tcp_create_openreq_child().", " - drm/panel: 
ilitek-ili9882t: If prepare fails, disable GPIO before regulators", " - drm/panel: ilitek-ili9882t: Check for errors on the NOP in prepare()", " - drm/amd/display: Move 'struct scaler_data' off stack", " - media: i2c: hi846: Fix V4L2_SUBDEV_FORMAT_TRY get_selection()", " - drm/msm/dpu: fix encoder irq wait skip", " - drm/msm/dpu: drop duplicate drm formats from wb2_formats arrays", " - drm/msm/dp: fix runtime_pm handling in dp_wait_hpd_asserted", " - perf maps: Switch from rbtree to lazily sorted array for addresses", " - perf maps: Fix use after free in __maps__fixup_overlap_and_insert", " - drm/bridge: samsung-dsim: Set P divider based on min/max of fin pll", " - drm/i915/psr: Print Panel Replay status instead of frame lock status", " - drm/mediatek: Set DRM mode configs accordingly", " - drm/msm/dsi: set video mode widebus enable bit when widebus is enabled", " - tools/perf: Fix the string match for \"/tmp/perf-$PID.map\" files in dso__load", " - drm/amd/display: Add null check before access structs", " - nfs: pass explicit offset/count to trace events", " - PCI: endpoint: pci-epf-test: Make use of cached 'epc_features' in", " pci_epf_test_core_init()", " - PCI: tegra194: Set EP alignment restriction for inbound ATU", " - riscv: smp: fail booting up smp if inconsistent vlen is detected", " - clk: meson: s4: fix fixed_pll_dco clock", " - clk: meson: s4: fix pwm_j_div parent clock", " - usb: typec-mux: ptn36502: unregister typec switch on probe error and remove", " - mtd: spi-nor: winbond: fix w25q128 regression", " - iommufd/selftest: Fix dirty bitmap tests with u8 bitmaps", " - iommufd/selftest: Fix iommufd_test_dirty() to handle ", "date": "Tue, 26 Nov 2024 13:53:36 +0100" } ], "notes": "linux-headers-6.8.0-51-generic version '6.8.0-51.52.1' (source package linux-riscv version '6.8.0-51.52.1') was added. linux-headers-6.8.0-51-generic version '6.8.0-51.52.1' has the same source package name, linux-riscv, as removed package linux-headers-6.8.0-49-generic. 
As such we can use the source package version of the removed package, '6.8.0-49.49.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-image-6.8.0-51-generic", "from_version": { "source_package_name": "linux-riscv", "source_package_version": "6.8.0-49.49.1", "version": null }, "to_version": { "source_package_name": "linux-riscv", "source_package_version": "6.8.0-51.52.1", "version": "6.8.0-51.52.1" }, "cves": [ { "cve": "CVE-2024-50264", "url": "https://ubuntu.com/security/CVE-2024-50264", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans During loopback communication, a dangling pointer can be created in vsk->trans, potentially leading to a Use-After-Free condition. This issue is resolved by initializing vsk->trans to NULL.", "cve_priority": "high", "cve_public_date": "2024-11-19 02:16:00 UTC" }, { "cve": "CVE-2024-53057", "url": "https://ubuntu.com/security/CVE-2024-53057", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed to be either root or ingress. This assumption is bogus since it's valid to create egress qdiscs with major handle ffff: Budimir Markovic found that for qdiscs like DRR that maintain an active class list, it will cause a UAF with a dangling class pointer. In 066a3b5b2346, the concern was to avoid iterating over the ingress qdisc since its parent is itself. 
The proper fix is to stop when parent TC_H_ROOT is reached because the only way to retrieve ingress is when a hierarchy which does not contain a ffff: major handle call into qdisc_lookup with TC_H_MAJ(TC_H_ROOT). In the scenario where major ffff: is an egress qdisc in any of the tree levels, the updates will also propagate to TC_H_ROOT, which then the iteration must stop. net/sched/sch_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)", "cve_priority": "medium", "cve_public_date": "2024-11-19 18:15:00 UTC" }, { "cve": "CVE-2024-49967", "url": "https://ubuntu.com/security/CVE-2024-49967", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ext4: no need to continue when the number of entries is 1", "cve_priority": "medium", "cve_public_date": "2024-10-21 18:15:00 UTC" }, { "cve": "CVE-2024-46823", "url": "https://ubuntu.com/security/CVE-2024-46823", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: kunit/overflow: Fix UB in overflow_allocation_test The 'device_name' array doesn't exist out of the 'overflow_allocation_test' function scope. However, it is being used as a driver name when calling 'kunit_driver_create' from 'kunit_device_register'. It produces the kernel panic with KASAN enabled. Since this variable is used in one place only, remove it and pass the device name into kunit_device_register directly as an ascii string.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46834", "url": "https://ubuntu.com/security/CVE-2024-46834", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ethtool: fail closed if we can't get max channel used in indirection tables Commit 0d1b7d6c9274 (\"bnxt: fix crashes when reducing ring count with active RSS contexts\") proves that allowing indirection table to contain channels with out of bounds IDs may lead to crashes. 
Currently the max channel check in the core gets skipped if driver can't fetch the indirection table or when we can't allocate memory. Both of those conditions should be extremely rare but if they do happen we should try to be safe and fail the channel change.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46751", "url": "https://ubuntu.com/security/CVE-2024-46751", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: don't BUG_ON() when 0 reference count at btrfs_lookup_extent_info() Instead of doing a BUG_ON() handle the error by returning -EUCLEAN, aborting the transaction and logging an error message.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46753", "url": "https://ubuntu.com/security/CVE-2024-46753", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: handle errors from btrfs_dec_ref() properly In walk_up_proc() we BUG_ON(ret) from btrfs_dec_ref(). This is incorrect, we have proper error handling here, return the error.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46841", "url": "https://ubuntu.com/security/CVE-2024-46841", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: don't BUG_ON on ENOMEM from btrfs_lookup_extent_info() in walk_down_proc() We handle errors here properly, ENOMEM isn't fatal, return the error.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46754", "url": "https://ubuntu.com/security/CVE-2024-46754", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Remove tst_run from lwt_seg6local_prog_ops. The syzbot reported that the lwt_seg6 related BPF ops can be invoked via bpf_test_run() without without entering input_action_end_bpf() first. 
Martin KaFai Lau said that self test for BPF_PROG_TYPE_LWT_SEG6LOCAL probably didn't work since it was introduced in commit 04d4b274e2a (\"ipv6: sr: Add seg6local action End.BPF\"). The reason is that the per-CPU variable seg6_bpf_srh_states::srh is never assigned in the self test case but each BPF function expects it. Remove test_run for BPF_PROG_TYPE_LWT_SEG6LOCAL.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46824", "url": "https://ubuntu.com/security/CVE-2024-46824", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: iommufd: Require drivers to supply the cache_invalidate_user ops If drivers don't do this then iommufd will oops invalidation ioctls with something like: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info: ESR = 0x0000000086000004 EC = 0x21: IABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault user pgtable: 4k pages, 48-bit VAs, pgdp=0000000101059000 [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP Modules linked in: CPU: 2 PID: 371 Comm: qemu-system-aar Not tainted 6.8.0-rc7-gde77230ac23a #9 Hardware name: linux,dummy-virt (DT) pstate: 81400809 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=-c) pc : 0x0 lr : iommufd_hwpt_invalidate+0xa4/0x204 sp : ffff800080f3bcc0 x29: ffff800080f3bcf0 x28: ffff0000c369b300 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000 x23: 0000000000000000 x22: 00000000c1e334a0 x21: ffff0000c1e334a0 x20: ffff800080f3bd38 x19: ffff800080f3bd58 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff8240d6d8 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 x8 : 0000001000000002 x7 : 0000fffeac1ec950 x6 : 0000000000000000 x5 : 
ffff800080f3bd78 x4 : 0000000000000003 x3 : 0000000000000002 x2 : 0000000000000000 x1 : ffff800080f3bcc8 x0 : ffff0000c6034d80 Call trace: 0x0 iommufd_fops_ioctl+0x154/0x274 __arm64_sys_ioctl+0xac/0xf0 invoke_syscall+0x48/0x110 el0_svc_common.constprop.0+0x40/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xb4 el0t_64_sync_handler+0x120/0x12c el0t_64_sync+0x190/0x194 All existing drivers implement this op for nesting, this is mostly a bisection aid.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46842", "url": "https://ubuntu.com/security/CVE-2024-46842", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Handle mailbox timeouts in lpfc_get_sfp_info The MBX_TIMEOUT return code is not handled in lpfc_get_sfp_info and the routine unconditionally frees submitted mailbox commands regardless of return status. The issue is that for MBX_TIMEOUT cases, when firmware returns SFP information at a later time, that same mailbox memory region references previously freed memory in its cmpl routine. Fix by adding checks for the MBX_TIMEOUT return code. During mailbox resource cleanup, check the mbox flag to make sure that the wait did not timeout. If the MBOX_WAKE flag is not set, then do not free the resources because it will be freed when firmware completes the mailbox at a later time in its cmpl routine. Also, increase the timeout from 30 to 60 seconds to accommodate boot scripts requiring longer timeouts.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46766", "url": "https://ubuntu.com/security/CVE-2024-46766", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ice: move netif_queue_set_napi to rtnl-protected sections Currently, netif_queue_set_napi() is called from ice_vsi_rebuild() that is not rtnl-locked when called from the reset. 
This creates the need to take the rtnl_lock just for a single function and complicates the synchronization with .ndo_bpf. At the same time, there no actual need to fill napi-to-queue information at this exact point. Fill napi-to-queue information when opening the VSI and clear it when the VSI is being closed. Those routines are already rtnl-locked. Also, rewrite napi-to-queue assignment in a way that prevents inclusion of XDP queues, as this leads to out-of-bounds writes, such as one below. [ +0.000004] BUG: KASAN: slab-out-of-bounds in netif_queue_set_napi+0x1c2/0x1e0 [ +0.000012] Write of size 8 at addr ffff889881727c80 by task bash/7047 [ +0.000006] CPU: 24 PID: 7047 Comm: bash Not tainted 6.10.0-rc2+ #2 [ +0.000004] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0014.082620210524 08/26/2021 [ +0.000003] Call Trace: [ +0.000003] [ +0.000002] dump_stack_lvl+0x60/0x80 [ +0.000007] print_report+0xce/0x630 [ +0.000007] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ +0.000007] ? __virt_addr_valid+0x1c9/0x2c0 [ +0.000005] ? netif_queue_set_napi+0x1c2/0x1e0 [ +0.000003] kasan_report+0xe9/0x120 [ +0.000004] ? netif_queue_set_napi+0x1c2/0x1e0 [ +0.000004] netif_queue_set_napi+0x1c2/0x1e0 [ +0.000005] ice_vsi_close+0x161/0x670 [ice] [ +0.000114] ice_dis_vsi+0x22f/0x270 [ice] [ +0.000095] ice_pf_dis_all_vsi.constprop.0+0xae/0x1c0 [ice] [ +0.000086] ice_prepare_for_reset+0x299/0x750 [ice] [ +0.000087] pci_dev_save_and_disable+0x82/0xd0 [ +0.000006] pci_reset_function+0x12d/0x230 [ +0.000004] reset_store+0xa0/0x100 [ +0.000006] ? __pfx_reset_store+0x10/0x10 [ +0.000002] ? __pfx_mutex_lock+0x10/0x10 [ +0.000004] ? __check_object_size+0x4c1/0x640 [ +0.000007] kernfs_fop_write_iter+0x30b/0x4a0 [ +0.000006] vfs_write+0x5d6/0xdf0 [ +0.000005] ? fd_install+0x180/0x350 [ +0.000005] ? __pfx_vfs_write+0x10/0xA10 [ +0.000004] ? do_fcntl+0x52c/0xcd0 [ +0.000004] ? kasan_save_track+0x13/0x60 [ +0.000003] ? 
kasan_save_free_info+0x37/0x60 [ +0.000006] ksys_write+0xfa/0x1d0 [ +0.000003] ? __pfx_ksys_write+0x10/0x10 [ +0.000002] ? __x64_sys_fcntl+0x121/0x180 [ +0.000004] ? _raw_spin_lock+0x87/0xe0 [ +0.000005] do_syscall_64+0x80/0x170 [ +0.000007] ? _raw_spin_lock+0x87/0xe0 [ +0.000004] ? __pfx__raw_spin_lock+0x10/0x10 [ +0.000003] ? file_close_fd_locked+0x167/0x230 [ +0.000005] ? syscall_exit_to_user_mode+0x7d/0x220 [ +0.000005] ? do_syscall_64+0x8c/0x170 [ +0.000004] ? do_syscall_64+0x8c/0x170 [ +0.000003] ? do_syscall_64+0x8c/0x170 [ +0.000003] ? fput+0x1a/0x2c0 [ +0.000004] ? filp_close+0x19/0x30 [ +0.000004] ? do_dup2+0x25a/0x4c0 [ +0.000004] ? __x64_sys_dup2+0x6e/0x2e0 [ +0.000002] ? syscall_exit_to_user_mode+0x7d/0x220 [ +0.000004] ? do_syscall_64+0x8c/0x170 [ +0.000003] ? __count_memcg_events+0x113/0x380 [ +0.000005] ? handle_mm_fault+0x136/0x820 [ +0.000005] ? do_user_addr_fault+0x444/0xa80 [ +0.000004] ? clear_bhb_loop+0x25/0x80 [ +0.000004] ? clear_bhb_loop+0x25/0x80 [ +0.000002] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ +0.000005] RIP: 0033:0x7f2033593154", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46772", "url": "https://ubuntu.com/security/CVE-2024-46772", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check denominator crb_pipes before used [WHAT & HOW] A denominator cannot be 0, and is checked before used. 
This fixes 2 DIVIDE_BY_ZERO issues reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46774", "url": "https://ubuntu.com/security/CVE-2024-46774", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() Smatch warns: arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential spectre issue 'args.args' [r] (local cap) The 'nargs' and 'nret' locals come directly from a user-supplied buffer and are used as indexes into a small stack-based array and as inputs to copy_to_user() after they are subject to bounds checks. Use array_index_nospec() after the bounds checks to clamp these values for speculative execution.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46775", "url": "https://ubuntu.com/security/CVE-2024-46775", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Validate function returns [WHAT & HOW] Function return values must be checked before data can be used in subsequent functions. This fixes 4 CHECKED_RETURN issues reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46778", "url": "https://ubuntu.com/security/CVE-2024-46778", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check UnboundedRequestEnabled's value CalculateSwathAndDETConfiguration_params_st's UnboundedRequestEnabled is a pointer (i.e. dml_bool_t *UnboundedRequestEnabled), and thus if (p->UnboundedRequestEnabled) checks its address, not bool value. 
This fixes 1 REVERSE_INULL issue reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46779", "url": "https://ubuntu.com/security/CVE-2024-46779", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/imagination: Free pvr_vm_gpuva after unlink This caused a measurable memory leak. Although the individual allocations are small, the leaks occurs in a high-usage codepath (remapping or unmapping device memory) so they add up quickly.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46792", "url": "https://ubuntu.com/security/CVE-2024-46792", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: riscv: misaligned: Restrict user access to kernel memory raw_copy_{to,from}_user() do not call access_ok(), so this code allowed userspace to access any virtual memory address.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46793", "url": "https://ubuntu.com/security/CVE-2024-46793", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards harder Since commit 13f58267cda3 (\"ASoC: soc.h: don't create dummy Component via COMP_DUMMY()\") dummy codecs declared like this: SND_SOC_DAILINK_DEF(dummy, DAILINK_COMP_ARRAY(COMP_DUMMY())); expand to: static struct snd_soc_dai_link_component dummy[] = { }; Which means that dummy is a zero sized array and thus dais[i].codecs should not be dereferenced *at all* since it points to the address of the next variable stored in the data section as the \"dummy\" variable has an address but no size, so even dereferencing dais[0] is already an out of bounds array reference. 
Which means that the if (dais[i].codecs->name) check added in commit 7d99a70b6595 (\"ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards\") relies on that the part of the next variable which the name member maps to just happens to be NULL. Which apparently so far it usually is, except when it isn't and then it results in crashes like this one: [ 28.795659] BUG: unable to handle page fault for address: 0000000000030011 ... [ 28.795780] Call Trace: [ 28.795787] ... [ 28.795862] ? strcmp+0x18/0x40 [ 28.795872] 0xffffffffc150c605 [ 28.795887] platform_probe+0x40/0xa0 ... [ 28.795979] ? __pfx_init_module+0x10/0x10 [snd_soc_sst_bytcr_wm5102] Really fix things this time around by checking dais.num_codecs != 0.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46735", "url": "https://ubuntu.com/security/CVE-2024-46735", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ublk_drv: fix NULL pointer dereference in ublk_ctrl_start_recovery() When two UBLK_CMD_START_USER_RECOVERY commands are submitted, the first one sets 'ubq->ubq_daemon' to NULL, and the second one triggers WARN in ublk_queue_reinit() and subsequently a NULL pointer dereference issue. Fix it by adding the check in ublk_ctrl_start_recovery() and return immediately in case of zero 'ub->nr_queues_ready'. BUG: kernel NULL pointer dereference, address: 0000000000000028 RIP: 0010:ublk_ctrl_start_recovery.constprop.0+0x82/0x180 Call Trace: ? __die+0x20/0x70 ? page_fault_oops+0x75/0x170 ? exc_page_fault+0x64/0x140 ? asm_exc_page_fault+0x22/0x30 ? ublk_ctrl_start_recovery.constprop.0+0x82/0x180 ublk_ctrl_uring_cmd+0x4f7/0x6c0 ? pick_next_task_idle+0x26/0x40 io_uring_cmd+0x9a/0x1b0 io_issue_sqe+0x193/0x3f0 io_wq_submit_work+0x9b/0x390 io_worker_handle_work+0x165/0x360 io_wq_worker+0xcb/0x2f0 ? finish_task_switch.isra.0+0x203/0x290 ? finish_task_switch.isra.0+0x203/0x290 ? __pfx_io_wq_worker+0x10/0x10 ret_from_fork+0x2d/0x50 ? 
__pfx_io_wq_worker+0x10/0x10 ret_from_fork_asm+0x1a/0x30 ", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46737", "url": "https://ubuntu.com/security/CVE-2024-46737", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix kernel crash if commands allocation fails If the commands allocation fails in nvmet_tcp_alloc_cmds() the kernel crashes in nvmet_tcp_release_queue_work() because of a NULL pointer dereference. nvmet: failed to install queue 0 cntlid 1 ret 6 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 Fix the bug by setting queue->nr_cmds to zero in case nvmet_tcp_alloc_cmd() fails.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46822", "url": "https://ubuntu.com/security/CVE-2024-46822", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry In a review discussion of the changes to support vCPU hotplug where a check was added on the GICC being enabled if was online, it was noted that there is need to map back to the cpu and use that to index into a cpumask. As such, a valid ID is needed. If an MPIDR check fails in acpi_map_gic_cpu_interface() it is possible for the entry in cpu_madt_gicc[cpu] == NULL. This function would then cause a NULL pointer dereference. Whilst a path to trigger this has not been established, harden this caller against the possibility.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46713", "url": "https://ubuntu.com/security/CVE-2024-46713", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: perf/aux: Fix AUX buffer serialization Ole reported that event->mmap_mutex is strictly insufficient to serialize the AUX buffer, add a per RB mutex to fully serialize it. 
Note that in the lock order comment the perf_event::mmap_mutex order was already wrong, that is, it nesting under mmap_lock is not new with this patch.", "cve_priority": "medium", "cve_public_date": "2024-09-13 15:15:00 UTC" }, { "cve": "CVE-2024-46739", "url": "https://ubuntu.com/security/CVE-2024-46739", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind For primary VM Bus channels, primary_channel pointer is always NULL. This pointer is valid only for the secondary channels. Also, rescind callback is meant for primary channels only. Fix NULL pointer dereference by retrieving the device_obj from the parent for the primary channel.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46740", "url": "https://ubuntu.com/security/CVE-2024-46740", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF caused by offsets overwrite Binder objects are processed and copied individually into the target buffer during transactions. Any raw data in-between these objects is copied as well. However, this raw data copy lacks an out-of-bounds check. If the raw data exceeds the data section size then the copy overwrites the offsets section. This eventually triggers an error that attempts to unwind the processed objects. However, at this point the offsets used to index these objects are now corrupted. Unwinding with corrupted offsets can result in decrements of arbitrary nodes and lead to their premature release. Other users of such nodes are left with a dangling pointer triggering a use-after-free. 
This issue is made evident by the following KASAN report (trimmed): ================================================================== BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c Write of size 4 at addr ffff47fc91598f04 by task binder-util/743 CPU: 9 UID: 0 PID: 743 Comm: binder-util Not tainted 6.11.0-rc4 #1 Hardware name: linux,dummy-virt (DT) Call trace: _raw_spin_lock+0xe4/0x19c binder_free_buf+0x128/0x434 binder_thread_write+0x8a4/0x3260 binder_ioctl+0x18f0/0x258c [...] Allocated by task 743: __kmalloc_cache_noprof+0x110/0x270 binder_new_node+0x50/0x700 binder_transaction+0x413c/0x6da8 binder_thread_write+0x978/0x3260 binder_ioctl+0x18f0/0x258c [...] Freed by task 745: kfree+0xbc/0x208 binder_thread_read+0x1c5c/0x37d4 binder_ioctl+0x16d8/0x258c [...] ================================================================== To avoid this issue, let's check that the raw data copy is within the boundaries of the data section.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46741", "url": "https://ubuntu.com/security/CVE-2024-46741", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix double free of 'buf' in error path smatch warning: drivers/misc/fastrpc.c:1926 fastrpc_req_mmap() error: double free of 'buf' In fastrpc_req_mmap() error path, the fastrpc buffer is freed in fastrpc_req_munmap_impl() if unmap is successful. But in the end, there is an unconditional call to fastrpc_buf_free(). So the above case triggers the double free of fastrpc buf.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-47663", "url": "https://ubuntu.com/security/CVE-2024-47663", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: staging: iio: frequency: ad9834: Validate frequency parameter value In ad9834_write_frequency() clk_get_rate() can return 0. 
In such case ad9834_calc_freqreg() call will lead to division by zero. Checking 'if (fout > (clk_freq / 2))' doesn't protect in case of 'fout' is 0. ad9834_write_frequency() is called from ad9834_write(), where fout is taken from text buffer, which can contain any value. Modify parameters checking. Found by Linux Verification Center (linuxtesting.org) with SVACE.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46832", "url": "https://ubuntu.com/security/CVE-2024-46832", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: MIPS: cevt-r4k: Don't call get_c0_compare_int if timer irq is installed This avoids warning: [ 0.118053] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:283 Caused by get_c0_compare_int on secondary CPU. We also skipped saving IRQ number to struct clock_event_device *cd as it's never used by clockevent core, as per comments it's only meant for \"non CPU local devices\".", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-47668", "url": "https://ubuntu.com/security/CVE-2024-47668", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc() If we need to increase the tree depth, allocate a new node, and then race with another thread that increased the tree depth before us, we'll still have a preallocated node that might be used later. 
If we then use that node for a new non-root node, it'll still have a pointer to the old root instead of being zeroed - fix this by zeroing it in the cmpxchg failure path.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46744", "url": "https://ubuntu.com/security/CVE-2024-46744", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Squashfs: sanity check symbolic link size Syzkiller reports a \"KMSAN: uninit-value in pick_link\" bug. This is caused by an uninitialised page, which is ultimately caused by a corrupted symbolic link size read from disk. The reason why the corrupted symlink size causes an uninitialised page is due to the following sequence of events: 1. squashfs_read_inode() is called to read the symbolic link from disk. This assigns the corrupted value 3875536935 to inode->i_size. 2. Later squashfs_symlink_read_folio() is called, which assigns this corrupted value to the length variable, which being a signed int, overflows producing a negative number. 3. The following loop that fills in the page contents checks that the copied bytes is less than length, which being negative means the loop is skipped, producing an uninitialised page. This patch adds a sanity check which checks that the symbolic link size is not larger than expected. -- V2: fix spelling mistake.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46745", "url": "https://ubuntu.com/security/CVE-2024-46745", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Input: uinput - reject requests with unreasonable number of slots When exercising uinput interface syzkaller may try setting up device with a really large number of slots, which causes memory allocation failure in input_mt_init_slots(). While this allocation failure is handled properly and request is rejected, it results in syzkaller reports. 
Additionally, such request may put undue burden on the system which will try to free a lot of memory for a bogus request. Fix it by limiting allowed number of slots to 100. This can easily be extended if we see devices that can track more than 100 contacts.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46746", "url": "https://ubuntu.com/security/CVE-2024-46746", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: HID: amd_sfh: free driver_data after destroying hid device HID driver callbacks aren't called anymore once hid_destroy_device() has been called. Hence, hid driver_data should be freed only after the hid_destroy_device() function returned as driver_data is used in several callbacks. I observed a crash with kernel 6.10.0 on my T14s Gen 3, after enabling KASAN to debug memory allocation, I got this output: [ 13.050438] ================================================================== [ 13.054060] BUG: KASAN: slab-use-after-free in amd_sfh_get_report+0x3ec/0x530 [amd_sfh] [ 13.054809] psmouse serio1: trackpoint: Synaptics TrackPoint firmware: 0x02, buttons: 3/3 [ 13.056432] Read of size 8 at addr ffff88813152f408 by task (udev-worker)/479 [ 13.060970] CPU: 5 PID: 479 Comm: (udev-worker) Not tainted 6.10.0-arch1-2 #1 893bb55d7f0073f25c46adbb49eb3785fefd74b0 [ 13.063978] Hardware name: LENOVO 21CQCTO1WW/21CQCTO1WW, BIOS R22ET70W (1.40 ) 03/21/2024 [ 13.067860] Call Trace: [ 13.069383] input: TPPS/2 Synaptics TrackPoint as /devices/platform/i8042/serio1/input/input8 [ 13.071486] [ 13.071492] dump_stack_lvl+0x5d/0x80 [ 13.074870] snd_hda_intel 0000:33:00.6: enabling device (0000 -> 0002) [ 13.078296] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.082199] print_report+0x174/0x505 [ 13.085776] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 13.089367] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.093255] ? 
amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.097464] kasan_report+0xc8/0x150 [ 13.101461] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.105802] amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.110303] amdtp_hid_request+0xb8/0x110 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.114879] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.119450] sensor_hub_get_feature+0x1d3/0x540 [hid_sensor_hub 3f13be3016ff415bea03008d45d99da837ee3082] [ 13.124097] hid_sensor_parse_common_attributes+0x4d0/0xad0 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5] [ 13.127404] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.131925] ? __pfx_hid_sensor_parse_common_attributes+0x10/0x10 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5] [ 13.136455] ? _raw_spin_lock_irqsave+0x96/0xf0 [ 13.140197] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 13.143602] ? devm_iio_device_alloc+0x34/0x50 [industrialio 3d261d5e5765625d2b052be40e526d62b1d2123b] [ 13.147234] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.150446] ? __devm_add_action+0x167/0x1d0 [ 13.155061] hid_gyro_3d_probe+0x120/0x7f0 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172] [ 13.158581] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.161814] platform_probe+0xa2/0x150 [ 13.165029] really_probe+0x1e3/0x8a0 [ 13.168243] __driver_probe_device+0x18c/0x370 [ 13.171500] driver_probe_device+0x4a/0x120 [ 13.175000] __driver_attach+0x190/0x4a0 [ 13.178521] ? __pfx___driver_attach+0x10/0x10 [ 13.181771] bus_for_each_dev+0x106/0x180 [ 13.185033] ? __pfx__raw_spin_lock+0x10/0x10 [ 13.188229] ? __pfx_bus_for_each_dev+0x10/0x10 [ 13.191446] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.194382] bus_add_driver+0x29e/0x4d0 [ 13.197328] driver_register+0x1a5/0x360 [ 13.200283] ? 
__pfx_hid_gyro_3d_platform_driver_init+0x10/0x10 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172] [ 13.203362] do_one_initcall+0xa7/0x380 [ 13.206432] ? __pfx_do_one_initcall+0x10/0x10 [ 13.210175] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.213211] ? kasan_unpoison+0x44/0x70 [ 13.216688] do_init_module+0x238/0x750 [ 13.2196 ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-47664", "url": "https://ubuntu.com/security/CVE-2024-47664", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: spi: hisi-kunpeng: Add verification for the max_frequency provided by the firmware If the value of max_speed_hz is 0, it may cause a division by zero error in hisi_calc_effective_speed(). The value of max_speed_hz is provided by firmware. Firmware is generally considered as a trusted domain. However, as division by zero errors can cause system failure, for defense measure, the value of max_speed is validated here. So 0 is regarded as invalid and an error code is returned.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-47665", "url": "https://ubuntu.com/security/CVE-2024-47665", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Error out instead on BUG_ON() in IBI DMA setup Definitely condition dma_get_cache_alignment * defined value > 256 during driver initialization is not reason to BUG_ON(). 
Turn that to graceful error out with -EINVAL.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46749", "url": "https://ubuntu.com/security/CVE-2024-46749", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btnxpuart: Fix Null pointer dereference in btnxpuart_flush() This adds a check before freeing the rx->skb in flush and close functions to handle the kernel crash seen while removing driver after FW download fails or before FW download completes. dmesg log: [ 54.634586] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000080 [ 54.643398] Mem abort info: [ 54.646204] ESR = 0x0000000096000004 [ 54.649964] EC = 0x25: DABT (current EL), IL = 32 bits [ 54.655286] SET = 0, FnV = 0 [ 54.658348] EA = 0, S1PTW = 0 [ 54.661498] FSC = 0x04: level 0 translation fault [ 54.666391] Data abort info: [ 54.669273] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 54.674768] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 54.674771] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 54.674775] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000048860000 [ 54.674780] [0000000000000080] pgd=0000000000000000, p4d=0000000000000000 [ 54.703880] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 54.710152] Modules linked in: btnxpuart(-) overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce polyval_generic snd_soc_imx_spdif snd_soc_imx_card snd_soc_ak5558 snd_soc_ak4458 caam secvio error snd_soc_fsl_micfil snd_soc_fsl_spdif snd_soc_fsl_sai snd_soc_fsl_utils imx_pcm_dma gpio_ir_recv rc_core sch_fq_codel fuse [ 54.744357] CPU: 3 PID: 72 Comm: kworker/u9:0 Not tainted 6.6.3-otbr-g128004619037 #2 [ 54.744364] Hardware name: FSL i.MX8MM EVK board (DT) [ 54.744368] Workqueue: hci0 hci_power_on [ 54.757244] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 54.757249] pc : kfree_skb_reason+0x18/0xb0 
[ 54.772299] lr : btnxpuart_flush+0x40/0x58 [btnxpuart] [ 54.782921] sp : ffff8000805ebca0 [ 54.782923] x29: ffff8000805ebca0 x28: ffffa5c6cf1869c0 x27: ffffa5c6cf186000 [ 54.782931] x26: ffff377b84852400 x25: ffff377b848523c0 x24: ffff377b845e7230 [ 54.782938] x23: ffffa5c6ce8dbe08 x22: ffffa5c6ceb65410 x21: 00000000ffffff92 [ 54.782945] x20: ffffa5c6ce8dbe98 x19: ffffffffffffffac x18: ffffffffffffffff [ 54.807651] x17: 0000000000000000 x16: ffffa5c6ce2824ec x15: ffff8001005eb857 [ 54.821917] x14: 0000000000000000 x13: ffffa5c6cf1a02e0 x12: 0000000000000642 [ 54.821924] x11: 0000000000000040 x10: ffffa5c6cf19d690 x9 : ffffa5c6cf19d688 [ 54.821931] x8 : ffff377b86000028 x7 : 0000000000000000 x6 : 0000000000000000 [ 54.821938] x5 : ffff377b86000000 x4 : 0000000000000000 x3 : 0000000000000000 [ 54.843331] x2 : 0000000000000000 x1 : 0000000000000002 x0 : ffffffffffffffac [ 54.857599] Call trace: [ 54.857601] kfree_skb_reason+0x18/0xb0 [ 54.863878] btnxpuart_flush+0x40/0x58 [btnxpuart] [ 54.863888] hci_dev_open_sync+0x3a8/0xa04 [ 54.872773] hci_power_on+0x54/0x2e4 [ 54.881832] process_one_work+0x138/0x260 [ 54.881842] worker_thread+0x32c/0x438 [ 54.881847] kthread+0x118/0x11c [ 54.881853] ret_from_fork+0x10/0x20 [ 54.896406] Code: a9be7bfd 910003fd f9000bf3 aa0003f3 (b940d400) [ 54.896410] ---[ end trace 0000000000000000 ]---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46750", "url": "https://ubuntu.com/security/CVE-2024-46750", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: PCI: Add missing bridge lock to pci_bus_lock() One of the true positives that the cfg_access_lock lockdep effort identified is this sequence: WARNING: CPU: 14 PID: 1 at drivers/pci/pci.c:4886 pci_bridge_secondary_bus_reset+0x5d/0x70 RIP: 0010:pci_bridge_secondary_bus_reset+0x5d/0x70 Call Trace: ? __warn+0x8c/0x190 ? pci_bridge_secondary_bus_reset+0x5d/0x70 ? report_bug+0x1f8/0x200 ? handle_bug+0x3c/0x70 ? 
exc_invalid_op+0x18/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? pci_bridge_secondary_bus_reset+0x5d/0x70 pci_reset_bus+0x1d8/0x270 vmd_probe+0x778/0xa10 pci_device_probe+0x95/0x120 Where pci_reset_bus() users are triggering unlocked secondary bus resets. Ironically pci_bus_reset(), several calls down from pci_reset_bus(), uses pci_bus_lock() before issuing the reset which locks everything *but* the bridge itself. For the same motivation as adding: bridge = pci_upstream_bridge(dev); if (bridge) pci_dev_lock(bridge); to pci_reset_function() for the \"bus\" and \"cxl_bus\" reset cases, add pci_dev_lock() for @bus->self to pci_bus_lock(). [bhelgaas: squash in recursive locking deadlock fix from Keith Busch: https://lore.kernel.org/r/20240711193650.701834-1-kbusch@meta.com]", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46752", "url": "https://ubuntu.com/security/CVE-2024-46752", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: replace BUG_ON() with error handling at update_ref_for_cow() Instead of a BUG_ON() just return an error, log an error message and abort the transaction in case we find an extent buffer belonging to the relocation tree that doesn't have the full backref flag set. This is unexpected and should never happen (save for bugs or a potential bad memory).", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46840", "url": "https://ubuntu.com/security/CVE-2024-46840", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: clean up our handling of refs == 0 in snapshot delete In reada we BUG_ON(refs == 0), which could be unkind since we aren't holding a lock on the extent leaf and thus could get a transient incorrect answer. In walk_down_proc we also BUG_ON(refs == 0), which could happen if we have extent tree corruption. Change that to return -EUCLEAN. 
In do_walk_down() we catch this case and handle it correctly, however we return -EIO, which -EUCLEAN is a more appropriate error code. Finally in walk_up_proc we have the same BUG_ON(refs == 0), so convert that to proper error handling. Also adjust the error message so we can actually do something with the information.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46755", "url": "https://ubuntu.com/security/CVE-2024-46755", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id() mwifiex_get_priv_by_id() returns the priv pointer corresponding to the bss_num and bss_type, but without checking if the priv is actually currently in use. Unused priv pointers do not have a wiphy attached to them which can lead to NULL pointer dereferences further down the callstack. Fix this by returning only used priv pointers which have priv->bss_mode set to something else than NL80211_IFTYPE_UNSPECIFIED. 
Said NULL pointer dereference happened when an Accesspoint was started with wpa_supplicant -i mlan0 with this config: network={ ssid=\"somessid\" mode=2 frequency=2412 key_mgmt=WPA-PSK WPA-PSK-SHA256 proto=RSN group=CCMP pairwise=CCMP psk=\"12345678\" } When waiting for the AP to be established, interrupting wpa_supplicant with and starting it again this happens: | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000140 | Mem abort info: | ESR = 0x0000000096000004 | EC = 0x25: DABT (current EL), IL = 32 bits | SET = 0, FnV = 0 | EA = 0, S1PTW = 0 | FSC = 0x04: level 0 translation fault | Data abort info: | ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 | CM = 0, WnR = 0, TnD = 0, TagAccess = 0 | GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000046d96000 | [0000000000000140] pgd=0000000000000000, p4d=0000000000000000 | Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP | Modules linked in: caam_jr caamhash_desc spidev caamalg_desc crypto_engine authenc libdes mwifiex_sdio +mwifiex crct10dif_ce cdc_acm onboard_usb_hub fsl_imx8_ddr_perf imx8m_ddrc rtc_ds1307 lm75 rtc_snvs +imx_sdma caam imx8mm_thermal spi_imx error imx_cpufreq_dt fuse ip_tables x_tables ipv6 | CPU: 0 PID: 8 Comm: kworker/0:1 Not tainted 6.9.0-00007-g937242013fce-dirty #18 | Hardware name: somemachine (DT) | Workqueue: events sdio_irq_work | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) | pc : mwifiex_get_cfp+0xd8/0x15c [mwifiex] | lr : mwifiex_get_cfp+0x34/0x15c [mwifiex] | sp : ffff8000818b3a70 | x29: ffff8000818b3a70 x28: ffff000006bfd8a5 x27: 0000000000000004 | x26: 000000000000002c x25: 0000000000001511 x24: 0000000002e86bc9 | x23: ffff000006bfd996 x22: 0000000000000004 x21: ffff000007bec000 | x20: 000000000000002c x19: 0000000000000000 x18: 0000000000000000 | x17: 000000040044ffff x16: 00500072b5503510 x15: ccc283740681e517 | x14: 0201000101006d15 x13: 0000000002e8ff43 x12: 002c01000000ffb1 | x11: 
0100000000000000 x10: 02e8ff43002c0100 x9 : 0000ffb100100157 | x8 : ffff000003d20000 x7 : 00000000000002f1 x6 : 00000000ffffe124 | x5 : 0000000000000001 x4 : 0000000000000003 x3 : 0000000000000000 | x2 : 0000000000000000 x1 : 0001000000011001 x0 : 0000000000000000 | Call trace: | mwifiex_get_cfp+0xd8/0x15c [mwifiex] | mwifiex_parse_single_response_buf+0x1d0/0x504 [mwifiex] | mwifiex_handle_event_ext_scan_report+0x19c/0x2f8 [mwifiex] | mwifiex_process_sta_event+0x298/0xf0c [mwifiex] | mwifiex_process_event+0x110/0x238 [mwifiex] | mwifiex_main_process+0x428/0xa44 [mwifiex] | mwifiex_sdio_interrupt+0x64/0x12c [mwifiex_sdio] | process_sdio_pending_irqs+0x64/0x1b8 | sdio_irq_work+0x4c/0x7c | process_one_work+0x148/0x2a0 | worker_thread+0x2fc/0x40c | kthread+0x110/0x114 | ret_from_fork+0x10/0x20 | Code: a94153f3 a8c37bfd d50323bf d65f03c0 (f940a000) | ---[ end trace 0000000000000000 ]---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-47666", "url": "https://ubuntu.com/security/CVE-2024-47666", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: pm80xx: Set phy->enable_completion only when we wait for it pm8001_phy_control() populates the enable_completion pointer with a stack address, sends a PHY_LINK_RESET / PHY_HARD_RESET, waits 300 ms, and returns. The problem arises when a phy control response comes late. After 300 ms the pm8001_phy_control() function returns and the passed enable_completion stack address is no longer valid. 
Late phy control response invokes complete() on a dangling enable_completion pointer which leads to a kernel crash.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46843", "url": "https://ubuntu.com/security/CVE-2024-46843", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Remove SCSI host only if added If host tries to remove ufshcd driver from a UFS device it would cause a kernel panic if ufshcd_async_scan fails during ufshcd_probe_hba before adding a SCSI host with scsi_add_host and MCQ is enabled since SCSI host has been defered after MCQ configuration introduced by commit 0cab4023ec7b (\"scsi: ufs: core: Defer adding host to SCSI if MCQ is supported\"). To guarantee that SCSI host is removed only if it has been added, set the scsi_host_added flag to true after adding a SCSI host and check whether it is set or not before removing it.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46760", "url": "https://ubuntu.com/security/CVE-2024-46760", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: usb: schedule rx work after everything is set up Right now it's possible to hit NULL pointer dereference in rtw_rx_fill_rx_status on hw object and/or its fields because initialization routine can start getting USB replies before rtw_dev is fully setup. The stack trace looks like this: rtw_rx_fill_rx_status rtw8821c_query_rx_desc rtw_usb_rx_handler ... queue_work rtw_usb_read_port_complete ... usb_submit_urb rtw_usb_rx_resubmit rtw_usb_init_rx rtw_usb_probe So while we do the async stuff rtw_usb_probe continues and calls rtw_register_hw, which does all kinds of initialization (e.g. via ieee80211_register_hw) that rtw_rx_fill_rx_status relies on. Fix this by moving the first usb_submit_urb after everything is set up. 
For me, this bug manifested as: [ 8.893177] rtw_8821cu 1-1:1.2: band wrong, packet dropped [ 8.910904] rtw_8821cu 1-1:1.2: hw->conf.chandef.chan NULL in rtw_rx_fill_rx_status because I'm using Larry's backport of rtw88 driver with the NULL checks in rtw_rx_fill_rx_status.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46761", "url": "https://ubuntu.com/security/CVE-2024-46761", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv The hotplug driver for powerpc (pci/hotplug/pnv_php.c) causes a kernel crash when we try to hot-unplug/disable the PCIe switch/bridge from the PHB. The crash occurs because although the MSI data structure has been released during disable/hot-unplug path and it has been assigned with NULL, still during unregistration the code was again trying to explicitly disable the MSI which causes the NULL pointer dereference and kernel crash. 
The patch fixes the check during unregistration path to prevent invoking pci_disable_msi/msix() since its data structure is already freed.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46844", "url": "https://ubuntu.com/security/CVE-2024-46844", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: um: line: always fill *error_out in setup_one_line() The pointer isn't initialized by callers, but I have encountered cases where it's still printed; initialize it in all possible cases in setup_one_line().", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46762", "url": "https://ubuntu.com/security/CVE-2024-46762", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xen: privcmd: Fix possible access to a freed kirqfd instance Nothing prevents simultaneous ioctl calls to privcmd_irqfd_assign() and privcmd_irqfd_deassign(). If that happens, it is possible that a kirqfd created and added to the irqfds_list by privcmd_irqfd_assign() may get removed by another thread executing privcmd_irqfd_deassign(), while the former is still using it after dropping the locks. This can lead to a situation where an already freed kirqfd instance may be accessed and cause kernel oops. Use SRCU locking to prevent the same, as is done for the KVM implementation for irqfds.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46763", "url": "https://ubuntu.com/security/CVE-2024-46763", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fou: Fix null-ptr-deref in GRO. We observed a null-ptr-deref in fou_gro_receive() while shutting down a host. [0] The NULL pointer is sk->sk_user_data, and the offset 8 is of protocol in struct fou. 
When fou_release() is called due to netns dismantle or explicit tunnel teardown, udp_tunnel_sock_release() sets NULL to sk->sk_user_data. Then, the tunnel socket is destroyed after a single RCU grace period. So, in-flight udp4_gro_receive() could find the socket and execute the FOU GRO handler, where sk->sk_user_data could be NULL. Let's use rcu_dereference_sk_user_data() in fou_from_sock() and add NULL checks in FOU GRO handlers. [0]: BUG: kernel NULL pointer dereference, address: 0000000000000008 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 80000001032f4067 P4D 80000001032f4067 PUD 103240067 PMD 0 SMP PTI CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.216-204.855.amzn2.x86_64 #1 Hardware name: Amazon EC2 c5.large/, BIOS 1.0 10/16/2017 RIP: 0010:fou_gro_receive (net/ipv4/fou.c:233) [fou] Code: 41 5f c3 cc cc cc cc e8 e7 2e 69 f4 0f 1f 80 00 00 00 00 0f 1f 44 00 00 49 89 f8 41 54 48 89 f7 48 89 d6 49 8b 80 88 02 00 00 <0f> b6 48 08 0f b7 42 4a 66 25 fd fd 80 cc 02 66 89 42 4a 0f b6 42 RSP: 0018:ffffa330c0003d08 EFLAGS: 00010297 RAX: 0000000000000000 RBX: ffff93d9e3a6b900 RCX: 0000000000000010 RDX: ffff93d9e3a6b900 RSI: ffff93d9e3a6b900 RDI: ffff93dac2e24d08 RBP: ffff93d9e3a6b900 R08: ffff93dacbce6400 R09: 0000000000000002 R10: 0000000000000000 R11: ffffffffb5f369b0 R12: ffff93dacbce6400 R13: ffff93dac2e24d08 R14: 0000000000000000 R15: ffffffffb4edd1c0 FS: 0000000000000000(0000) GS:ffff93daee800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 0000000102140001 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259) ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420) ? no_context (arch/x86/mm/fault.c:752) ? 
exc_page_fault (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 arch/x86/mm/fault.c:1435 arch/x86/mm/fault.c:1483) ? asm_exc_page_fault (arch/x86/include/asm/idtentry.h:571) ? fou_gro_receive (net/ipv4/fou.c:233) [fou] udp_gro_receive (include/linux/netdevice.h:2552 net/ipv4/udp_offload.c:559) udp4_gro_receive (net/ipv4/udp_offload.c:604) inet_gro_receive (net/ipv4/af_inet.c:1549 (discriminator 7)) dev_gro_receive (net/core/dev.c:6035 (discriminator 4)) napi_gro_receive (net/core/dev.c:6170) ena_clean_rx_irq (drivers/amazon/net/ena/ena_netdev.c:1558) [ena] ena_io_poll (drivers/amazon/net/ena/ena_netdev.c:1742) [ena] napi_poll (net/core/dev.c:6847) net_rx_action (net/core/dev.c:6917) __do_softirq (arch/x86/include/asm/jump_label.h:25 include/linux/jump_label.h:200 include/trace/events/irq.h:142 kernel/softirq.c:299) asm_call_irq_on_stack (arch/x86/entry/entry_64.S:809) do_softirq_own_stack (arch/x86/include/asm/irq_stack.h:27 arch/x86/include/asm/irq_stack.h:77 arch/x86/kernel/irq_64.c:77) irq_exit_rcu (kernel/softirq.c:393 kernel/softirq.c:423 kernel/softirq.c:435) common_interrupt (arch/x86/kernel/irq.c:239) asm_common_interrupt (arch/x86/include/asm/idtentry.h:626) RIP: 0010:acpi_idle_do_entry (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 drivers/acpi/processor_idle.c:114 drivers/acpi/processor_idle.c:575) Code: 8b 15 d1 3c c4 02 ed c3 cc cc cc cc 65 48 8b 04 25 40 ef 01 00 48 8b 00 a8 08 75 eb 0f 1f 44 00 00 0f 00 2d d5 09 55 00 fb f4 c3 cc cc cc cc e9 be fc ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 RSP: 0018:ffffffffb5603e58 EFLAGS: 00000246 RAX: 0000000000004000 RBX: ffff93dac0929c00 RCX: ffff93daee833900 RDX: ffff93daee800000 RSI: ffff93d ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46765", "url": "https://ubuntu.com/security/CVE-2024-46765", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ice: protect XDP 
configuration with a mutex The main threat to data consistency in ice_xdp() is a possible asynchronous PF reset. It can be triggered by a user or by TX timeout handler. XDP setup and PF reset code access the same resources in the following sections: * ice_vsi_close() in ice_prepare_for_reset() - already rtnl-locked * ice_vsi_rebuild() for the PF VSI - not protected * ice_vsi_open() - already rtnl-locked With an unfortunate timing, such accesses can result in a crash such as the one below: [ +1.999878] ice 0000:b1:00.0: Registered XDP mem model MEM_TYPE_XSK_BUFF_POOL on Rx ring 14 [ +2.002992] ice 0000:b1:00.0: Registered XDP mem model MEM_TYPE_XSK_BUFF_POOL on Rx ring 18 [Mar15 18:17] ice 0000:b1:00.0 ens801f0np0: NETDEV WATCHDOG: CPU: 38: transmit queue 14 timed out 80692736 ms [ +0.000093] ice 0000:b1:00.0 ens801f0np0: tx_timeout: VSI_num: 6, Q 14, NTC: 0x0, HW_HEAD: 0x0, NTU: 0x0, INT: 0x4000001 [ +0.000012] ice 0000:b1:00.0 ens801f0np0: tx_timeout recovery level 1, txqueue 14 [ +0.394718] ice 0000:b1:00.0: PTP reset successful [ +0.006184] BUG: kernel NULL pointer dereference, address: 0000000000000098 [ +0.000045] #PF: supervisor read access in kernel mode [ +0.000023] #PF: error_code(0x0000) - not-present page [ +0.000023] PGD 0 P4D 0 [ +0.000018] Oops: 0000 [#1] PREEMPT SMP NOPTI [ +0.000023] CPU: 38 PID: 7540 Comm: kworker/38:1 Not tainted 6.8.0-rc7 #1 [ +0.000031] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0014.082620210524 08/26/2021 [ +0.000036] Workqueue: ice ice_service_task [ice] [ +0.000183] RIP: 0010:ice_clean_tx_ring+0xa/0xd0 [ice] [...] [ +0.000013] Call Trace: [ +0.000016] [ +0.000014] ? __die+0x1f/0x70 [ +0.000029] ? page_fault_oops+0x171/0x4f0 [ +0.000029] ? schedule+0x3b/0xd0 [ +0.000027] ? exc_page_fault+0x7b/0x180 [ +0.000022] ? asm_exc_page_fault+0x22/0x30 [ +0.000031] ? 
ice_clean_tx_ring+0xa/0xd0 [ice] [ +0.000194] ice_free_tx_ring+0xe/0x60 [ice] [ +0.000186] ice_destroy_xdp_rings+0x157/0x310 [ice] [ +0.000151] ice_vsi_decfg+0x53/0xe0 [ice] [ +0.000180] ice_vsi_rebuild+0x239/0x540 [ice] [ +0.000186] ice_vsi_rebuild_by_type+0x76/0x180 [ice] [ +0.000145] ice_rebuild+0x18c/0x840 [ice] [ +0.000145] ? delay_tsc+0x4a/0xc0 [ +0.000022] ? delay_tsc+0x92/0xc0 [ +0.000020] ice_do_reset+0x140/0x180 [ice] [ +0.000886] ice_service_task+0x404/0x1030 [ice] [ +0.000824] process_one_work+0x171/0x340 [ +0.000685] worker_thread+0x277/0x3a0 [ +0.000675] ? preempt_count_add+0x6a/0xa0 [ +0.000677] ? _raw_spin_lock_irqsave+0x23/0x50 [ +0.000679] ? __pfx_worker_thread+0x10/0x10 [ +0.000653] kthread+0xf0/0x120 [ +0.000635] ? __pfx_kthread+0x10/0x10 [ +0.000616] ret_from_fork+0x2d/0x50 [ +0.000612] ? __pfx_kthread+0x10/0x10 [ +0.000604] ret_from_fork_asm+0x1b/0x30 [ +0.000604] The previous way of handling this through returning -EBUSY is not viable, particularly when destroying AF_XDP socket, because the kernel proceeds with removal anyway. There is plenty of code between those calls and there is no need to create a large critical section that covers all of them, same as there is no need to protect ice_vsi_rebuild() with rtnl_lock(). Add xdp_state_lock mutex to protect ice_vsi_rebuild() and ice_xdp(). Leaving unprotected sections in between would result in two states that have to be considered: 1. when the VSI is closed, but not yet rebuild 2. when VSI is already rebuild, but not yet open The latter case is actually already handled through !netif_running() case, we just need to adjust flag checking a little. The former one is not as trivial, because between ice_vsi_close() and ice_vsi_rebuild(), a lot of hardware interaction happens, this can make adding/deleting rings exit with an error. Luckily, VSI rebuild is pending and can apply new configuration for us in a managed fashion. 
Therefore, add an additional VSI state flag ICE_VSI_REBUILD_PENDING to indicate that ice_x ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46767", "url": "https://ubuntu.com/security/CVE-2024-46767", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: phy: Fix missing of_node_put() for leds The call of of_get_child_by_name() will cause refcount incremented for leds, if it succeeds, it should call of_node_put() to decrease it, fix it.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46768", "url": "https://ubuntu.com/security/CVE-2024-46768", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (hp-wmi-sensors) Check if WMI event data exists The BIOS can choose to return no event data in response to a WMI event, so the ACPI object passed to the WMI notify handler can be NULL. Check for such a situation and ignore the event in such a case.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46770", "url": "https://ubuntu.com/security/CVE-2024-46770", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ice: Add netif_device_attach/detach into PF reset flow Ethtool callbacks can be executed while reset is in progress and try to access deleted resources, e.g. getting coalesce settings can result in a NULL pointer dereference seen below. 
Reproduction steps: Once the driver is fully initialized, trigger reset: \t# echo 1 > /sys/class/net//device/reset when reset is in progress try to get coalesce settings using ethtool: \t# ethtool -c BUG: kernel NULL pointer dereference, address: 0000000000000020 PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP PTI CPU: 11 PID: 19713 Comm: ethtool Tainted: G S 6.10.0-rc7+ #7 RIP: 0010:ice_get_q_coalesce+0x2e/0xa0 [ice] RSP: 0018:ffffbab1e9bcf6a8 EFLAGS: 00010206 RAX: 000000000000000c RBX: ffff94512305b028 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff9451c3f2e588 RDI: ffff9451c3f2e588 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: ffff9451c3f2e580 R11: 000000000000001f R12: ffff945121fa9000 R13: ffffbab1e9bcf760 R14: 0000000000000013 R15: ffffffff9e65dd40 FS: 00007faee5fbe740(0000) GS:ffff94546fd80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000020 CR3: 0000000106c2e005 CR4: 00000000001706f0 Call Trace: ice_get_coalesce+0x17/0x30 [ice] coalesce_prepare_data+0x61/0x80 ethnl_default_doit+0xde/0x340 genl_family_rcv_msg_doit+0xf2/0x150 genl_rcv_msg+0x1b3/0x2c0 netlink_rcv_skb+0x5b/0x110 genl_rcv+0x28/0x40 netlink_unicast+0x19c/0x290 netlink_sendmsg+0x222/0x490 __sys_sendto+0x1df/0x1f0 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x82/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7faee60d8e27 Calling netif_device_detach() before reset makes the net core not call the driver when ethtool command is issued, the attempt to execute an ethtool command during reset will result in the following message: netlink error: No such device instead of NULL pointer dereference. 
Once reset is done and ice_rebuild() is executing, the netif_device_attach() is called to allow for ethtool operations to occur again in a safe manner.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46771", "url": "https://ubuntu.com/security/CVE-2024-46771", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: can: bcm: Remove proc entry when dev is unregistered. syzkaller reported a warning in bcm_connect() below. [0] The repro calls connect() to vxcan1, removes vxcan1, and calls connect() with ifindex == 0. Calling connect() for a BCM socket allocates a proc entry. Then, bcm_sk(sk)->bound is set to 1 to prevent further connect(). However, removing the bound device resets bcm_sk(sk)->bound to 0 in bcm_notify(). The 2nd connect() tries to allocate a proc entry with the same name and sets NULL to bcm_sk(sk)->bcm_proc_read, leaking the original proc entry. Since the proc entry is available only for connect()ed sockets, let's clean up the entry when the bound netdev is unregistered. 
[0]: proc_dir_entry 'can-bcm/2456' already registered WARNING: CPU: 1 PID: 394 at fs/proc/generic.c:376 proc_register+0x645/0x8f0 fs/proc/generic.c:375 Modules linked in: CPU: 1 PID: 394 Comm: syz-executor403 Not tainted 6.10.0-rc7-g852e42cc2dd4 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:proc_register+0x645/0x8f0 fs/proc/generic.c:375 Code: 00 00 00 00 00 48 85 ed 0f 85 97 02 00 00 4d 85 f6 0f 85 9f 02 00 00 48 c7 c7 9b cb cf 87 48 89 de 4c 89 fa e8 1c 6f eb fe 90 <0f> 0b 90 90 48 c7 c7 98 37 99 89 e8 cb 7e 22 05 bb 00 00 00 10 48 RSP: 0018:ffa0000000cd7c30 EFLAGS: 00010246 RAX: 9e129be1950f0200 RBX: ff1100011b51582c RCX: ff1100011857cd80 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002 RBP: 0000000000000000 R08: ffd400000000000f R09: ff1100013e78cac0 R10: ffac800000cd7980 R11: ff1100013e12b1f0 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: ff1100011a99a2ec FS: 00007fbd7086f740(0000) GS:ff1100013fd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000200071c0 CR3: 0000000118556004 CR4: 0000000000771ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: proc_create_net_single+0x144/0x210 fs/proc/proc_net.c:220 bcm_connect+0x472/0x840 net/can/bcm.c:1673 __sys_connect_file net/socket.c:2049 [inline] __sys_connect+0x5d2/0x690 net/socket.c:2066 __do_sys_connect net/socket.c:2076 [inline] __se_sys_connect net/socket.c:2073 [inline] __x64_sys_connect+0x8f/0x100 net/socket.c:2073 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd9/0x1c0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7fbd708b0e5d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 
48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48 RSP: 002b:00007fff8cd33f08 EFLAGS: 00000246 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fbd708b0e5d RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000040 R09: 0000000000000040 R10: 0000000000000040 R11: 0000000000000246 R12: 00007fff8cd34098 R13: 0000000000401280 R14: 0000000000406de8 R15: 00007fbd70ab9000 remove_proc_entry: removing non-empty directory 'net/can-bcm', leaking at least '2456'", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46773", "url": "https://ubuntu.com/security/CVE-2024-46773", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check denominator pbn_div before used [WHAT & HOW] A denominator cannot be 0, and is checked before used. This fixes 1 DIVIDE_BY_ZERO issue reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-47667", "url": "https://ubuntu.com/security/CVE-2024-47667", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0) Errata #i2037 in AM65x/DRA80xM Processors Silicon Revision 1.0 (SPRZ452D_July 2018_Revised December 2019 [1]) mentions when an inbound PCIe TLP spans more than two internal AXI 128-byte bursts, the bus may corrupt the packet payload and the corrupt data may cause associated applications or the processor to hang. The workaround for Errata #i2037 is to limit the maximum read request size and maximum payload size to 128 bytes. Add workaround for Errata #i2037 here. The errata and workaround is applicable only to AM65x SR 1.0 and later versions of the silicon will have this fixed. 
[1] -> https://www.ti.com/lit/er/sprz452i/sprz452i.pdf", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46835", "url": "https://ubuntu.com/security/CVE-2024-46835", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix smatch static checker warning adev->gfx.imu.funcs could be NULL", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46776", "url": "https://ubuntu.com/security/CVE-2024-46776", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Run DC_LOG_DC after checking link->link_enc [WHAT] The DC_LOG_DC should be run after link->link_enc is checked, not before. This fixes 1 REVERSE_INULL issue reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46836", "url": "https://ubuntu.com/security/CVE-2024-46836", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: usb: gadget: aspeed_udc: validate endpoint index for ast udc We should verify the bound of the array to assure that host may not manipulate the index to point past endpoint array. Found by static analysis.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46777", "url": "https://ubuntu.com/security/CVE-2024-46777", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: udf: Avoid excessive partition lengths Avoid mounting filesystems where the partition would overflow the 32-bits used for block number. 
Also refuse to mount filesystems where the partition length is so large we cannot safely index bits in a block bitmap.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46825", "url": "https://ubuntu.com/security/CVE-2024-46825", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: use IWL_FW_CHECK for link ID check The lookup function iwl_mvm_rcu_fw_link_id_to_link_conf() is normally called with input from the firmware, so it should use IWL_FW_CHECK() instead of WARN_ON().", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46826", "url": "https://ubuntu.com/security/CVE-2024-46826", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ELF: fix kernel.randomize_va_space double read ELF loader uses \"randomize_va_space\" twice. It is sysctl and can change at any moment, so 2 loads could see 2 different values in theory with unpredictable consequences. Issue exactly one load for consistent value across one exec.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46827", "url": "https://ubuntu.com/security/CVE-2024-46827", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix firmware crash due to invalid peer nss Currently, if the access point receives an association request containing an Extended HE Capabilities Information Element with an invalid MCS-NSS, it triggers a firmware crash. This issue arises when EHT-PHY capabilities shows support for a bandwidth and MCS-NSS set for that particular bandwidth is filled by zeros and due to this, driver obtains peer_nss as 0 and sending this value to firmware causes crash. Address this issue by implementing a validation step for the peer_nss value before passing it to the firmware. 
If the value is greater than zero, proceed with forwarding it to the firmware. However, if the value is invalid, reject the association request to prevent potential firmware crashes. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-47669", "url": "https://ubuntu.com/security/CVE-2024-47669", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix state management in error path of log writing function After commit a694291a6211 (\"nilfs2: separate wait function from nilfs_segctor_write\") was applied, the log writing function nilfs_segctor_do_construct() was able to issue I/O requests continuously even if user data blocks were split into multiple logs across segments, but two potential flaws were introduced in its error handling. First, if nilfs_segctor_begin_construction() fails while creating the second or subsequent logs, the log writing function returns without calling nilfs_segctor_abort_construction(), so the writeback flag set on pages/folios will remain uncleared. This causes page cache operations to hang waiting for the writeback flag. For example, truncate_inode_pages_final(), which is called via nilfs_evict_inode() when an inode is evicted from memory, will hang. Second, the NILFS_I_COLLECTED flag set on normal inodes remain uncleared. As a result, if the next log write involves checkpoint creation, that's fine, but if a partial log write is performed that does not, inodes with NILFS_I_COLLECTED set are erroneously removed from the \"sc_dirty_files\" list, and their data and b-tree blocks may not be written to the device, corrupting the block mapping. 
Fix these issues by uniformly calling nilfs_segctor_abort_construction() on failure of each step in the loop in nilfs_segctor_do_construct(), having it clean up logs and segment usages according to progress, and correcting the conditions for calling nilfs_redirty_inodes() to ensure that the NILFS_I_COLLECTED flag is cleared.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46780", "url": "https://ubuntu.com/security/CVE-2024-46780", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nilfs2: protect references to superblock parameters exposed in sysfs The superblock buffers of nilfs2 can not only be overwritten at runtime for modifications/repairs, but they are also regularly swapped, replaced during resizing, and even abandoned when degrading to one side due to backing device issues. So, accessing them requires mutual exclusion using the reader/writer semaphore \"nilfs->ns_sem\". Some sysfs attribute show methods read this superblock buffer without the necessary mutual exclusion, which can cause problems with pointer dereferencing and memory access, so fix it.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46781", "url": "https://ubuntu.com/security/CVE-2024-46781", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix missing cleanup on rollforward recovery error In an error injection test of a routine for mount-time recovery, KASAN found a use-after-free bug. It turned out that if data recovery was performed using partial logs created by dsync writes, but an error occurred before starting the log writer to create a recovered checkpoint, the inodes whose data had been recovered were left in the ns_dirty_files list of the nilfs object and were not freed. 
Fix this issue by cleaning up inodes that have read the recovery data if the recovery routine fails midway before the log writer starts.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46828", "url": "https://ubuntu.com/security/CVE-2024-46828", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sched: sch_cake: fix bulk flow accounting logic for host fairness In sch_cake, we keep track of the count of active bulk flows per host, when running in dst/src host fairness mode, which is used as the round-robin weight when iterating through flows. The count of active bulk flows is updated whenever a flow changes state. This has a peculiar interaction with the hash collision handling: when a hash collision occurs (after the set-associative hashing), the state of the hash bucket is simply updated to match the new packet that collided, and if host fairness is enabled, that also means assigning new per-host state to the flow. For this reason, the bulk flow counters of the host(s) assigned to the flow are decremented, before new state is assigned (and the counters, which may not belong to the same host anymore, are incremented again). Back when this code was introduced, the host fairness mode was always enabled, so the decrement was unconditional. When the configuration flags were introduced the *increment* was made conditional, but the *decrement* was not. Which of course can lead to a spurious decrement (and associated wrap-around to U16_MAX). AFAICT, when host fairness is disabled, the decrement and wrap-around happens as soon as a hash collision occurs (which is not that common in itself, due to the set-associative hashing). However, in most cases this is harmless, as the value is only used when host fairness mode is enabled. 
So in order to trigger an array overflow, sch_cake has to first be configured with host fairness disabled, and while running in this mode, a hash collision has to occur to cause the overflow. Then, the qdisc has to be reconfigured to enable host fairness, which leads to the array out-of-bounds because the wrapped-around value is retained and used as an array index. It seems that syzbot managed to trigger this, which is quite impressive in its own right. This patch fixes the issue by introducing the same conditional check on decrement as is used on increment. The original bug predates the upstreaming of cake, but the commit listed in the Fixes tag touched that code, meaning that this patch won't apply before that.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46782", "url": "https://ubuntu.com/security/CVE-2024-46782", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ila: call nf_unregister_net_hooks() sooner syzbot found an use-after-free Read in ila_nf_input [1] Issue here is that ila_xlat_exit_net() frees the rhashtable, then call nf_unregister_net_hooks(). It should be done in the reverse way, with a synchronize_rcu(). This is a good match for a pre_exit() method. 
[1] BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline] BUG: KASAN: use-after-free in __rhashtable_lookup include/linux/rhashtable.h:604 [inline] BUG: KASAN: use-after-free in rhashtable_lookup include/linux/rhashtable.h:646 [inline] BUG: KASAN: use-after-free in rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 Read of size 4 at addr ffff888064620008 by task ksoftirqd/0/16 CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.11.0-rc4-syzkaller-00238-g2ad6d23f465a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 rht_key_hashfn include/linux/rhashtable.h:159 [inline] __rhashtable_lookup include/linux/rhashtable.h:604 [inline] rhashtable_lookup include/linux/rhashtable.h:646 [inline] rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline] ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline] ila_nf_input+0x1fe/0x3c0 net/ipv6/ila/ila_xlat.c:190 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312 __netif_receive_skb_one_core net/core/dev.c:5661 [inline] __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5775 process_backlog+0x662/0x15b0 net/core/dev.c:6108 __napi_poll+0xcb/0x490 net/core/dev.c:6772 napi_poll net/core/dev.c:6841 [inline] net_rx_action+0x89b/0x1240 net/core/dev.c:6963 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554 run_ksoftirqd+0xca/0x130 kernel/softirq.c:928 smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 
arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64620 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: 0xbfffffff(buddy) raw: 00fff00000000000 ffffea0000959608 ffffea00019d9408 0000000000000000 raw: 0000000000000000 0000000000000003 00000000bfffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 5242, tgid 5242 (syz-executor), ts 73611328570, free_ts 618981657187 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493 prep_new_page mm/page_alloc.c:1501 [inline] get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3439 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4695 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline] alloc_pages_node_noprof include/linux/gfp.h:296 [inline] ___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4103 __kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4130 __do_kmalloc_node mm/slub.c:4146 [inline] __kmalloc_node_noprof+0x2d2/0x440 mm/slub.c:4164 __kvmalloc_node_noprof+0x72/0x190 mm/util.c:650 bucket_table_alloc lib/rhashtable.c:186 [inline] rhashtable_init_noprof+0x534/0xa60 lib/rhashtable.c:1071 ila_xlat_init_net+0xa0/0x110 net/ipv6/ila/ila_xlat.c:613 ops_ini ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46783", "url": "https://ubuntu.com/security/CVE-2024-46783", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp_bpf: fix return value of tcp_bpf_sendmsg() When we cork messages in psock->cork, the last message triggers the flushing will result in sending a sk_msg larger than the current message size. 
In this case, in tcp_bpf_send_verdict(), 'copied' becomes negative at least in the following case: 468 case __SK_DROP: 469 default: 470 sk_msg_free_partial(sk, msg, tosend); 471 sk_msg_apply_bytes(psock, tosend); 472 *copied -= (tosend + delta); // <==== HERE 473 return -EACCES; Therefore, it could lead to the following BUG with a proper value of 'copied' (thanks to syzbot). We should not use negative 'copied' as a return value here. ------------[ cut here ]------------ kernel BUG at net/socket.c:733! Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP Modules linked in: CPU: 0 UID: 0 PID: 3265 Comm: syz-executor510 Not tainted 6.11.0-rc3-syzkaller-00060-gd07b43284ab3 #0 Hardware name: linux,dummy-virt (DT) pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) pc : sock_sendmsg_nosec net/socket.c:733 [inline] pc : sock_sendmsg_nosec net/socket.c:728 [inline] pc : __sock_sendmsg+0x5c/0x60 net/socket.c:745 lr : sock_sendmsg_nosec net/socket.c:730 [inline] lr : __sock_sendmsg+0x54/0x60 net/socket.c:745 sp : ffff800088ea3b30 x29: ffff800088ea3b30 x28: fbf00000062bc900 x27: 0000000000000000 x26: ffff800088ea3bc0 x25: ffff800088ea3bc0 x24: 0000000000000000 x23: f9f00000048dc000 x22: 0000000000000000 x21: ffff800088ea3d90 x20: f9f00000048dc000 x19: ffff800088ea3d90 x18: 0000000000000001 x17: 0000000000000000 x16: 0000000000000000 x15: 000000002002ffaf x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: ffff8000815849c0 x9 : ffff8000815b49c0 x8 : 0000000000000000 x7 : 000000000000003f x6 : 0000000000000000 x5 : 00000000000007e0 x4 : fff07ffffd239000 x3 : fbf00000062bc900 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 00000000fffffdef Call trace: sock_sendmsg_nosec net/socket.c:733 [inline] __sock_sendmsg+0x5c/0x60 net/socket.c:745 ____sys_sendmsg+0x274/0x2ac net/socket.c:2597 ___sys_sendmsg+0xac/0x100 net/socket.c:2651 __sys_sendmsg+0x84/0xe0 net/socket.c:2680 __do_sys_sendmsg net/socket.c:2689 [inline] 
__se_sys_sendmsg net/socket.c:2687 [inline] __arm64_sys_sendmsg+0x24/0x30 net/socket.c:2687 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x48/0x110 arch/arm64/kernel/syscall.c:49 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151 el0_svc+0x34/0xec arch/arm64/kernel/entry-common.c:712 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598 Code: f9404463 d63f0060 3108441f 54fffe81 (d4210000) ---[ end trace 0000000000000000 ]---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46784", "url": "https://ubuntu.com/security/CVE-2024-46784", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup Currently napi_disable() gets called during rxq and txq cleanup, even before napi is enabled and hrtimer is initialized. It causes kernel panic. ? page_fault_oops+0x136/0x2b0 ? page_counter_cancel+0x2e/0x80 ? do_user_addr_fault+0x2f2/0x640 ? refill_obj_stock+0xc4/0x110 ? exc_page_fault+0x71/0x160 ? asm_exc_page_fault+0x27/0x30 ? __mmdrop+0x10/0x180 ? __mmdrop+0xec/0x180 ? hrtimer_active+0xd/0x50 hrtimer_try_to_cancel+0x2c/0xf0 hrtimer_cancel+0x15/0x30 napi_disable+0x65/0x90 mana_destroy_rxq+0x4c/0x2f0 mana_create_rxq.isra.0+0x56c/0x6d0 ? mana_uncfg_vport+0x50/0x50 mana_alloc_queues+0x21b/0x320 ? 
skb_dequeue+0x5f/0x80", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46785", "url": "https://ubuntu.com/security/CVE-2024-46785", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: eventfs: Use list_del_rcu() for SRCU protected list variable Chi Zhiling reported: We found a null pointer accessing in tracefs[1], the reason is that the variable 'ei_child' is set to LIST_POISON1, that means the list was removed in eventfs_remove_rec. so when access the ei_child->is_freed, the panic triggered. by the way, the following script can reproduce this panic loop1 (){ while true do echo \"p:kp submit_bio\" > /sys/kernel/debug/tracing/kprobe_events echo \"\" > /sys/kernel/debug/tracing/kprobe_events done } loop2 (){ while true do tree /sys/kernel/debug/tracing/events/kprobes/ done } loop1 & loop2 [1]: [ 1147.959632][T17331] Unable to handle kernel paging request at virtual address dead000000000150 [ 1147.968239][T17331] Mem abort info: [ 1147.971739][T17331] ESR = 0x0000000096000004 [ 1147.976172][T17331] EC = 0x25: DABT (current EL), IL = 32 bits [ 1147.982171][T17331] SET = 0, FnV = 0 [ 1147.985906][T17331] EA = 0, S1PTW = 0 [ 1147.989734][T17331] FSC = 0x04: level 0 translation fault [ 1147.995292][T17331] Data abort info: [ 1147.998858][T17331] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 1148.005023][T17331] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 1148.010759][T17331] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 1148.016752][T17331] [dead000000000150] address between user and kernel address ranges [ 1148.024571][T17331] Internal error: Oops: 0000000096000004 [#1] SMP [ 1148.030825][T17331] Modules linked in: team_mode_loadbalance team nlmon act_gact cls_flower sch_ingress bonding tls macvlan dummy ib_core bridge stp llc veth amdgpu amdxcp mfd_core gpu_sched drm_exec drm_buddy radeon crct10dif_ce video drm_suballoc_helper ghash_ce drm_ttm_helper sha2_ce ttm sha256_arm64 i2c_algo_bit 
sha1_ce sbsa_gwdt cp210x drm_display_helper cec sr_mod cdrom drm_kms_helper binfmt_misc sg loop fuse drm dm_mod nfnetlink ip_tables autofs4 [last unloaded: tls] [ 1148.072808][T17331] CPU: 3 PID: 17331 Comm: ls Tainted: G W ------- ---- 6.6.43 #2 [ 1148.081751][T17331] Source Version: 21b3b386e948bedd29369af66f3e98ab01b1c650 [ 1148.088783][T17331] Hardware name: Greatwall GW-001M1A-FTF/GW-001M1A-FTF, BIOS KunLun BIOS V4.0 07/16/2020 [ 1148.098419][T17331] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 1148.106060][T17331] pc : eventfs_iterate+0x2c0/0x398 [ 1148.111017][T17331] lr : eventfs_iterate+0x2fc/0x398 [ 1148.115969][T17331] sp : ffff80008d56bbd0 [ 1148.119964][T17331] x29: ffff80008d56bbf0 x28: ffff001ff5be2600 x27: 0000000000000000 [ 1148.127781][T17331] x26: ffff001ff52ca4e0 x25: 0000000000009977 x24: dead000000000100 [ 1148.135598][T17331] x23: 0000000000000000 x22: 000000000000000b x21: ffff800082645f10 [ 1148.143415][T17331] x20: ffff001fddf87c70 x19: ffff80008d56bc90 x18: 0000000000000000 [ 1148.151231][T17331] x17: 0000000000000000 x16: 0000000000000000 x15: ffff001ff52ca4e0 [ 1148.159048][T17331] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 1148.166864][T17331] x11: 0000000000000000 x10: 0000000000000000 x9 : ffff8000804391d0 [ 1148.174680][T17331] x8 : 0000000180000000 x7 : 0000000000000018 x6 : 0000aaab04b92862 [ 1148.182498][T17331] x5 : 0000aaab04b92862 x4 : 0000000080000000 x3 : 0000000000000068 [ 1148.190314][T17331] x2 : 000000000000000f x1 : 0000000000007ea8 x0 : 0000000000000001 [ 1148.198131][T17331] Call trace: [ 1148.201259][T17331] eventfs_iterate+0x2c0/0x398 [ 1148.205864][T17331] iterate_dir+0x98/0x188 [ 1148.210036][T17331] __arm64_sys_getdents64+0x78/0x160 [ 1148.215161][T17331] invoke_syscall+0x78/0x108 [ 1148.219593][T17331] el0_svc_common.constprop.0+0x48/0xf0 [ 1148.224977][T17331] do_el0_svc+0x24/0x38 [ 1148.228974][T17331] el0_svc+0x40/0x168 [ 1148.232798][T17 ---truncated---", 
"cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46786", "url": "https://ubuntu.com/security/CVE-2024-46786", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF The fscache_cookie_lru_timer is initialized when the fscache module is inserted, but is not deleted when the fscache module is removed. If timer_reduce() is called before removing the fscache module, the fscache_cookie_lru_timer will be added to the timer list of the current cpu. Afterwards, a use-after-free will be triggered in the softIRQ after removing the fscache module, as follows: ================================================================== BUG: unable to handle page fault for address: fffffbfff803c9e9 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 21ffea067 P4D 21ffea067 PUD 21ffe6067 PMD 110a7c067 PTE 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G W 6.11.0-rc3 #855 Tainted: [W]=WARN RIP: 0010:__run_timer_base.part.0+0x254/0x8a0 Call Trace: tmigr_handle_remote_up+0x627/0x810 __walk_groups.isra.0+0x47/0x140 tmigr_handle_remote+0x1fa/0x2f0 handle_softirqs+0x180/0x590 irq_exit_rcu+0x84/0xb0 sysvec_apic_timer_interrupt+0x6e/0x90 asm_sysvec_apic_timer_interrupt+0x1a/0x20 RIP: 0010:default_idle+0xf/0x20 default_idle_call+0x38/0x60 do_idle+0x2b5/0x300 cpu_startup_entry+0x54/0x60 start_secondary+0x20d/0x280 common_startup_64+0x13e/0x148 Modules linked in: [last unloaded: netfs] ================================================================== Therefore delete fscache_cookie_lru_timer when removing the fscahe module.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46787", "url": "https://ubuntu.com/security/CVE-2024-46787", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: 
userfaultfd: fix checks for huge PMDs Patch series \"userfaultfd: fix races around pmd_trans_huge() check\", v2. The pmd_trans_huge() code in mfill_atomic() is wrong in three different ways depending on kernel version: 1. The pmd_trans_huge() check is racy and can lead to a BUG_ON() (if you hit the right two race windows) - I've tested this in a kernel build with some extra mdelay() calls. See the commit message for a description of the race scenario. On older kernels (before 6.5), I think the same bug can even theoretically lead to accessing transhuge page contents as a page table if you hit the right 5 narrow race windows (I haven't tested this case). 2. As pointed out by Qi Zheng, pmd_trans_huge() is not sufficient for detecting PMDs that don't point to page tables. On older kernels (before 6.5), you'd just have to win a single fairly wide race to hit this. I've tested this on 6.1 stable by racing migration (with a mdelay() patched into try_to_migrate()) against UFFDIO_ZEROPAGE - on my x86 VM, that causes a kernel oops in ptlock_ptr(). 3. On newer kernels (>=6.5), for shmem mappings, khugepaged is allowed to yank page tables out from under us (though I haven't tested that), so I think the BUG_ON() checks in mfill_atomic() are just wrong. I decided to write two separate fixes for these (one fix for bugs 1+2, one fix for bug 3), so that the first fix can be backported to kernels affected by bugs 1+2. This patch (of 2): This fixes two issues. I discovered that the following race can occur: mfill_atomic other thread ============ ============ pmdp_get_lockless() [reads none pmd] __pte_alloc [no-op] BUG_ON(pmd_none(*dst_pmd)) I have experimentally verified this in a kernel with extra mdelay() calls; the BUG_ON(pmd_none(*dst_pmd)) triggers. 
On kernels newer than commit 0d940a9b270b (\"mm/pgtable: allow pte_offset_map[_lock]() to fail\"), this can't lead to anything worse than a BUG_ON(), since the page table access helpers are actually designed to deal with page tables concurrently disappearing; but on older kernels (<=6.4), I think we could probably theoretically race past the two BUG_ON() checks and end up treating a hugepage as a page table. The second issue is that, as Qi Zheng pointed out, there are other types of huge PMDs that pmd_trans_huge() can't catch: devmap PMDs and swap PMDs (in particular, migration PMDs). On <=6.4, this is worse than the first issue: If mfill_atomic() runs on a PMD that contains a migration entry (which just requires winning a single, fairly wide race), it will pass the PMD to pte_offset_map_lock(), which assumes that the PMD points to a page table. Breakage follows: First, the kernel tries to take the PTE lock (which will crash or maybe worse if there is no \"struct page\" for the address bits in the migration entry PMD - I think at least on X86 there usually is no corresponding \"struct page\" thanks to the PTE inversion mitigation, amd64 looks different). If that didn't crash, the kernel would next try to write a PTE into what it wrongly thinks is a page table. As part of fixing these issues, get rid of the check for pmd_trans_huge() before __pte_alloc() - that's redundant, we're going to have to check for that after the __pte_alloc() anyway. 
Backport note: pmdp_get_lockless() is pmd_read_atomic() in older kernels.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46838", "url": "https://ubuntu.com/security/CVE-2024-46838", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: userfaultfd: don't BUG_ON() if khugepaged yanks our page table Since khugepaged was changed to allow retracting page tables in file mappings without holding the mmap lock, these BUG_ON()s are wrong - get rid of them. We could also remove the preceding \"if (unlikely(...))\" block, but then we could reach pte_offset_map_lock() with transhuge pages not just for file mappings but also for anonymous mappings - which would probably be fine but I think is not necessarily expected.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46845", "url": "https://ubuntu.com/security/CVE-2024-46845", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tracing/timerlat: Only clear timer if a kthread exists The timerlat tracer can use user space threads to check for osnoise and timer latency. If the program using this is killed via a SIGTERM, the threads are shutdown one at a time and another tracing instance can start up resetting the threads before they are fully closed. That causes the hrtimer assigned to the kthread to be shutdown and freed twice when the dying thread finally closes the file descriptors, causing a use-after-free bug. Only cancel the hrtimer if the associated thread is still around. Also add the interface_lock around the resetting of the tlat_var->kthread. Note, this is just a quick fix that can be backported to stable. 
A real fix is to have a better synchronization between the shutdown of old threads and the starting of new ones.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46788", "url": "https://ubuntu.com/security/CVE-2024-46788", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tracing/osnoise: Use a cpumask to know what threads are kthreads The start_kthread() and stop_thread() code was not always called with the interface_lock held. This means that the kthread variable could be unexpectedly changed causing the kthread_stop() to be called on it when it should not have been, leading to: while true; do rtla timerlat top -u -q & PID=$!; sleep 5; kill -INT $PID; sleep 0.001; kill -TERM $PID; wait $PID; done Causing the following OOPS: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] CPU: 5 UID: 0 PID: 885 Comm: timerlatu/5 Not tainted 6.11.0-rc4-test-00002-gbc754cc76d1b-dirty #125 a533010b71dab205ad2f507188ce8c82203b0254 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:hrtimer_active+0x58/0x300 Code: 48 c1 ee 03 41 54 48 01 d1 48 01 d6 55 53 48 83 ec 20 80 39 00 0f 85 30 02 00 00 49 8b 6f 30 4c 8d 75 10 4c 89 f0 48 c1 e8 03 <0f> b6 3c 10 4c 89 f0 83 e0 07 83 c0 03 40 38 f8 7c 09 40 84 ff 0f RSP: 0018:ffff88811d97f940 EFLAGS: 00010202 RAX: 0000000000000002 RBX: ffff88823c6b5b28 RCX: ffffed10478d6b6b RDX: dffffc0000000000 RSI: ffffed10478d6b6c RDI: ffff88823c6b5b28 RBP: 0000000000000000 R08: ffff88823c6b5b58 R09: ffff88823c6b5b60 R10: ffff88811d97f957 R11: 0000000000000010 R12: 00000000000a801d R13: ffff88810d8b35d8 R14: 0000000000000010 R15: ffff88823c6b5b28 FS: 0000000000000000(0000) GS:ffff88823c680000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000561858ad7258 
CR3: 000000007729e001 CR4: 0000000000170ef0 Call Trace: ? die_addr+0x40/0xa0 ? exc_general_protection+0x154/0x230 ? asm_exc_general_protection+0x26/0x30 ? hrtimer_active+0x58/0x300 ? __pfx_mutex_lock+0x10/0x10 ? __pfx_locks_remove_file+0x10/0x10 hrtimer_cancel+0x15/0x40 timerlat_fd_release+0x8e/0x1f0 ? security_file_release+0x43/0x80 __fput+0x372/0xb10 task_work_run+0x11e/0x1f0 ? _raw_spin_lock+0x85/0xe0 ? __pfx_task_work_run+0x10/0x10 ? poison_slab_object+0x109/0x170 ? do_exit+0x7a0/0x24b0 do_exit+0x7bd/0x24b0 ? __pfx_migrate_enable+0x10/0x10 ? __pfx_do_exit+0x10/0x10 ? __pfx_read_tsc+0x10/0x10 ? ktime_get+0x64/0x140 ? _raw_spin_lock_irq+0x86/0xe0 do_group_exit+0xb0/0x220 get_signal+0x17ba/0x1b50 ? vfs_read+0x179/0xa40 ? timerlat_fd_read+0x30b/0x9d0 ? __pfx_get_signal+0x10/0x10 ? __pfx_timerlat_fd_read+0x10/0x10 arch_do_signal_or_restart+0x8c/0x570 ? __pfx_arch_do_signal_or_restart+0x10/0x10 ? vfs_read+0x179/0xa40 ? ksys_read+0xfe/0x1d0 ? __pfx_ksys_read+0x10/0x10 syscall_exit_to_user_mode+0xbc/0x130 do_syscall_64+0x74/0x110 ? __pfx___rseq_handle_notify_resume+0x10/0x10 ? __pfx_ksys_read+0x10/0x10 ? fpregs_restore_userregs+0xdb/0x1e0 ? fpregs_restore_userregs+0xdb/0x1e0 ? syscall_exit_to_user_mode+0x116/0x130 ? do_syscall_64+0x74/0x110 ? do_syscall_64+0x74/0x110 ? do_syscall_64+0x74/0x110 entry_SYSCALL_64_after_hwframe+0x71/0x79 RIP: 0033:0x7ff0070eca9c Code: Unable to access opcode bytes at 0x7ff0070eca72. 
RSP: 002b:00007ff006dff8c0 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00007ff0070eca9c RDX: 0000000000000400 RSI: 00007ff006dff9a0 RDI: 0000000000000003 RBP: 00007ff006dffde0 R08: 0000000000000000 R09: 00007ff000000ba0 R10: 00007ff007004b08 R11: 0000000000000246 R12: 0000000000000003 R13: 00007ff006dff9a0 R14: 0000000000000007 R15: 0000000000000008 Modules linked in: snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec snd_hwdep snd_hda_core ---[ end trace 0000000000000000 ]--- This is because it would mistakenly call kthread_stop() on a user space thread making it \"exit\" before it actually exits. Since kthread ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46846", "url": "https://ubuntu.com/security/CVE-2024-46846", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: spi: rockchip: Resolve unbalanced runtime PM / system PM handling Commit e882575efc77 (\"spi: rockchip: Suspend and resume the bus during NOIRQ_SYSTEM_SLEEP_PM ops\") stopped respecting runtime PM status and simply disabled clocks unconditionally when suspending the system. This causes problems when the device is already runtime suspended when we go to sleep -- in which case we double-disable clocks and produce a WARNing. Switch back to pm_runtime_force_{suspend,resume}(), because that still seems like the right thing to do, and the aforementioned commit makes no explanation why it stopped using it. 
Also, refactor some of the resume() error handling, because it's not actually a good idea to re-disable clocks on failure.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46847", "url": "https://ubuntu.com/security/CVE-2024-46847", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm: vmalloc: ensure vmap_block is initialised before adding to queue Commit 8c61291fd850 (\"mm: fix incorrect vbq reference in purge_fragmented_block\") extended the 'vmap_block' structure to contain a 'cpu' field which is set at allocation time to the id of the initialising CPU. When a new 'vmap_block' is being instantiated by new_vmap_block(), the partially initialised structure is added to the local 'vmap_block_queue' xarray before the 'cpu' field has been initialised. If another CPU is concurrently walking the xarray (e.g. via vm_unmap_aliases()), then it may perform an out-of-bounds access to the remote queue thanks to an uninitialised index. This has been observed as UBSAN errors in Android: | Internal error: UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP | | Call trace: | purge_fragmented_block+0x204/0x21c | _vm_unmap_aliases+0x170/0x378 | vm_unmap_aliases+0x1c/0x28 | change_memory_common+0x1dc/0x26c | set_memory_ro+0x18/0x24 | module_enable_ro+0x98/0x238 | do_init_module+0x1b0/0x310 Move the initialisation of 'vb->cpu' in new_vmap_block() ahead of the addition to the xarray.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46791", "url": "https://ubuntu.com/security/CVE-2024-46791", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open The mcp251x_hw_wake() function is called with the mpc_lock mutex held and disables the interrupt handler so that no interrupts can be processed while waking the device. 
If an interrupt has already occurred then waiting for the interrupt handler to complete will deadlock because it will be trying to acquire the same mutex. CPU0 CPU1 ---- ---- mcp251x_open() mutex_lock(&priv->mcp_lock) request_threaded_irq() mcp251x_can_ist() mutex_lock(&priv->mcp_lock) mcp251x_hw_wake() disable_irq() <-- deadlock Use disable_irq_nosync() instead because the interrupt handler does everything while holding the mutex so it doesn't matter if it's still running.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46829", "url": "https://ubuntu.com/security/CVE-2024-46829", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rtmutex: Drop rt_mutex::wait_lock before scheduling rt_mutex_handle_deadlock() is called with rt_mutex::wait_lock held. In the good case it returns with the lock held and in the deadlock case it emits a warning and goes into an endless scheduling loop with the lock held, which triggers the 'scheduling in atomic' warning. Unlock rt_mutex::wait_lock in the dead lock case before issuing the warning and dropping into the schedule for ever loop. [ tglx: Moved unlock before the WARN(), removed the pointless comment, \tmassaged changelog, added Fixes tag ]", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46848", "url": "https://ubuntu.com/security/CVE-2024-46848", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: Limit the period on Haswell Running the ltp test cve-2015-3290 concurrently reports the following warnings. perfevents: irq loop stuck! WARNING: CPU: 31 PID: 32438 at arch/x86/events/intel/core.c:3174 intel_pmu_handle_irq+0x285/0x370 Call Trace: ? __warn+0xa4/0x220 ? intel_pmu_handle_irq+0x285/0x370 ? __report_bug+0x123/0x130 ? intel_pmu_handle_irq+0x285/0x370 ? __report_bug+0x123/0x130 ? intel_pmu_handle_irq+0x285/0x370 ? report_bug+0x3e/0xa0 ? 
handle_bug+0x3c/0x70 ? exc_invalid_op+0x18/0x50 ? asm_exc_invalid_op+0x1a/0x20 ? irq_work_claim+0x1e/0x40 ? intel_pmu_handle_irq+0x285/0x370 perf_event_nmi_handler+0x3d/0x60 nmi_handle+0x104/0x330 Thanks to Thomas Gleixner's analysis, the issue is caused by the low initial period (1) of the frequency estimation algorithm, which triggers the defects of the HW, specifically erratum HSW11 and HSW143. (For the details, please refer https://lore.kernel.org/lkml/87plq9l5d2.ffs@tglx/) The HSW11 requires a period larger than 100 for the INST_RETIRED.ALL event, but the initial period in the freq mode is 1. The erratum is the same as the BDM11, which has been supported in the kernel. A minimum period of 128 is enforced as well on HSW. HSW143 is regarding that the fixed counter 1 may overcount 32 with the Hyper-Threading is enabled. However, based on the test, the hardware has more issues than it tells. Besides the fixed counter 1, the message 'interrupt took too long' can be observed on any counter which was armed with a period < 32 and two events expired in the same NMI. A minimum period of 32 is enforced for the rest of the events. The recommended workaround code of the HSW143 is not implemented. Because it only addresses the issue for the fixed counter. It brings extra overhead through extra MSR writing. No related overcounting issue has been reported so far.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46794", "url": "https://ubuntu.com/security/CVE-2024-46794", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: x86/tdx: Fix data leak in mmio_read() The mmio_read() function makes a TDVMCALL to retrieve MMIO data for an address from the VMM. Sean noticed that mmio_read() unintentionally exposes the value of an initialized variable (val) on the stack to the VMM. This variable is only needed as an output value. It did not need to be passed to the VMM in the first place. 
Do not send the original value of *val to the VMM. [ dhansen: clarify what 'val' is used for. ]", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46795", "url": "https://ubuntu.com/security/CVE-2024-46795", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: unset the binding mark of a reused connection Steve French reported null pointer dereference error from sha256 lib. cifs.ko can send session setup requests on reused connection. If reused connection is used for binding session, conn->binding can still remain true and generate_preauth_hash() will not set sess->Preauth_HashValue and it will be NULL. It is used as a material to create an encryption key in ksmbd_gen_smb311_encryptionkey. ->Preauth_HashValue cause null pointer dereference error from crypto_shash_update(). BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 8 PID: 429254 Comm: kworker/8:39 Hardware name: LENOVO 20MAS08500/20MAS08500, BIOS N2CET69W (1.52 ) Workqueue: ksmbd-io handle_ksmbd_work [ksmbd] RIP: 0010:lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3] ? show_regs+0x6d/0x80 ? __die+0x24/0x80 ? page_fault_oops+0x99/0x1b0 ? do_user_addr_fault+0x2ee/0x6b0 ? exc_page_fault+0x83/0x1b0 ? asm_exc_page_fault+0x27/0x30 ? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3] ? lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3] ? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3] ? 
__pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3] _sha256_update+0x77/0xa0 [sha256_ssse3] sha256_avx2_update+0x15/0x30 [sha256_ssse3] crypto_shash_update+0x1e/0x40 hmac_update+0x12/0x20 crypto_shash_update+0x1e/0x40 generate_key+0x234/0x380 [ksmbd] generate_smb3encryptionkey+0x40/0x1c0 [ksmbd] ksmbd_gen_smb311_encryptionkey+0x72/0xa0 [ksmbd] ntlm_authenticate.isra.0+0x423/0x5d0 [ksmbd] smb2_sess_setup+0x952/0xaa0 [ksmbd] __process_request+0xa3/0x1d0 [ksmbd] __handle_ksmbd_work+0x1c4/0x2f0 [ksmbd] handle_ksmbd_work+0x2d/0xa0 [ksmbd] process_one_work+0x16c/0x350 worker_thread+0x306/0x440 ? __pfx_worker_thread+0x10/0x10 kthread+0xef/0x120 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x44/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 ", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46797", "url": "https://ubuntu.com/security/CVE-2024-46797", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/qspinlock: Fix deadlock in MCS queue If an interrupt occurs in queued_spin_lock_slowpath() after we increment qnodesp->count and before node->lock is initialized, another CPU might see stale lock values in get_tail_qnode(). If the stale lock value happens to match the lock on that CPU, then we write to the \"next\" pointer of the wrong qnode. This causes a deadlock as the former CPU, once it becomes the head of the MCS queue, will spin indefinitely until it's \"next\" pointer is set by its successor in the queue. Running stress-ng on a 16 core (16EC/16VP) shared LPAR, results in occasional lockups similar to the following: $ stress-ng --all 128 --vm-bytes 80% --aggressive \\ --maximize --oomable --verify --syslog \\ --metrics --times --timeout 5m watchdog: CPU 15 Hard LOCKUP ...... 
NIP [c0000000000b78f4] queued_spin_lock_slowpath+0x1184/0x1490 LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90 Call Trace: 0xc000002cfffa3bf0 (unreliable) _raw_spin_lock+0x6c/0x90 raw_spin_rq_lock_nested.part.135+0x4c/0xd0 sched_ttwu_pending+0x60/0x1f0 __flush_smp_call_function_queue+0x1dc/0x670 smp_ipi_demux_relaxed+0xa4/0x100 xive_muxed_ipi_action+0x20/0x40 __handle_irq_event_percpu+0x80/0x240 handle_irq_event_percpu+0x2c/0x80 handle_percpu_irq+0x84/0xd0 generic_handle_irq+0x54/0x80 __do_irq+0xac/0x210 __do_IRQ+0x74/0xd0 0x0 do_IRQ+0x8c/0x170 hardware_interrupt_common_virt+0x29c/0x2a0 --- interrupt: 500 at queued_spin_lock_slowpath+0x4b8/0x1490 ...... NIP [c0000000000b6c28] queued_spin_lock_slowpath+0x4b8/0x1490 LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90 --- interrupt: 500 0xc0000029c1a41d00 (unreliable) _raw_spin_lock+0x6c/0x90 futex_wake+0x100/0x260 do_futex+0x21c/0x2a0 sys_futex+0x98/0x270 system_call_exception+0x14c/0x2f0 system_call_vectored_common+0x15c/0x2ec The following code flow illustrates how the deadlock occurs. For the sake of brevity, assume that both locks (A and B) are contended and we call the queued_spin_lock_slowpath() function. CPU0 CPU1 ---- ---- spin_lock_irqsave(A) | spin_unlock_irqrestore(A) | spin_lock(B) | | | ? | id = qnodesp->count++; | (Note that nodes[0].lock == A) | | | ? | Interrupt | (happens before \"nodes[0].lock = B\") | | | ? | spin_lock_irqsave(A) | | | ? | id = qnodesp->count++ | nodes[1].lock = A | | | ? | Tail of MCS queue | | spin_lock_irqsave(A) ? | Head of MCS queue ? | CPU0 is previous tail ? | Spin indefinitely ? (until \"nodes[1].next != NULL\") prev = get_tail_qnode(A, CPU0) | ? 
prev == &qnodes[CPU0].nodes[0] (as qnodes ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46830", "url": "https://ubuntu.com/security/CVE-2024-46830", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS Grab kvm->srcu when processing KVM_SET_VCPU_EVENTS, as KVM will forcibly leave nested VMX/SVM if SMM mode is being toggled, and leaving nested VMX reads guest memory. Note, kvm_vcpu_ioctl_x86_set_vcpu_events() can also be called from KVM_RUN via sync_regs(), which already holds SRCU. I.e. trying to precisely use kvm_vcpu_srcu_read_lock() around the problematic SMM code would cause problems. Acquiring SRCU isn't all that expensive, so for simplicity, grab it unconditionally for KVM_SET_VCPU_EVENTS. ============================= WARNING: suspicious RCU usage 6.10.0-rc7-332d2c1d713e-next-vm #552 Not tainted ----------------------------- include/linux/kvm_host.h:1027 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by repro/1071: #0: ffff88811e424430 (&vcpu->mutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x7d/0x970 [kvm] stack backtrace: CPU: 15 PID: 1071 Comm: repro Not tainted 6.10.0-rc7-332d2c1d713e-next-vm #552 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Call Trace: dump_stack_lvl+0x7f/0x90 lockdep_rcu_suspicious+0x13f/0x1a0 kvm_vcpu_gfn_to_memslot+0x168/0x190 [kvm] kvm_vcpu_read_guest+0x3e/0x90 [kvm] nested_vmx_load_msr+0x6b/0x1d0 [kvm_intel] load_vmcs12_host_state+0x432/0xb40 [kvm_intel] vmx_leave_nested+0x30/0x40 [kvm_intel] kvm_vcpu_ioctl_x86_set_vcpu_events+0x15d/0x2b0 [kvm] kvm_arch_vcpu_ioctl+0x1107/0x1750 [kvm] ? mark_held_locks+0x49/0x70 ? kvm_vcpu_ioctl+0x7d/0x970 [kvm] ? kvm_vcpu_ioctl+0x497/0x970 [kvm] kvm_vcpu_ioctl+0x497/0x970 [kvm] ? lock_acquire+0xba/0x2d0 ? 
find_held_lock+0x2b/0x80 ? do_user_addr_fault+0x40c/0x6f0 ? lock_release+0xb7/0x270 __x64_sys_ioctl+0x82/0xb0 do_syscall_64+0x6c/0x170 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7ff11eb1b539 ", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46798", "url": "https://ubuntu.com/security/CVE-2024-46798", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object When using kernel with the following extra config, - CONFIG_KASAN=y - CONFIG_KASAN_GENERIC=y - CONFIG_KASAN_INLINE=y - CONFIG_KASAN_VMALLOC=y - CONFIG_FRAME_WARN=4096 kernel detects that snd_pcm_suspend_all() access a freed 'snd_soc_pcm_runtime' object when the system is suspended, which leads to a use-after-free bug: [ 52.047746] BUG: KASAN: use-after-free in snd_pcm_suspend_all+0x1a8/0x270 [ 52.047765] Read of size 1 at addr ffff0000b9434d50 by task systemd-sleep/2330 [ 52.047785] Call trace: [ 52.047787] dump_backtrace+0x0/0x3c0 [ 52.047794] show_stack+0x34/0x50 [ 52.047797] dump_stack_lvl+0x68/0x8c [ 52.047802] print_address_description.constprop.0+0x74/0x2c0 [ 52.047809] kasan_report+0x210/0x230 [ 52.047815] __asan_report_load1_noabort+0x3c/0x50 [ 52.047820] snd_pcm_suspend_all+0x1a8/0x270 [ 52.047824] snd_soc_suspend+0x19c/0x4e0 The snd_pcm_sync_stop() has a NULL check on 'substream->runtime' before making any access. So we need to always set 'substream->runtime' to NULL everytime we kfree() it.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46831", "url": "https://ubuntu.com/security/CVE-2024-46831", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: microchip: vcap: Fix use-after-free error in kunit test This is a clear use-after-free error. 
We remove it, and rely on checking the return code of vcap_del_rule.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46747", "url": "https://ubuntu.com/security/CVE-2024-46747", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup report_fixup for the Cougar 500k Gaming Keyboard was not verifying that the report descriptor size was correct before accessing it", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46725", "url": "https://ubuntu.com/security/CVE-2024-46725", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix out-of-bounds write warning Check the ring type value to fix the out-of-bounds write warning", "cve_priority": "medium", "cve_public_date": "2024-09-18 07:15:00 UTC" }, { "cve": "CVE-2024-46724", "url": "https://ubuntu.com/security/CVE-2024-46724", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number Check the fb_channel_number range to avoid the array out-of-bounds read error", "cve_priority": "medium", "cve_public_date": "2024-09-18 07:15:00 UTC" }, { "cve": "CVE-2024-46723", "url": "https://ubuntu.com/security/CVE-2024-46723", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix ucode out-of-bounds read warning Clear warning that read ucode[] may out-of-bounds.", "cve_priority": "medium", "cve_public_date": "2024-09-18 07:15:00 UTC" }, { "cve": "CVE-2024-46743", "url": "https://ubuntu.com/security/CVE-2024-46743", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: of/irq: Prevent device address out-of-bounds read in interrupt map walk When of_irq_parse_raw() is invoked with a device address smaller than the interrupt parent node 
(from #address-cells property), KASAN detects the following out-of-bounds read when populating the initial match table (dyndbg=\"func of_irq_parse_* +p\"): OF: of_irq_parse_one: dev=/soc@0/picasso/watchdog, index=0 OF: parent=/soc@0/pci@878000000000/gpio0@17,0, intsize=2 OF: intspec=4 OF: of_irq_parse_raw: ipar=/soc@0/pci@878000000000/gpio0@17,0, size=2 OF: -> addrsize=3 ================================================================== BUG: KASAN: slab-out-of-bounds in of_irq_parse_raw+0x2b8/0x8d0 Read of size 4 at addr ffffff81beca5608 by task bash/764 CPU: 1 PID: 764 Comm: bash Tainted: G O 6.1.67-484c613561-nokia_sm_arm64 #1 Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.01-12.24.03-dirty 01/01/2023 Call trace: dump_backtrace+0xdc/0x130 show_stack+0x1c/0x30 dump_stack_lvl+0x6c/0x84 print_report+0x150/0x448 kasan_report+0x98/0x140 __asan_load4+0x78/0xa0 of_irq_parse_raw+0x2b8/0x8d0 of_irq_parse_one+0x24c/0x270 parse_interrupts+0xc0/0x120 of_fwnode_add_links+0x100/0x2d0 fw_devlink_parse_fwtree+0x64/0xc0 device_add+0xb38/0xc30 of_device_add+0x64/0x90 of_platform_device_create_pdata+0xd0/0x170 of_platform_bus_create+0x244/0x600 of_platform_notify+0x1b0/0x254 blocking_notifier_call_chain+0x9c/0xd0 __of_changeset_entry_notify+0x1b8/0x230 __of_changeset_apply_notify+0x54/0xe4 of_overlay_fdt_apply+0xc04/0xd94 ... 
The buggy address belongs to the object at ffffff81beca5600 which belongs to the cache kmalloc-128 of size 128 The buggy address is located 8 bytes inside of 128-byte region [ffffff81beca5600, ffffff81beca5680) The buggy address belongs to the physical page: page:00000000230d3d03 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1beca4 head:00000000230d3d03 order:1 compound_mapcount:0 compound_pincount:0 flags: 0x8000000000010200(slab|head|zone=2) raw: 8000000000010200 0000000000000000 dead000000000122 ffffff810000c300 raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffffff81beca5500: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffffff81beca5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffffff81beca5600: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffffff81beca5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffffff81beca5700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc ================================================================== OF: -> got it ! Prevent the out-of-bounds read by copying the device address into a buffer of sufficient size.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46757", "url": "https://ubuntu.com/security/CVE-2024-46757", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (nct6775-core) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. 
Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46759", "url": "https://ubuntu.com/security/CVE-2024-46759", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (adc128d818) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46758", "url": "https://ubuntu.com/security/CVE-2024-46758", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (lm95234) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46756", "url": "https://ubuntu.com/security/CVE-2024-46756", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (w83627ehf) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. 
Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46738", "url": "https://ubuntu.com/security/CVE-2024-46738", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: VMCI: Fix use-after-free when removing resource in vmci_resource_remove() When removing a resource from vmci_resource_table in vmci_resource_remove(), the search is performed using the resource handle by comparing context and resource fields. It is possible though to create two resources with different types but same handle (same context and resource fields). When trying to remove one of the resources, vmci_resource_remove() may not remove the intended one, but the object will still be freed as in the case of the datagram type in vmci_datagram_destroy_handle(). vmci_resource_table will still hold a pointer to this freed resource leading to a use-after-free vulnerability. BUG: KASAN: use-after-free in vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline] BUG: KASAN: use-after-free in vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147 Read of size 4 at addr ffff88801c16d800 by task syz-executor197/1592 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x82/0xa9 lib/dump_stack.c:106 print_address_description.constprop.0+0x21/0x366 mm/kasan/report.c:239 __kasan_report.cold+0x7f/0x132 mm/kasan/report.c:425 kasan_report+0x38/0x51 mm/kasan/report.c:442 vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline] vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147 vmci_qp_broker_detach+0x89a/0x11b9 drivers/misc/vmw_vmci/vmci_queue_pair.c:2182 ctx_free_ctx+0x473/0xbe1 drivers/misc/vmw_vmci/vmci_context.c:444 kref_put include/linux/kref.h:65 [inline] vmci_ctx_put drivers/misc/vmw_vmci/vmci_context.c:497 [inline] vmci_ctx_destroy+0x170/0x1d6 drivers/misc/vmw_vmci/vmci_context.c:195 
vmci_host_close+0x125/0x1ac drivers/misc/vmw_vmci/vmci_host.c:143 __fput+0x261/0xa34 fs/file_table.c:282 task_work_run+0xf0/0x194 kernel/task_work.c:164 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop+0x184/0x189 kernel/entry/common.c:187 exit_to_user_mode_prepare+0x11b/0x123 kernel/entry/common.c:220 __syscall_exit_to_user_mode_work kernel/entry/common.c:302 [inline] syscall_exit_to_user_mode+0x18/0x42 kernel/entry/common.c:313 do_syscall_64+0x41/0x85 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x6e/0x0 This change ensures the type is also checked when removing the resource from vmci_resource_table in vmci_resource_remove().", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46722", "url": "https://ubuntu.com/security/CVE-2024-46722", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix mc_data out-of-bounds read warning Clear warning that read mc_data[i-1] may out-of-bounds.", "cve_priority": "medium", "cve_public_date": "2024-09-18 07:15:00 UTC" }, { "cve": "CVE-2024-42284", "url": "https://ubuntu.com/security/CVE-2024-42284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tipc: Return non-zero value from tipc_udp_addr2str() on error tipc_udp_addr2str() should return non-zero value if the UDP media address is invalid. Otherwise, a buffer overflow access can occur in tipc_media_addr_printf(). Fix this by returning 1 on an invalid UDP media address.", "cve_priority": "medium", "cve_public_date": "2024-08-17 09:15:00 UTC" }, { "cve": "CVE-2024-44987", "url": "https://ubuntu.com/security/CVE-2024-44987", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent UAF in ip6_send_skb() syzbot reported an UAF in ip6_send_skb() [1] After ip6_local_out() has returned, we no longer can safely dereference rt, unless we hold rcu_read_lock(). 
A similar issue has been fixed in commit a688caa34beb (\"ipv6: take rcu lock in rawv6_send_hdrinc()\") Another potential issue in ip6_finish_output2() is handled in a separate patch. [1] BUG: KASAN: slab-use-after-free in ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964 Read of size 8 at addr ffff88806dde4858 by task syz.1.380/6530 CPU: 1 UID: 0 PID: 6530 Comm: syz.1.380 Not tainted 6.11.0-rc3-syzkaller-00306-gdf6cbc62cc9b #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964 rawv6_push_pending_frames+0x75c/0x9e0 net/ipv6/raw.c:588 rawv6_sendmsg+0x19c7/0x23c0 net/ipv6/raw.c:926 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x1a6/0x270 net/socket.c:745 sock_write_iter+0x2dd/0x400 net/socket.c:1160 do_iter_readv_writev+0x60a/0x890 vfs_writev+0x37c/0xbb0 fs/read_write.c:971 do_writev+0x1b1/0x350 fs/read_write.c:1018 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f936bf79e79 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f936cd7f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 RAX: ffffffffffffffda RBX: 00007f936c115f80 RCX: 00007f936bf79e79 RDX: 0000000000000001 RSI: 0000000020000040 RDI: 0000000000000004 RBP: 00007f936bfe7916 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f936c115f80 R15: 00007fff2860a7a8 Allocated by task 6530: kasan_save_stack 
mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:312 [inline] __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slub.c:3988 [inline] slab_alloc_node mm/slub.c:4037 [inline] kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4044 dst_alloc+0x12b/0x190 net/core/dst.c:89 ip6_blackhole_route+0x59/0x340 net/ipv6/route.c:2670 make_blackhole net/xfrm/xfrm_policy.c:3120 [inline] xfrm_lookup_route+0xd1/0x1c0 net/xfrm/xfrm_policy.c:3313 ip6_dst_lookup_flow+0x13e/0x180 net/ipv6/ip6_output.c:1257 rawv6_sendmsg+0x1283/0x23c0 net/ipv6/raw.c:898 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x1a6/0x270 net/socket.c:745 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597 ___sys_sendmsg net/socket.c:2651 [inline] __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 45: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2252 [inline] slab_free mm/slub.c:4473 [inline] kmem_cache_free+0x145/0x350 mm/slub.c:4548 dst_destroy+0x2ac/0x460 net/core/dst.c:124 rcu_do_batch kernel/rcu/tree.c:2569 [inline] rcu_core+0xafd/0x1830 kernel/rcu/tree. 
---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-04 20:15:00 UTC" }, { "cve": "CVE-2024-42301", "url": "https://ubuntu.com/security/CVE-2024-42301", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: dev/parport: fix the array out-of-bounds risk Fixed array out-of-bounds issues caused by sprintf by replacing it with snprintf for safer data copying, ensuring the destination buffer is not overflowed. Below is the stack trace I encountered during the actual issue: [ 66.575408s] [pid:5118,cpu4,QThread,4]Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: do_hardware_base_addr+0xcc/0xd0 [parport] [ 66.575408s] [pid:5118,cpu4,QThread,5]CPU: 4 PID: 5118 Comm: QThread Tainted: G S W O 5.10.97-arm64-desktop #7100.57021.2 [ 66.575439s] [pid:5118,cpu4,QThread,6]TGID: 5087 Comm: EFileApp [ 66.575439s] [pid:5118,cpu4,QThread,7]Hardware name: HUAWEI HUAWEI QingYun PGUX-W515x-B081/SP1PANGUXM, BIOS 1.00.07 04/29/2024 [ 66.575439s] [pid:5118,cpu4,QThread,8]Call trace: [ 66.575469s] [pid:5118,cpu4,QThread,9] dump_backtrace+0x0/0x1c0 [ 66.575469s] [pid:5118,cpu4,QThread,0] show_stack+0x14/0x20 [ 66.575469s] [pid:5118,cpu4,QThread,1] dump_stack+0xd4/0x10c [ 66.575500s] [pid:5118,cpu4,QThread,2] panic+0x1d8/0x3bc [ 66.575500s] [pid:5118,cpu4,QThread,3] __stack_chk_fail+0x2c/0x38 [ 66.575500s] [pid:5118,cpu4,QThread,4] do_hardware_base_addr+0xcc/0xd0 [parport]", "cve_priority": "medium", "cve_public_date": "2024-08-17 09:15:00 UTC" }, { "cve": "CVE-2024-44998", "url": "https://ubuntu.com/security/CVE-2024-44998", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: idt77252: prevent use after free in dequeue_rx() We can't dereference \"skb\" after calling vcc->push() because the skb is released.", "cve_priority": "medium", "cve_public_date": "2024-09-04 20:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2090364, 2090369, 1786013, 2087886, 2086298, 2085849, 1786013, 
2086301, 1786013, 2086138, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2084513, 2084941, 2083022, 2078038, 2084526, 2084834, 2081079, 2084225, 2081786, 2084225, 2084005, 2082423, 2084005, 2064176, 2081863, 2081785, 2083182, 2083701, 2077861, 2083794, 2083656, 2083488, 2083022, 2083488, 2077287, 2083488, 2083196, 2083196 ], "changes": [ { "cves": [ { "cve": "CVE-2024-50264", "url": "https://ubuntu.com/security/CVE-2024-50264", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans During loopback communication, a dangling pointer can be created in vsk->trans, potentially leading to a Use-After-Free condition. This issue is resolved by initializing vsk->trans to NULL.", "cve_priority": "high", "cve_public_date": "2024-11-19 02:16:00 UTC" }, { "cve": "CVE-2024-53057", "url": "https://ubuntu.com/security/CVE-2024-53057", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed to be either root or ingress. 
This assumption is bogus since it's valid to create egress qdiscs with major handle ffff: Budimir Markovic found that for qdiscs like DRR that maintain an active class list, it will cause a UAF with a dangling class pointer. In 066a3b5b2346, the concern was to avoid iterating over the ingress qdisc since its parent is itself. The proper fix is to stop when parent TC_H_ROOT is reached because the only way to retrieve ingress is when a hierarchy which does not contain a ffff: major handle call into qdisc_lookup with TC_H_MAJ(TC_H_ROOT). In the scenario where major ffff: is an egress qdisc in any of the tree levels, the updates will also propagate to TC_H_ROOT, which then the iteration must stop. net/sched/sch_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)", "cve_priority": "medium", "cve_public_date": "2024-11-19 18:15:00 UTC" }, { "cve": "CVE-2024-49967", "url": "https://ubuntu.com/security/CVE-2024-49967", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ext4: no need to continue when the number of entries is 1", "cve_priority": "medium", "cve_public_date": "2024-10-21 18:15:00 UTC" } ], "log": [ "", " * noble/linux-riscv: 6.8.0-51.52.1 -proposed tracker (LP: #2090364)", "", " [ Ubuntu: 6.8.0-51.52 ]", "", " * noble/linux: 6.8.0-51.52 -proposed tracker (LP: #2090369)", " * Packaging resync (LP: #1786013)", " - [Packaging] resync git-ubuntu-log", " - [Packaging] update variants", " * MGLRU: kswapd uses 100% CPU when MGLRU is enabled and under memory pressure", " (LP: #2087886)", " - mm/mglru: only clear kswapd_failures if reclaimable", " * CVE-2024-50264", " - vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans", " * CVE-2024-53057", " - net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT", " * CVE-2024-49967", " - ext4: no need to continue when the number of entries is 1", "" ], "package": "linux-riscv", "version": "6.8.0-51.52.1", "urgency": "medium", "distributions": "noble", 
"launchpad_bugs_fixed": [ 2090364, 2090369, 1786013, 2087886 ], "author": "Emil Renner Berthing ", "date": "Mon, 09 Dec 2024 16:25:59 +0100" }, { "cves": [ { "cve": "CVE-2024-46823", "url": "https://ubuntu.com/security/CVE-2024-46823", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: kunit/overflow: Fix UB in overflow_allocation_test The 'device_name' array doesn't exist out of the 'overflow_allocation_test' function scope. However, it is being used as a driver name when calling 'kunit_driver_create' from 'kunit_device_register'. It produces the kernel panic with KASAN enabled. Since this variable is used in one place only, remove it and pass the device name into kunit_device_register directly as an ascii string.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46834", "url": "https://ubuntu.com/security/CVE-2024-46834", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ethtool: fail closed if we can't get max channel used in indirection tables Commit 0d1b7d6c9274 (\"bnxt: fix crashes when reducing ring count with active RSS contexts\") proves that allowing indirection table to contain channels with out of bounds IDs may lead to crashes. Currently the max channel check in the core gets skipped if driver can't fetch the indirection table or when we can't allocate memory. 
Both of those conditions should be extremely rare but if they do happen we should try to be safe and fail the channel change.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46751", "url": "https://ubuntu.com/security/CVE-2024-46751", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: don't BUG_ON() when 0 reference count at btrfs_lookup_extent_info() Instead of doing a BUG_ON() handle the error by returning -EUCLEAN, aborting the transaction and logging an error message.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46753", "url": "https://ubuntu.com/security/CVE-2024-46753", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: handle errors from btrfs_dec_ref() properly In walk_up_proc() we BUG_ON(ret) from btrfs_dec_ref(). This is incorrect, we have proper error handling here, return the error.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46841", "url": "https://ubuntu.com/security/CVE-2024-46841", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: don't BUG_ON on ENOMEM from btrfs_lookup_extent_info() in walk_down_proc() We handle errors here properly, ENOMEM isn't fatal, return the error.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46754", "url": "https://ubuntu.com/security/CVE-2024-46754", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Remove tst_run from lwt_seg6local_prog_ops. The syzbot reported that the lwt_seg6 related BPF ops can be invoked via bpf_test_run() without entering input_action_end_bpf() first. 
Martin KaFai Lau said that self test for BPF_PROG_TYPE_LWT_SEG6LOCAL probably didn't work since it was introduced in commit 04d4b274e2a (\"ipv6: sr: Add seg6local action End.BPF\"). The reason is that the per-CPU variable seg6_bpf_srh_states::srh is never assigned in the self test case but each BPF function expects it. Remove test_run for BPF_PROG_TYPE_LWT_SEG6LOCAL.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46824", "url": "https://ubuntu.com/security/CVE-2024-46824", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: iommufd: Require drivers to supply the cache_invalidate_user ops If drivers don't do this then iommufd will oops invalidation ioctls with something like: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info: ESR = 0x0000000086000004 EC = 0x21: IABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault user pgtable: 4k pages, 48-bit VAs, pgdp=0000000101059000 [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP Modules linked in: CPU: 2 PID: 371 Comm: qemu-system-aar Not tainted 6.8.0-rc7-gde77230ac23a #9 Hardware name: linux,dummy-virt (DT) pstate: 81400809 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=-c) pc : 0x0 lr : iommufd_hwpt_invalidate+0xa4/0x204 sp : ffff800080f3bcc0 x29: ffff800080f3bcf0 x28: ffff0000c369b300 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000 x23: 0000000000000000 x22: 00000000c1e334a0 x21: ffff0000c1e334a0 x20: ffff800080f3bd38 x19: ffff800080f3bd58 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff8240d6d8 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 x8 : 0000001000000002 x7 : 0000fffeac1ec950 x6 : 0000000000000000 x5 : 
ffff800080f3bd78 x4 : 0000000000000003 x3 : 0000000000000002 x2 : 0000000000000000 x1 : ffff800080f3bcc8 x0 : ffff0000c6034d80 Call trace: 0x0 iommufd_fops_ioctl+0x154/0x274 __arm64_sys_ioctl+0xac/0xf0 invoke_syscall+0x48/0x110 el0_svc_common.constprop.0+0x40/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xb4 el0t_64_sync_handler+0x120/0x12c el0t_64_sync+0x190/0x194 All existing drivers implement this op for nesting, this is mostly a bisection aid.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46842", "url": "https://ubuntu.com/security/CVE-2024-46842", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Handle mailbox timeouts in lpfc_get_sfp_info The MBX_TIMEOUT return code is not handled in lpfc_get_sfp_info and the routine unconditionally frees submitted mailbox commands regardless of return status. The issue is that for MBX_TIMEOUT cases, when firmware returns SFP information at a later time, that same mailbox memory region references previously freed memory in its cmpl routine. Fix by adding checks for the MBX_TIMEOUT return code. During mailbox resource cleanup, check the mbox flag to make sure that the wait did not timeout. If the MBOX_WAKE flag is not set, then do not free the resources because it will be freed when firmware completes the mailbox at a later time in its cmpl routine. Also, increase the timeout from 30 to 60 seconds to accommodate boot scripts requiring longer timeouts.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46766", "url": "https://ubuntu.com/security/CVE-2024-46766", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ice: move netif_queue_set_napi to rtnl-protected sections Currently, netif_queue_set_napi() is called from ice_vsi_rebuild() that is not rtnl-locked when called from the reset. 
This creates the need to take the rtnl_lock just for a single function and complicates the synchronization with .ndo_bpf. At the same time, there no actual need to fill napi-to-queue information at this exact point. Fill napi-to-queue information when opening the VSI and clear it when the VSI is being closed. Those routines are already rtnl-locked. Also, rewrite napi-to-queue assignment in a way that prevents inclusion of XDP queues, as this leads to out-of-bounds writes, such as one below. [ +0.000004] BUG: KASAN: slab-out-of-bounds in netif_queue_set_napi+0x1c2/0x1e0 [ +0.000012] Write of size 8 at addr ffff889881727c80 by task bash/7047 [ +0.000006] CPU: 24 PID: 7047 Comm: bash Not tainted 6.10.0-rc2+ #2 [ +0.000004] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0014.082620210524 08/26/2021 [ +0.000003] Call Trace: [ +0.000003] [ +0.000002] dump_stack_lvl+0x60/0x80 [ +0.000007] print_report+0xce/0x630 [ +0.000007] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ +0.000007] ? __virt_addr_valid+0x1c9/0x2c0 [ +0.000005] ? netif_queue_set_napi+0x1c2/0x1e0 [ +0.000003] kasan_report+0xe9/0x120 [ +0.000004] ? netif_queue_set_napi+0x1c2/0x1e0 [ +0.000004] netif_queue_set_napi+0x1c2/0x1e0 [ +0.000005] ice_vsi_close+0x161/0x670 [ice] [ +0.000114] ice_dis_vsi+0x22f/0x270 [ice] [ +0.000095] ice_pf_dis_all_vsi.constprop.0+0xae/0x1c0 [ice] [ +0.000086] ice_prepare_for_reset+0x299/0x750 [ice] [ +0.000087] pci_dev_save_and_disable+0x82/0xd0 [ +0.000006] pci_reset_function+0x12d/0x230 [ +0.000004] reset_store+0xa0/0x100 [ +0.000006] ? __pfx_reset_store+0x10/0x10 [ +0.000002] ? __pfx_mutex_lock+0x10/0x10 [ +0.000004] ? __check_object_size+0x4c1/0x640 [ +0.000007] kernfs_fop_write_iter+0x30b/0x4a0 [ +0.000006] vfs_write+0x5d6/0xdf0 [ +0.000005] ? fd_install+0x180/0x350 [ +0.000005] ? __pfx_vfs_write+0x10/0xA10 [ +0.000004] ? do_fcntl+0x52c/0xcd0 [ +0.000004] ? kasan_save_track+0x13/0x60 [ +0.000003] ? 
kasan_save_free_info+0x37/0x60 [ +0.000006] ksys_write+0xfa/0x1d0 [ +0.000003] ? __pfx_ksys_write+0x10/0x10 [ +0.000002] ? __x64_sys_fcntl+0x121/0x180 [ +0.000004] ? _raw_spin_lock+0x87/0xe0 [ +0.000005] do_syscall_64+0x80/0x170 [ +0.000007] ? _raw_spin_lock+0x87/0xe0 [ +0.000004] ? __pfx__raw_spin_lock+0x10/0x10 [ +0.000003] ? file_close_fd_locked+0x167/0x230 [ +0.000005] ? syscall_exit_to_user_mode+0x7d/0x220 [ +0.000005] ? do_syscall_64+0x8c/0x170 [ +0.000004] ? do_syscall_64+0x8c/0x170 [ +0.000003] ? do_syscall_64+0x8c/0x170 [ +0.000003] ? fput+0x1a/0x2c0 [ +0.000004] ? filp_close+0x19/0x30 [ +0.000004] ? do_dup2+0x25a/0x4c0 [ +0.000004] ? __x64_sys_dup2+0x6e/0x2e0 [ +0.000002] ? syscall_exit_to_user_mode+0x7d/0x220 [ +0.000004] ? do_syscall_64+0x8c/0x170 [ +0.000003] ? __count_memcg_events+0x113/0x380 [ +0.000005] ? handle_mm_fault+0x136/0x820 [ +0.000005] ? do_user_addr_fault+0x444/0xa80 [ +0.000004] ? clear_bhb_loop+0x25/0x80 [ +0.000004] ? clear_bhb_loop+0x25/0x80 [ +0.000002] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ +0.000005] RIP: 0033:0x7f2033593154", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46772", "url": "https://ubuntu.com/security/CVE-2024-46772", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check denominator crb_pipes before used [WHAT & HOW] A denominator cannot be 0, and is checked before used. 
This fixes 2 DIVIDE_BY_ZERO issues reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46774", "url": "https://ubuntu.com/security/CVE-2024-46774", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() Smatch warns: arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential spectre issue 'args.args' [r] (local cap) The 'nargs' and 'nret' locals come directly from a user-supplied buffer and are used as indexes into a small stack-based array and as inputs to copy_to_user() after they are subject to bounds checks. Use array_index_nospec() after the bounds checks to clamp these values for speculative execution.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46775", "url": "https://ubuntu.com/security/CVE-2024-46775", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Validate function returns [WHAT & HOW] Function return values must be checked before data can be used in subsequent functions. This fixes 4 CHECKED_RETURN issues reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46778", "url": "https://ubuntu.com/security/CVE-2024-46778", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check UnboundedRequestEnabled's value CalculateSwathAndDETConfiguration_params_st's UnboundedRequestEnabled is a pointer (i.e. dml_bool_t *UnboundedRequestEnabled), and thus if (p->UnboundedRequestEnabled) checks its address, not bool value. 
This fixes 1 REVERSE_INULL issue reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46779", "url": "https://ubuntu.com/security/CVE-2024-46779", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/imagination: Free pvr_vm_gpuva after unlink This caused a measurable memory leak. Although the individual allocations are small, the leaks occur in a high-usage codepath (remapping or unmapping device memory) so they add up quickly.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46792", "url": "https://ubuntu.com/security/CVE-2024-46792", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: riscv: misaligned: Restrict user access to kernel memory raw_copy_{to,from}_user() do not call access_ok(), so this code allowed userspace to access any virtual memory address.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46793", "url": "https://ubuntu.com/security/CVE-2024-46793", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards harder Since commit 13f58267cda3 (\"ASoC: soc.h: don't create dummy Component via COMP_DUMMY()\") dummy codecs declared like this: SND_SOC_DAILINK_DEF(dummy, DAILINK_COMP_ARRAY(COMP_DUMMY())); expand to: static struct snd_soc_dai_link_component dummy[] = { }; Which means that dummy is a zero sized array and thus dais[i].codecs should not be dereferenced *at all* since it points to the address of the next variable stored in the data section as the \"dummy\" variable has an address but no size, so even dereferencing dais[0] is already an out of bounds array reference. 
Which means that the if (dais[i].codecs->name) check added in commit 7d99a70b6595 (\"ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards\") relies on that the part of the next variable which the name member maps to just happens to be NULL. Which apparently so far it usually is, except when it isn't and then it results in crashes like this one: [ 28.795659] BUG: unable to handle page fault for address: 0000000000030011 ... [ 28.795780] Call Trace: [ 28.795787] ... [ 28.795862] ? strcmp+0x18/0x40 [ 28.795872] 0xffffffffc150c605 [ 28.795887] platform_probe+0x40/0xa0 ... [ 28.795979] ? __pfx_init_module+0x10/0x10 [snd_soc_sst_bytcr_wm5102] Really fix things this time around by checking dais.num_codecs != 0.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46735", "url": "https://ubuntu.com/security/CVE-2024-46735", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ublk_drv: fix NULL pointer dereference in ublk_ctrl_start_recovery() When two UBLK_CMD_START_USER_RECOVERY commands are submitted, the first one sets 'ubq->ubq_daemon' to NULL, and the second one triggers WARN in ublk_queue_reinit() and subsequently a NULL pointer dereference issue. Fix it by adding the check in ublk_ctrl_start_recovery() and return immediately in case of zero 'ub->nr_queues_ready'. BUG: kernel NULL pointer dereference, address: 0000000000000028 RIP: 0010:ublk_ctrl_start_recovery.constprop.0+0x82/0x180 Call Trace: ? __die+0x20/0x70 ? page_fault_oops+0x75/0x170 ? exc_page_fault+0x64/0x140 ? asm_exc_page_fault+0x22/0x30 ? ublk_ctrl_start_recovery.constprop.0+0x82/0x180 ublk_ctrl_uring_cmd+0x4f7/0x6c0 ? pick_next_task_idle+0x26/0x40 io_uring_cmd+0x9a/0x1b0 io_issue_sqe+0x193/0x3f0 io_wq_submit_work+0x9b/0x390 io_worker_handle_work+0x165/0x360 io_wq_worker+0xcb/0x2f0 ? finish_task_switch.isra.0+0x203/0x290 ? finish_task_switch.isra.0+0x203/0x290 ? __pfx_io_wq_worker+0x10/0x10 ret_from_fork+0x2d/0x50 ? 
__pfx_io_wq_worker+0x10/0x10 ret_from_fork_asm+0x1a/0x30 ", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46737", "url": "https://ubuntu.com/security/CVE-2024-46737", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix kernel crash if commands allocation fails If the commands allocation fails in nvmet_tcp_alloc_cmds() the kernel crashes in nvmet_tcp_release_queue_work() because of a NULL pointer dereference. nvmet: failed to install queue 0 cntlid 1 ret 6 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 Fix the bug by setting queue->nr_cmds to zero in case nvmet_tcp_alloc_cmd() fails.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46822", "url": "https://ubuntu.com/security/CVE-2024-46822", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry In a review discussion of the changes to support vCPU hotplug where a check was added on the GICC being enabled if was online, it was noted that there is need to map back to the cpu and use that to index into a cpumask. As such, a valid ID is needed. If an MPIDR check fails in acpi_map_gic_cpu_interface() it is possible for the entry in cpu_madt_gicc[cpu] == NULL. This function would then cause a NULL pointer dereference. Whilst a path to trigger this has not been established, harden this caller against the possibility.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46713", "url": "https://ubuntu.com/security/CVE-2024-46713", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: perf/aux: Fix AUX buffer serialization Ole reported that event->mmap_mutex is strictly insufficient to serialize the AUX buffer, add a per RB mutex to fully serialize it. 
Note that in the lock order comment the perf_event::mmap_mutex order was already wrong, that is, its nesting under mmap_lock is not new with this patch.", "cve_priority": "medium", "cve_public_date": "2024-09-13 15:15:00 UTC" }, { "cve": "CVE-2024-46739", "url": "https://ubuntu.com/security/CVE-2024-46739", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind For primary VM Bus channels, primary_channel pointer is always NULL. This pointer is valid only for the secondary channels. Also, rescind callback is meant for primary channels only. Fix NULL pointer dereference by retrieving the device_obj from the parent for the primary channel.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46740", "url": "https://ubuntu.com/security/CVE-2024-46740", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF caused by offsets overwrite Binder objects are processed and copied individually into the target buffer during transactions. Any raw data in-between these objects is copied as well. However, this raw data copy lacks an out-of-bounds check. If the raw data exceeds the data section size then the copy overwrites the offsets section. This eventually triggers an error that attempts to unwind the processed objects. However, at this point the offsets used to index these objects are now corrupted. Unwinding with corrupted offsets can result in decrements of arbitrary nodes and lead to their premature release. Other users of such nodes are left with a dangling pointer triggering a use-after-free. 
This issue is made evident by the following KASAN report (trimmed): ================================================================== BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c Write of size 4 at addr ffff47fc91598f04 by task binder-util/743 CPU: 9 UID: 0 PID: 743 Comm: binder-util Not tainted 6.11.0-rc4 #1 Hardware name: linux,dummy-virt (DT) Call trace: _raw_spin_lock+0xe4/0x19c binder_free_buf+0x128/0x434 binder_thread_write+0x8a4/0x3260 binder_ioctl+0x18f0/0x258c [...] Allocated by task 743: __kmalloc_cache_noprof+0x110/0x270 binder_new_node+0x50/0x700 binder_transaction+0x413c/0x6da8 binder_thread_write+0x978/0x3260 binder_ioctl+0x18f0/0x258c [...] Freed by task 745: kfree+0xbc/0x208 binder_thread_read+0x1c5c/0x37d4 binder_ioctl+0x16d8/0x258c [...] ================================================================== To avoid this issue, let's check that the raw data copy is within the boundaries of the data section.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46741", "url": "https://ubuntu.com/security/CVE-2024-46741", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix double free of 'buf' in error path smatch warning: drivers/misc/fastrpc.c:1926 fastrpc_req_mmap() error: double free of 'buf' In fastrpc_req_mmap() error path, the fastrpc buffer is freed in fastrpc_req_munmap_impl() if unmap is successful. But in the end, there is an unconditional call to fastrpc_buf_free(). So the above case triggers the double free of fastrpc buf.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-47663", "url": "https://ubuntu.com/security/CVE-2024-47663", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: staging: iio: frequency: ad9834: Validate frequency parameter value In ad9834_write_frequency() clk_get_rate() can return 0. 
In such case ad9834_calc_freqreg() call will lead to division by zero. Checking 'if (fout > (clk_freq / 2))' doesn't protect in case of 'fout' is 0. ad9834_write_frequency() is called from ad9834_write(), where fout is taken from text buffer, which can contain any value. Modify parameters checking. Found by Linux Verification Center (linuxtesting.org) with SVACE.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46832", "url": "https://ubuntu.com/security/CVE-2024-46832", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: MIPS: cevt-r4k: Don't call get_c0_compare_int if timer irq is installed This avoids warning: [ 0.118053] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:283 Caused by get_c0_compare_int on secondary CPU. We also skipped saving IRQ number to struct clock_event_device *cd as it's never used by clockevent core, as per comments it's only meant for \"non CPU local devices\".", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-47668", "url": "https://ubuntu.com/security/CVE-2024-47668", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc() If we need to increase the tree depth, allocate a new node, and then race with another thread that increased the tree depth before us, we'll still have a preallocated node that might be used later. 
If we then use that node for a new non-root node, it'll still have a pointer to the old root instead of being zeroed - fix this by zeroing it in the cmpxchg failure path.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46744", "url": "https://ubuntu.com/security/CVE-2024-46744", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Squashfs: sanity check symbolic link size Syzkiller reports a \"KMSAN: uninit-value in pick_link\" bug. This is caused by an uninitialised page, which is ultimately caused by a corrupted symbolic link size read from disk. The reason why the corrupted symlink size causes an uninitialised page is due to the following sequence of events: 1. squashfs_read_inode() is called to read the symbolic link from disk. This assigns the corrupted value 3875536935 to inode->i_size. 2. Later squashfs_symlink_read_folio() is called, which assigns this corrupted value to the length variable, which being a signed int, overflows producing a negative number. 3. The following loop that fills in the page contents checks that the copied bytes is less than length, which being negative means the loop is skipped, producing an uninitialised page. This patch adds a sanity check which checks that the symbolic link size is not larger than expected. -- V2: fix spelling mistake.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46745", "url": "https://ubuntu.com/security/CVE-2024-46745", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Input: uinput - reject requests with unreasonable number of slots When exercising uinput interface syzkaller may try setting up device with a really large number of slots, which causes memory allocation failure in input_mt_init_slots(). While this allocation failure is handled properly and request is rejected, it results in syzkaller reports. 
Additionally, such request may put undue burden on the system which will try to free a lot of memory for a bogus request. Fix it by limiting allowed number of slots to 100. This can easily be extended if we see devices that can track more than 100 contacts.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46746", "url": "https://ubuntu.com/security/CVE-2024-46746", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: HID: amd_sfh: free driver_data after destroying hid device HID driver callbacks aren't called anymore once hid_destroy_device() has been called. Hence, hid driver_data should be freed only after the hid_destroy_device() function returned as driver_data is used in several callbacks. I observed a crash with kernel 6.10.0 on my T14s Gen 3, after enabling KASAN to debug memory allocation, I got this output: [ 13.050438] ================================================================== [ 13.054060] BUG: KASAN: slab-use-after-free in amd_sfh_get_report+0x3ec/0x530 [amd_sfh] [ 13.054809] psmouse serio1: trackpoint: Synaptics TrackPoint firmware: 0x02, buttons: 3/3 [ 13.056432] Read of size 8 at addr ffff88813152f408 by task (udev-worker)/479 [ 13.060970] CPU: 5 PID: 479 Comm: (udev-worker) Not tainted 6.10.0-arch1-2 #1 893bb55d7f0073f25c46adbb49eb3785fefd74b0 [ 13.063978] Hardware name: LENOVO 21CQCTO1WW/21CQCTO1WW, BIOS R22ET70W (1.40 ) 03/21/2024 [ 13.067860] Call Trace: [ 13.069383] input: TPPS/2 Synaptics TrackPoint as /devices/platform/i8042/serio1/input/input8 [ 13.071486] [ 13.071492] dump_stack_lvl+0x5d/0x80 [ 13.074870] snd_hda_intel 0000:33:00.6: enabling device (0000 -> 0002) [ 13.078296] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.082199] print_report+0x174/0x505 [ 13.085776] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 13.089367] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.093255] ? 
amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.097464] kasan_report+0xc8/0x150 [ 13.101461] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.105802] amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.110303] amdtp_hid_request+0xb8/0x110 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.114879] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.119450] sensor_hub_get_feature+0x1d3/0x540 [hid_sensor_hub 3f13be3016ff415bea03008d45d99da837ee3082] [ 13.124097] hid_sensor_parse_common_attributes+0x4d0/0xad0 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5] [ 13.127404] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.131925] ? __pfx_hid_sensor_parse_common_attributes+0x10/0x10 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5] [ 13.136455] ? _raw_spin_lock_irqsave+0x96/0xf0 [ 13.140197] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 13.143602] ? devm_iio_device_alloc+0x34/0x50 [industrialio 3d261d5e5765625d2b052be40e526d62b1d2123b] [ 13.147234] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.150446] ? __devm_add_action+0x167/0x1d0 [ 13.155061] hid_gyro_3d_probe+0x120/0x7f0 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172] [ 13.158581] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.161814] platform_probe+0xa2/0x150 [ 13.165029] really_probe+0x1e3/0x8a0 [ 13.168243] __driver_probe_device+0x18c/0x370 [ 13.171500] driver_probe_device+0x4a/0x120 [ 13.175000] __driver_attach+0x190/0x4a0 [ 13.178521] ? __pfx___driver_attach+0x10/0x10 [ 13.181771] bus_for_each_dev+0x106/0x180 [ 13.185033] ? __pfx__raw_spin_lock+0x10/0x10 [ 13.188229] ? __pfx_bus_for_each_dev+0x10/0x10 [ 13.191446] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.194382] bus_add_driver+0x29e/0x4d0 [ 13.197328] driver_register+0x1a5/0x360 [ 13.200283] ? 
__pfx_hid_gyro_3d_platform_driver_init+0x10/0x10 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172] [ 13.203362] do_one_initcall+0xa7/0x380 [ 13.206432] ? __pfx_do_one_initcall+0x10/0x10 [ 13.210175] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.213211] ? kasan_unpoison+0x44/0x70 [ 13.216688] do_init_module+0x238/0x750 [ 13.2196 ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-47664", "url": "https://ubuntu.com/security/CVE-2024-47664", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: spi: hisi-kunpeng: Add verification for the max_frequency provided by the firmware If the value of max_speed_hz is 0, it may cause a division by zero error in hisi_calc_effective_speed(). The value of max_speed_hz is provided by firmware. Firmware is generally considered as a trusted domain. However, as division by zero errors can cause system failure, for defense measure, the value of max_speed is validated here. So 0 is regarded as invalid and an error code is returned.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-47665", "url": "https://ubuntu.com/security/CVE-2024-47665", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Error out instead on BUG_ON() in IBI DMA setup Definitely condition dma_get_cache_alignment * defined value > 256 during driver initialization is not reason to BUG_ON(). 
Turn that to graceful error out with -EINVAL.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46749", "url": "https://ubuntu.com/security/CVE-2024-46749", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btnxpuart: Fix Null pointer dereference in btnxpuart_flush() This adds a check before freeing the rx->skb in flush and close functions to handle the kernel crash seen while removing driver after FW download fails or before FW download completes. dmesg log: [ 54.634586] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000080 [ 54.643398] Mem abort info: [ 54.646204] ESR = 0x0000000096000004 [ 54.649964] EC = 0x25: DABT (current EL), IL = 32 bits [ 54.655286] SET = 0, FnV = 0 [ 54.658348] EA = 0, S1PTW = 0 [ 54.661498] FSC = 0x04: level 0 translation fault [ 54.666391] Data abort info: [ 54.669273] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 54.674768] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 54.674771] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 54.674775] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000048860000 [ 54.674780] [0000000000000080] pgd=0000000000000000, p4d=0000000000000000 [ 54.703880] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 54.710152] Modules linked in: btnxpuart(-) overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce polyval_generic snd_soc_imx_spdif snd_soc_imx_card snd_soc_ak5558 snd_soc_ak4458 caam secvio error snd_soc_fsl_micfil snd_soc_fsl_spdif snd_soc_fsl_sai snd_soc_fsl_utils imx_pcm_dma gpio_ir_recv rc_core sch_fq_codel fuse [ 54.744357] CPU: 3 PID: 72 Comm: kworker/u9:0 Not tainted 6.6.3-otbr-g128004619037 #2 [ 54.744364] Hardware name: FSL i.MX8MM EVK board (DT) [ 54.744368] Workqueue: hci0 hci_power_on [ 54.757244] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 54.757249] pc : kfree_skb_reason+0x18/0xb0 
[ 54.772299] lr : btnxpuart_flush+0x40/0x58 [btnxpuart] [ 54.782921] sp : ffff8000805ebca0 [ 54.782923] x29: ffff8000805ebca0 x28: ffffa5c6cf1869c0 x27: ffffa5c6cf186000 [ 54.782931] x26: ffff377b84852400 x25: ffff377b848523c0 x24: ffff377b845e7230 [ 54.782938] x23: ffffa5c6ce8dbe08 x22: ffffa5c6ceb65410 x21: 00000000ffffff92 [ 54.782945] x20: ffffa5c6ce8dbe98 x19: ffffffffffffffac x18: ffffffffffffffff [ 54.807651] x17: 0000000000000000 x16: ffffa5c6ce2824ec x15: ffff8001005eb857 [ 54.821917] x14: 0000000000000000 x13: ffffa5c6cf1a02e0 x12: 0000000000000642 [ 54.821924] x11: 0000000000000040 x10: ffffa5c6cf19d690 x9 : ffffa5c6cf19d688 [ 54.821931] x8 : ffff377b86000028 x7 : 0000000000000000 x6 : 0000000000000000 [ 54.821938] x5 : ffff377b86000000 x4 : 0000000000000000 x3 : 0000000000000000 [ 54.843331] x2 : 0000000000000000 x1 : 0000000000000002 x0 : ffffffffffffffac [ 54.857599] Call trace: [ 54.857601] kfree_skb_reason+0x18/0xb0 [ 54.863878] btnxpuart_flush+0x40/0x58 [btnxpuart] [ 54.863888] hci_dev_open_sync+0x3a8/0xa04 [ 54.872773] hci_power_on+0x54/0x2e4 [ 54.881832] process_one_work+0x138/0x260 [ 54.881842] worker_thread+0x32c/0x438 [ 54.881847] kthread+0x118/0x11c [ 54.881853] ret_from_fork+0x10/0x20 [ 54.896406] Code: a9be7bfd 910003fd f9000bf3 aa0003f3 (b940d400) [ 54.896410] ---[ end trace 0000000000000000 ]---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46750", "url": "https://ubuntu.com/security/CVE-2024-46750", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: PCI: Add missing bridge lock to pci_bus_lock() One of the true positives that the cfg_access_lock lockdep effort identified is this sequence: WARNING: CPU: 14 PID: 1 at drivers/pci/pci.c:4886 pci_bridge_secondary_bus_reset+0x5d/0x70 RIP: 0010:pci_bridge_secondary_bus_reset+0x5d/0x70 Call Trace: ? __warn+0x8c/0x190 ? pci_bridge_secondary_bus_reset+0x5d/0x70 ? report_bug+0x1f8/0x200 ? handle_bug+0x3c/0x70 ? 
exc_invalid_op+0x18/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? pci_bridge_secondary_bus_reset+0x5d/0x70 pci_reset_bus+0x1d8/0x270 vmd_probe+0x778/0xa10 pci_device_probe+0x95/0x120 Where pci_reset_bus() users are triggering unlocked secondary bus resets. Ironically pci_bus_reset(), several calls down from pci_reset_bus(), uses pci_bus_lock() before issuing the reset which locks everything *but* the bridge itself. For the same motivation as adding: bridge = pci_upstream_bridge(dev); if (bridge) pci_dev_lock(bridge); to pci_reset_function() for the \"bus\" and \"cxl_bus\" reset cases, add pci_dev_lock() for @bus->self to pci_bus_lock(). [bhelgaas: squash in recursive locking deadlock fix from Keith Busch: https://lore.kernel.org/r/20240711193650.701834-1-kbusch@meta.com]", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46752", "url": "https://ubuntu.com/security/CVE-2024-46752", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: replace BUG_ON() with error handling at update_ref_for_cow() Instead of a BUG_ON() just return an error, log an error message and abort the transaction in case we find an extent buffer belonging to the relocation tree that doesn't have the full backref flag set. This is unexpected and should never happen (save for bugs or a potential bad memory).", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46840", "url": "https://ubuntu.com/security/CVE-2024-46840", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: clean up our handling of refs == 0 in snapshot delete In reada we BUG_ON(refs == 0), which could be unkind since we aren't holding a lock on the extent leaf and thus could get a transient incorrect answer. In walk_down_proc we also BUG_ON(refs == 0), which could happen if we have extent tree corruption. Change that to return -EUCLEAN. 
In do_walk_down() we catch this case and handle it correctly, however we return -EIO, which -EUCLEAN is a more appropriate error code. Finally in walk_up_proc we have the same BUG_ON(refs == 0), so convert that to proper error handling. Also adjust the error message so we can actually do something with the information.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46755", "url": "https://ubuntu.com/security/CVE-2024-46755", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id() mwifiex_get_priv_by_id() returns the priv pointer corresponding to the bss_num and bss_type, but without checking if the priv is actually currently in use. Unused priv pointers do not have a wiphy attached to them which can lead to NULL pointer dereferences further down the callstack. Fix this by returning only used priv pointers which have priv->bss_mode set to something else than NL80211_IFTYPE_UNSPECIFIED. 
Said NULL pointer dereference happened when an Accesspoint was started with wpa_supplicant -i mlan0 with this config: network={ ssid=\"somessid\" mode=2 frequency=2412 key_mgmt=WPA-PSK WPA-PSK-SHA256 proto=RSN group=CCMP pairwise=CCMP psk=\"12345678\" } When waiting for the AP to be established, interrupting wpa_supplicant with and starting it again this happens: | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000140 | Mem abort info: | ESR = 0x0000000096000004 | EC = 0x25: DABT (current EL), IL = 32 bits | SET = 0, FnV = 0 | EA = 0, S1PTW = 0 | FSC = 0x04: level 0 translation fault | Data abort info: | ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 | CM = 0, WnR = 0, TnD = 0, TagAccess = 0 | GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000046d96000 | [0000000000000140] pgd=0000000000000000, p4d=0000000000000000 | Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP | Modules linked in: caam_jr caamhash_desc spidev caamalg_desc crypto_engine authenc libdes mwifiex_sdio +mwifiex crct10dif_ce cdc_acm onboard_usb_hub fsl_imx8_ddr_perf imx8m_ddrc rtc_ds1307 lm75 rtc_snvs +imx_sdma caam imx8mm_thermal spi_imx error imx_cpufreq_dt fuse ip_tables x_tables ipv6 | CPU: 0 PID: 8 Comm: kworker/0:1 Not tainted 6.9.0-00007-g937242013fce-dirty #18 | Hardware name: somemachine (DT) | Workqueue: events sdio_irq_work | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) | pc : mwifiex_get_cfp+0xd8/0x15c [mwifiex] | lr : mwifiex_get_cfp+0x34/0x15c [mwifiex] | sp : ffff8000818b3a70 | x29: ffff8000818b3a70 x28: ffff000006bfd8a5 x27: 0000000000000004 | x26: 000000000000002c x25: 0000000000001511 x24: 0000000002e86bc9 | x23: ffff000006bfd996 x22: 0000000000000004 x21: ffff000007bec000 | x20: 000000000000002c x19: 0000000000000000 x18: 0000000000000000 | x17: 000000040044ffff x16: 00500072b5503510 x15: ccc283740681e517 | x14: 0201000101006d15 x13: 0000000002e8ff43 x12: 002c01000000ffb1 | x11: 
0100000000000000 x10: 02e8ff43002c0100 x9 : 0000ffb100100157 | x8 : ffff000003d20000 x7 : 00000000000002f1 x6 : 00000000ffffe124 | x5 : 0000000000000001 x4 : 0000000000000003 x3 : 0000000000000000 | x2 : 0000000000000000 x1 : 0001000000011001 x0 : 0000000000000000 | Call trace: | mwifiex_get_cfp+0xd8/0x15c [mwifiex] | mwifiex_parse_single_response_buf+0x1d0/0x504 [mwifiex] | mwifiex_handle_event_ext_scan_report+0x19c/0x2f8 [mwifiex] | mwifiex_process_sta_event+0x298/0xf0c [mwifiex] | mwifiex_process_event+0x110/0x238 [mwifiex] | mwifiex_main_process+0x428/0xa44 [mwifiex] | mwifiex_sdio_interrupt+0x64/0x12c [mwifiex_sdio] | process_sdio_pending_irqs+0x64/0x1b8 | sdio_irq_work+0x4c/0x7c | process_one_work+0x148/0x2a0 | worker_thread+0x2fc/0x40c | kthread+0x110/0x114 | ret_from_fork+0x10/0x20 | Code: a94153f3 a8c37bfd d50323bf d65f03c0 (f940a000) | ---[ end trace 0000000000000000 ]---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-47666", "url": "https://ubuntu.com/security/CVE-2024-47666", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: pm80xx: Set phy->enable_completion only when we wait for it pm8001_phy_control() populates the enable_completion pointer with a stack address, sends a PHY_LINK_RESET / PHY_HARD_RESET, waits 300 ms, and returns. The problem arises when a phy control response comes late. After 300 ms the pm8001_phy_control() function returns and the passed enable_completion stack address is no longer valid. 
Late phy control response invokes complete() on a dangling enable_completion pointer which leads to a kernel crash.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46843", "url": "https://ubuntu.com/security/CVE-2024-46843", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Remove SCSI host only if added If host tries to remove ufshcd driver from a UFS device it would cause a kernel panic if ufshcd_async_scan fails during ufshcd_probe_hba before adding a SCSI host with scsi_add_host and MCQ is enabled since SCSI host has been deferred after MCQ configuration introduced by commit 0cab4023ec7b (\"scsi: ufs: core: Defer adding host to SCSI if MCQ is supported\"). To guarantee that SCSI host is removed only if it has been added, set the scsi_host_added flag to true after adding a SCSI host and check whether it is set or not before removing it.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46760", "url": "https://ubuntu.com/security/CVE-2024-46760", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: usb: schedule rx work after everything is set up Right now it's possible to hit NULL pointer dereference in rtw_rx_fill_rx_status on hw object and/or its fields because initialization routine can start getting USB replies before rtw_dev is fully set up. The stack trace looks like this: rtw_rx_fill_rx_status rtw8821c_query_rx_desc rtw_usb_rx_handler ... queue_work rtw_usb_read_port_complete ... usb_submit_urb rtw_usb_rx_resubmit rtw_usb_init_rx rtw_usb_probe So while we do the async stuff rtw_usb_probe continues and calls rtw_register_hw, which does all kinds of initialization (e.g. via ieee80211_register_hw) that rtw_rx_fill_rx_status relies on. Fix this by moving the first usb_submit_urb after everything is set up. 
For me, this bug manifested as: [ 8.893177] rtw_8821cu 1-1:1.2: band wrong, packet dropped [ 8.910904] rtw_8821cu 1-1:1.2: hw->conf.chandef.chan NULL in rtw_rx_fill_rx_status because I'm using Larry's backport of rtw88 driver with the NULL checks in rtw_rx_fill_rx_status.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46761", "url": "https://ubuntu.com/security/CVE-2024-46761", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv The hotplug driver for powerpc (pci/hotplug/pnv_php.c) causes a kernel crash when we try to hot-unplug/disable the PCIe switch/bridge from the PHB. The crash occurs because although the MSI data structure has been released during disable/hot-unplug path and it has been assigned with NULL, still during unregistration the code was again trying to explicitly disable the MSI which causes the NULL pointer dereference and kernel crash. 
The patch fixes the check during unregistration path to prevent invoking pci_disable_msi/msix() since its data structure is already freed.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46844", "url": "https://ubuntu.com/security/CVE-2024-46844", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: um: line: always fill *error_out in setup_one_line() The pointer isn't initialized by callers, but I have encountered cases where it's still printed; initialize it in all possible cases in setup_one_line().", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46762", "url": "https://ubuntu.com/security/CVE-2024-46762", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xen: privcmd: Fix possible access to a freed kirqfd instance Nothing prevents simultaneous ioctl calls to privcmd_irqfd_assign() and privcmd_irqfd_deassign(). If that happens, it is possible that a kirqfd created and added to the irqfds_list by privcmd_irqfd_assign() may get removed by another thread executing privcmd_irqfd_deassign(), while the former is still using it after dropping the locks. This can lead to a situation where an already freed kirqfd instance may be accessed and cause kernel oops. Use SRCU locking to prevent the same, as is done for the KVM implementation for irqfds.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46763", "url": "https://ubuntu.com/security/CVE-2024-46763", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fou: Fix null-ptr-deref in GRO. We observed a null-ptr-deref in fou_gro_receive() while shutting down a host. [0] The NULL pointer is sk->sk_user_data, and the offset 8 is of protocol in struct fou. 
When fou_release() is called due to netns dismantle or explicit tunnel teardown, udp_tunnel_sock_release() sets NULL to sk->sk_user_data. Then, the tunnel socket is destroyed after a single RCU grace period. So, in-flight udp4_gro_receive() could find the socket and execute the FOU GRO handler, where sk->sk_user_data could be NULL. Let's use rcu_dereference_sk_user_data() in fou_from_sock() and add NULL checks in FOU GRO handlers. [0]: BUG: kernel NULL pointer dereference, address: 0000000000000008 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 80000001032f4067 P4D 80000001032f4067 PUD 103240067 PMD 0 SMP PTI CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.216-204.855.amzn2.x86_64 #1 Hardware name: Amazon EC2 c5.large/, BIOS 1.0 10/16/2017 RIP: 0010:fou_gro_receive (net/ipv4/fou.c:233) [fou] Code: 41 5f c3 cc cc cc cc e8 e7 2e 69 f4 0f 1f 80 00 00 00 00 0f 1f 44 00 00 49 89 f8 41 54 48 89 f7 48 89 d6 49 8b 80 88 02 00 00 <0f> b6 48 08 0f b7 42 4a 66 25 fd fd 80 cc 02 66 89 42 4a 0f b6 42 RSP: 0018:ffffa330c0003d08 EFLAGS: 00010297 RAX: 0000000000000000 RBX: ffff93d9e3a6b900 RCX: 0000000000000010 RDX: ffff93d9e3a6b900 RSI: ffff93d9e3a6b900 RDI: ffff93dac2e24d08 RBP: ffff93d9e3a6b900 R08: ffff93dacbce6400 R09: 0000000000000002 R10: 0000000000000000 R11: ffffffffb5f369b0 R12: ffff93dacbce6400 R13: ffff93dac2e24d08 R14: 0000000000000000 R15: ffffffffb4edd1c0 FS: 0000000000000000(0000) GS:ffff93daee800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 0000000102140001 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259) ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420) ? no_context (arch/x86/mm/fault.c:752) ? 
exc_page_fault (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 arch/x86/mm/fault.c:1435 arch/x86/mm/fault.c:1483) ? asm_exc_page_fault (arch/x86/include/asm/idtentry.h:571) ? fou_gro_receive (net/ipv4/fou.c:233) [fou] udp_gro_receive (include/linux/netdevice.h:2552 net/ipv4/udp_offload.c:559) udp4_gro_receive (net/ipv4/udp_offload.c:604) inet_gro_receive (net/ipv4/af_inet.c:1549 (discriminator 7)) dev_gro_receive (net/core/dev.c:6035 (discriminator 4)) napi_gro_receive (net/core/dev.c:6170) ena_clean_rx_irq (drivers/amazon/net/ena/ena_netdev.c:1558) [ena] ena_io_poll (drivers/amazon/net/ena/ena_netdev.c:1742) [ena] napi_poll (net/core/dev.c:6847) net_rx_action (net/core/dev.c:6917) __do_softirq (arch/x86/include/asm/jump_label.h:25 include/linux/jump_label.h:200 include/trace/events/irq.h:142 kernel/softirq.c:299) asm_call_irq_on_stack (arch/x86/entry/entry_64.S:809) do_softirq_own_stack (arch/x86/include/asm/irq_stack.h:27 arch/x86/include/asm/irq_stack.h:77 arch/x86/kernel/irq_64.c:77) irq_exit_rcu (kernel/softirq.c:393 kernel/softirq.c:423 kernel/softirq.c:435) common_interrupt (arch/x86/kernel/irq.c:239) asm_common_interrupt (arch/x86/include/asm/idtentry.h:626) RIP: 0010:acpi_idle_do_entry (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 drivers/acpi/processor_idle.c:114 drivers/acpi/processor_idle.c:575) Code: 8b 15 d1 3c c4 02 ed c3 cc cc cc cc 65 48 8b 04 25 40 ef 01 00 48 8b 00 a8 08 75 eb 0f 1f 44 00 00 0f 00 2d d5 09 55 00 fb f4 c3 cc cc cc cc e9 be fc ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 RSP: 0018:ffffffffb5603e58 EFLAGS: 00000246 RAX: 0000000000004000 RBX: ffff93dac0929c00 RCX: ffff93daee833900 RDX: ffff93daee800000 RSI: ffff93d ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46765", "url": "https://ubuntu.com/security/CVE-2024-46765", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ice: protect XDP 
configuration with a mutex The main threat to data consistency in ice_xdp() is a possible asynchronous PF reset. It can be triggered by a user or by TX timeout handler. XDP setup and PF reset code access the same resources in the following sections: * ice_vsi_close() in ice_prepare_for_reset() - already rtnl-locked * ice_vsi_rebuild() for the PF VSI - not protected * ice_vsi_open() - already rtnl-locked With an unfortunate timing, such accesses can result in a crash such as the one below: [ +1.999878] ice 0000:b1:00.0: Registered XDP mem model MEM_TYPE_XSK_BUFF_POOL on Rx ring 14 [ +2.002992] ice 0000:b1:00.0: Registered XDP mem model MEM_TYPE_XSK_BUFF_POOL on Rx ring 18 [Mar15 18:17] ice 0000:b1:00.0 ens801f0np0: NETDEV WATCHDOG: CPU: 38: transmit queue 14 timed out 80692736 ms [ +0.000093] ice 0000:b1:00.0 ens801f0np0: tx_timeout: VSI_num: 6, Q 14, NTC: 0x0, HW_HEAD: 0x0, NTU: 0x0, INT: 0x4000001 [ +0.000012] ice 0000:b1:00.0 ens801f0np0: tx_timeout recovery level 1, txqueue 14 [ +0.394718] ice 0000:b1:00.0: PTP reset successful [ +0.006184] BUG: kernel NULL pointer dereference, address: 0000000000000098 [ +0.000045] #PF: supervisor read access in kernel mode [ +0.000023] #PF: error_code(0x0000) - not-present page [ +0.000023] PGD 0 P4D 0 [ +0.000018] Oops: 0000 [#1] PREEMPT SMP NOPTI [ +0.000023] CPU: 38 PID: 7540 Comm: kworker/38:1 Not tainted 6.8.0-rc7 #1 [ +0.000031] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0014.082620210524 08/26/2021 [ +0.000036] Workqueue: ice ice_service_task [ice] [ +0.000183] RIP: 0010:ice_clean_tx_ring+0xa/0xd0 [ice] [...] [ +0.000013] Call Trace: [ +0.000016] [ +0.000014] ? __die+0x1f/0x70 [ +0.000029] ? page_fault_oops+0x171/0x4f0 [ +0.000029] ? schedule+0x3b/0xd0 [ +0.000027] ? exc_page_fault+0x7b/0x180 [ +0.000022] ? asm_exc_page_fault+0x22/0x30 [ +0.000031] ? 
ice_clean_tx_ring+0xa/0xd0 [ice] [ +0.000194] ice_free_tx_ring+0xe/0x60 [ice] [ +0.000186] ice_destroy_xdp_rings+0x157/0x310 [ice] [ +0.000151] ice_vsi_decfg+0x53/0xe0 [ice] [ +0.000180] ice_vsi_rebuild+0x239/0x540 [ice] [ +0.000186] ice_vsi_rebuild_by_type+0x76/0x180 [ice] [ +0.000145] ice_rebuild+0x18c/0x840 [ice] [ +0.000145] ? delay_tsc+0x4a/0xc0 [ +0.000022] ? delay_tsc+0x92/0xc0 [ +0.000020] ice_do_reset+0x140/0x180 [ice] [ +0.000886] ice_service_task+0x404/0x1030 [ice] [ +0.000824] process_one_work+0x171/0x340 [ +0.000685] worker_thread+0x277/0x3a0 [ +0.000675] ? preempt_count_add+0x6a/0xa0 [ +0.000677] ? _raw_spin_lock_irqsave+0x23/0x50 [ +0.000679] ? __pfx_worker_thread+0x10/0x10 [ +0.000653] kthread+0xf0/0x120 [ +0.000635] ? __pfx_kthread+0x10/0x10 [ +0.000616] ret_from_fork+0x2d/0x50 [ +0.000612] ? __pfx_kthread+0x10/0x10 [ +0.000604] ret_from_fork_asm+0x1b/0x30 [ +0.000604] The previous way of handling this through returning -EBUSY is not viable, particularly when destroying AF_XDP socket, because the kernel proceeds with removal anyway. There is plenty of code between those calls and there is no need to create a large critical section that covers all of them, same as there is no need to protect ice_vsi_rebuild() with rtnl_lock(). Add xdp_state_lock mutex to protect ice_vsi_rebuild() and ice_xdp(). Leaving unprotected sections in between would result in two states that have to be considered: 1. when the VSI is closed, but not yet rebuild 2. when VSI is already rebuild, but not yet open The latter case is actually already handled through !netif_running() case, we just need to adjust flag checking a little. The former one is not as trivial, because between ice_vsi_close() and ice_vsi_rebuild(), a lot of hardware interaction happens, this can make adding/deleting rings exit with an error. Luckily, VSI rebuild is pending and can apply new configuration for us in a managed fashion. 
Therefore, add an additional VSI state flag ICE_VSI_REBUILD_PENDING to indicate that ice_x ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46767", "url": "https://ubuntu.com/security/CVE-2024-46767", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: phy: Fix missing of_node_put() for leds The call of of_get_child_by_name() will cause refcount incremented for leds, if it succeeds, it should call of_node_put() to decrease it, fix it.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46768", "url": "https://ubuntu.com/security/CVE-2024-46768", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (hp-wmi-sensors) Check if WMI event data exists The BIOS can choose to return no event data in response to a WMI event, so the ACPI object passed to the WMI notify handler can be NULL. Check for such a situation and ignore the event in such a case.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46770", "url": "https://ubuntu.com/security/CVE-2024-46770", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ice: Add netif_device_attach/detach into PF reset flow Ethtool callbacks can be executed while reset is in progress and try to access deleted resources, e.g. getting coalesce settings can result in a NULL pointer dereference seen below. 
Reproduction steps: Once the driver is fully initialized, trigger reset: \t# echo 1 > /sys/class/net//device/reset when reset is in progress try to get coalesce settings using ethtool: \t# ethtool -c BUG: kernel NULL pointer dereference, address: 0000000000000020 PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP PTI CPU: 11 PID: 19713 Comm: ethtool Tainted: G S 6.10.0-rc7+ #7 RIP: 0010:ice_get_q_coalesce+0x2e/0xa0 [ice] RSP: 0018:ffffbab1e9bcf6a8 EFLAGS: 00010206 RAX: 000000000000000c RBX: ffff94512305b028 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff9451c3f2e588 RDI: ffff9451c3f2e588 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: ffff9451c3f2e580 R11: 000000000000001f R12: ffff945121fa9000 R13: ffffbab1e9bcf760 R14: 0000000000000013 R15: ffffffff9e65dd40 FS: 00007faee5fbe740(0000) GS:ffff94546fd80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000020 CR3: 0000000106c2e005 CR4: 00000000001706f0 Call Trace: ice_get_coalesce+0x17/0x30 [ice] coalesce_prepare_data+0x61/0x80 ethnl_default_doit+0xde/0x340 genl_family_rcv_msg_doit+0xf2/0x150 genl_rcv_msg+0x1b3/0x2c0 netlink_rcv_skb+0x5b/0x110 genl_rcv+0x28/0x40 netlink_unicast+0x19c/0x290 netlink_sendmsg+0x222/0x490 __sys_sendto+0x1df/0x1f0 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x82/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7faee60d8e27 Calling netif_device_detach() before reset makes the net core not call the driver when ethtool command is issued, the attempt to execute an ethtool command during reset will result in the following message: netlink error: No such device instead of NULL pointer dereference. 
Once reset is done and ice_rebuild() is executing, the netif_device_attach() is called to allow for ethtool operations to occur again in a safe manner.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46771", "url": "https://ubuntu.com/security/CVE-2024-46771", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: can: bcm: Remove proc entry when dev is unregistered. syzkaller reported a warning in bcm_connect() below. [0] The repro calls connect() to vxcan1, removes vxcan1, and calls connect() with ifindex == 0. Calling connect() for a BCM socket allocates a proc entry. Then, bcm_sk(sk)->bound is set to 1 to prevent further connect(). However, removing the bound device resets bcm_sk(sk)->bound to 0 in bcm_notify(). The 2nd connect() tries to allocate a proc entry with the same name and sets NULL to bcm_sk(sk)->bcm_proc_read, leaking the original proc entry. Since the proc entry is available only for connect()ed sockets, let's clean up the entry when the bound netdev is unregistered. 
[0]: proc_dir_entry 'can-bcm/2456' already registered WARNING: CPU: 1 PID: 394 at fs/proc/generic.c:376 proc_register+0x645/0x8f0 fs/proc/generic.c:375 Modules linked in: CPU: 1 PID: 394 Comm: syz-executor403 Not tainted 6.10.0-rc7-g852e42cc2dd4 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:proc_register+0x645/0x8f0 fs/proc/generic.c:375 Code: 00 00 00 00 00 48 85 ed 0f 85 97 02 00 00 4d 85 f6 0f 85 9f 02 00 00 48 c7 c7 9b cb cf 87 48 89 de 4c 89 fa e8 1c 6f eb fe 90 <0f> 0b 90 90 48 c7 c7 98 37 99 89 e8 cb 7e 22 05 bb 00 00 00 10 48 RSP: 0018:ffa0000000cd7c30 EFLAGS: 00010246 RAX: 9e129be1950f0200 RBX: ff1100011b51582c RCX: ff1100011857cd80 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002 RBP: 0000000000000000 R08: ffd400000000000f R09: ff1100013e78cac0 R10: ffac800000cd7980 R11: ff1100013e12b1f0 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: ff1100011a99a2ec FS: 00007fbd7086f740(0000) GS:ff1100013fd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000200071c0 CR3: 0000000118556004 CR4: 0000000000771ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: proc_create_net_single+0x144/0x210 fs/proc/proc_net.c:220 bcm_connect+0x472/0x840 net/can/bcm.c:1673 __sys_connect_file net/socket.c:2049 [inline] __sys_connect+0x5d2/0x690 net/socket.c:2066 __do_sys_connect net/socket.c:2076 [inline] __se_sys_connect net/socket.c:2073 [inline] __x64_sys_connect+0x8f/0x100 net/socket.c:2073 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd9/0x1c0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7fbd708b0e5d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 
48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48 RSP: 002b:00007fff8cd33f08 EFLAGS: 00000246 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fbd708b0e5d RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000040 R09: 0000000000000040 R10: 0000000000000040 R11: 0000000000000246 R12: 00007fff8cd34098 R13: 0000000000401280 R14: 0000000000406de8 R15: 00007fbd70ab9000 remove_proc_entry: removing non-empty directory 'net/can-bcm', leaking at least '2456'", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46773", "url": "https://ubuntu.com/security/CVE-2024-46773", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check denominator pbn_div before used [WHAT & HOW] A denominator cannot be 0, and is checked before used. This fixes 1 DIVIDE_BY_ZERO issue reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-47667", "url": "https://ubuntu.com/security/CVE-2024-47667", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0) Errata #i2037 in AM65x/DRA80xM Processors Silicon Revision 1.0 (SPRZ452D_July 2018_Revised December 2019 [1]) mentions when an inbound PCIe TLP spans more than two internal AXI 128-byte bursts, the bus may corrupt the packet payload and the corrupt data may cause associated applications or the processor to hang. The workaround for Errata #i2037 is to limit the maximum read request size and maximum payload size to 128 bytes. Add workaround for Errata #i2037 here. The errata and workaround is applicable only to AM65x SR 1.0 and later versions of the silicon will have this fixed. 
[1] -> https://www.ti.com/lit/er/sprz452i/sprz452i.pdf", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46835", "url": "https://ubuntu.com/security/CVE-2024-46835", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix smatch static checker warning adev->gfx.imu.funcs could be NULL", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46776", "url": "https://ubuntu.com/security/CVE-2024-46776", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Run DC_LOG_DC after checking link->link_enc [WHAT] The DC_LOG_DC should be run after link->link_enc is checked, not before. This fixes 1 REVERSE_INULL issue reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46836", "url": "https://ubuntu.com/security/CVE-2024-46836", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: usb: gadget: aspeed_udc: validate endpoint index for ast udc We should verify the bounds of the array to ensure that the host cannot manipulate the index to point past the endpoint array. Found by static analysis.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46777", "url": "https://ubuntu.com/security/CVE-2024-46777", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: udf: Avoid excessive partition lengths Avoid mounting filesystems where the partition would overflow the 32-bits used for block number. 
Also refuse to mount filesystems where the partition length is so large we cannot safely index bits in a block bitmap.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46825", "url": "https://ubuntu.com/security/CVE-2024-46825", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: use IWL_FW_CHECK for link ID check The lookup function iwl_mvm_rcu_fw_link_id_to_link_conf() is normally called with input from the firmware, so it should use IWL_FW_CHECK() instead of WARN_ON().", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46826", "url": "https://ubuntu.com/security/CVE-2024-46826", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ELF: fix kernel.randomize_va_space double read ELF loader uses \"randomize_va_space\" twice. It is sysctl and can change at any moment, so 2 loads could see 2 different values in theory with unpredictable consequences. Issue exactly one load for consistent value across one exec.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46827", "url": "https://ubuntu.com/security/CVE-2024-46827", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix firmware crash due to invalid peer nss Currently, if the access point receives an association request containing an Extended HE Capabilities Information Element with an invalid MCS-NSS, it triggers a firmware crash. This issue arises when EHT-PHY capabilities shows support for a bandwidth and MCS-NSS set for that particular bandwidth is filled by zeros and due to this, driver obtains peer_nss as 0 and sending this value to firmware causes crash. Address this issue by implementing a validation step for the peer_nss value before passing it to the firmware. 
If the value is greater than zero, proceed with forwarding it to the firmware. However, if the value is invalid, reject the association request to prevent potential firmware crashes. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-47669", "url": "https://ubuntu.com/security/CVE-2024-47669", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix state management in error path of log writing function After commit a694291a6211 (\"nilfs2: separate wait function from nilfs_segctor_write\") was applied, the log writing function nilfs_segctor_do_construct() was able to issue I/O requests continuously even if user data blocks were split into multiple logs across segments, but two potential flaws were introduced in its error handling. First, if nilfs_segctor_begin_construction() fails while creating the second or subsequent logs, the log writing function returns without calling nilfs_segctor_abort_construction(), so the writeback flag set on pages/folios will remain uncleared. This causes page cache operations to hang waiting for the writeback flag. For example, truncate_inode_pages_final(), which is called via nilfs_evict_inode() when an inode is evicted from memory, will hang. Second, the NILFS_I_COLLECTED flag set on normal inodes remain uncleared. As a result, if the next log write involves checkpoint creation, that's fine, but if a partial log write is performed that does not, inodes with NILFS_I_COLLECTED set are erroneously removed from the \"sc_dirty_files\" list, and their data and b-tree blocks may not be written to the device, corrupting the block mapping. 
Fix these issues by uniformly calling nilfs_segctor_abort_construction() on failure of each step in the loop in nilfs_segctor_do_construct(), having it clean up logs and segment usages according to progress, and correcting the conditions for calling nilfs_redirty_inodes() to ensure that the NILFS_I_COLLECTED flag is cleared.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46780", "url": "https://ubuntu.com/security/CVE-2024-46780", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nilfs2: protect references to superblock parameters exposed in sysfs The superblock buffers of nilfs2 can not only be overwritten at runtime for modifications/repairs, but they are also regularly swapped, replaced during resizing, and even abandoned when degrading to one side due to backing device issues. So, accessing them requires mutual exclusion using the reader/writer semaphore \"nilfs->ns_sem\". Some sysfs attribute show methods read this superblock buffer without the necessary mutual exclusion, which can cause problems with pointer dereferencing and memory access, so fix it.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46781", "url": "https://ubuntu.com/security/CVE-2024-46781", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix missing cleanup on rollforward recovery error In an error injection test of a routine for mount-time recovery, KASAN found a use-after-free bug. It turned out that if data recovery was performed using partial logs created by dsync writes, but an error occurred before starting the log writer to create a recovered checkpoint, the inodes whose data had been recovered were left in the ns_dirty_files list of the nilfs object and were not freed. 
Fix this issue by cleaning up inodes that have read the recovery data if the recovery routine fails midway before the log writer starts.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46828", "url": "https://ubuntu.com/security/CVE-2024-46828", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sched: sch_cake: fix bulk flow accounting logic for host fairness In sch_cake, we keep track of the count of active bulk flows per host, when running in dst/src host fairness mode, which is used as the round-robin weight when iterating through flows. The count of active bulk flows is updated whenever a flow changes state. This has a peculiar interaction with the hash collision handling: when a hash collision occurs (after the set-associative hashing), the state of the hash bucket is simply updated to match the new packet that collided, and if host fairness is enabled, that also means assigning new per-host state to the flow. For this reason, the bulk flow counters of the host(s) assigned to the flow are decremented, before new state is assigned (and the counters, which may not belong to the same host anymore, are incremented again). Back when this code was introduced, the host fairness mode was always enabled, so the decrement was unconditional. When the configuration flags were introduced the *increment* was made conditional, but the *decrement* was not. Which of course can lead to a spurious decrement (and associated wrap-around to U16_MAX). AFAICT, when host fairness is disabled, the decrement and wrap-around happens as soon as a hash collision occurs (which is not that common in itself, due to the set-associative hashing). However, in most cases this is harmless, as the value is only used when host fairness mode is enabled. 
So in order to trigger an array overflow, sch_cake has to first be configured with host fairness disabled, and while running in this mode, a hash collision has to occur to cause the overflow. Then, the qdisc has to be reconfigured to enable host fairness, which leads to the array out-of-bounds because the wrapped-around value is retained and used as an array index. It seems that syzbot managed to trigger this, which is quite impressive in its own right. This patch fixes the issue by introducing the same conditional check on decrement as is used on increment. The original bug predates the upstreaming of cake, but the commit listed in the Fixes tag touched that code, meaning that this patch won't apply before that.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46782", "url": "https://ubuntu.com/security/CVE-2024-46782", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ila: call nf_unregister_net_hooks() sooner syzbot found an use-after-free Read in ila_nf_input [1] Issue here is that ila_xlat_exit_net() frees the rhashtable, then call nf_unregister_net_hooks(). It should be done in the reverse way, with a synchronize_rcu(). This is a good match for a pre_exit() method. 
[1] BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline] BUG: KASAN: use-after-free in __rhashtable_lookup include/linux/rhashtable.h:604 [inline] BUG: KASAN: use-after-free in rhashtable_lookup include/linux/rhashtable.h:646 [inline] BUG: KASAN: use-after-free in rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 Read of size 4 at addr ffff888064620008 by task ksoftirqd/0/16 CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.11.0-rc4-syzkaller-00238-g2ad6d23f465a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 rht_key_hashfn include/linux/rhashtable.h:159 [inline] __rhashtable_lookup include/linux/rhashtable.h:604 [inline] rhashtable_lookup include/linux/rhashtable.h:646 [inline] rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline] ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline] ila_nf_input+0x1fe/0x3c0 net/ipv6/ila/ila_xlat.c:190 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312 __netif_receive_skb_one_core net/core/dev.c:5661 [inline] __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5775 process_backlog+0x662/0x15b0 net/core/dev.c:6108 __napi_poll+0xcb/0x490 net/core/dev.c:6772 napi_poll net/core/dev.c:6841 [inline] net_rx_action+0x89b/0x1240 net/core/dev.c:6963 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554 run_ksoftirqd+0xca/0x130 kernel/softirq.c:928 smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 
arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64620 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: 0xbfffffff(buddy) raw: 00fff00000000000 ffffea0000959608 ffffea00019d9408 0000000000000000 raw: 0000000000000000 0000000000000003 00000000bfffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 5242, tgid 5242 (syz-executor), ts 73611328570, free_ts 618981657187 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493 prep_new_page mm/page_alloc.c:1501 [inline] get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3439 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4695 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline] alloc_pages_node_noprof include/linux/gfp.h:296 [inline] ___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4103 __kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4130 __do_kmalloc_node mm/slub.c:4146 [inline] __kmalloc_node_noprof+0x2d2/0x440 mm/slub.c:4164 __kvmalloc_node_noprof+0x72/0x190 mm/util.c:650 bucket_table_alloc lib/rhashtable.c:186 [inline] rhashtable_init_noprof+0x534/0xa60 lib/rhashtable.c:1071 ila_xlat_init_net+0xa0/0x110 net/ipv6/ila/ila_xlat.c:613 ops_ini ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46783", "url": "https://ubuntu.com/security/CVE-2024-46783", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp_bpf: fix return value of tcp_bpf_sendmsg() When we cork messages in psock->cork, the last message triggers the flushing will result in sending a sk_msg larger than the current message size. 
In this case, in tcp_bpf_send_verdict(), 'copied' becomes negative at least in the following case: 468 case __SK_DROP: 469 default: 470 sk_msg_free_partial(sk, msg, tosend); 471 sk_msg_apply_bytes(psock, tosend); 472 *copied -= (tosend + delta); // <==== HERE 473 return -EACCES; Therefore, it could lead to the following BUG with a proper value of 'copied' (thanks to syzbot). We should not use negative 'copied' as a return value here. ------------[ cut here ]------------ kernel BUG at net/socket.c:733! Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP Modules linked in: CPU: 0 UID: 0 PID: 3265 Comm: syz-executor510 Not tainted 6.11.0-rc3-syzkaller-00060-gd07b43284ab3 #0 Hardware name: linux,dummy-virt (DT) pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) pc : sock_sendmsg_nosec net/socket.c:733 [inline] pc : sock_sendmsg_nosec net/socket.c:728 [inline] pc : __sock_sendmsg+0x5c/0x60 net/socket.c:745 lr : sock_sendmsg_nosec net/socket.c:730 [inline] lr : __sock_sendmsg+0x54/0x60 net/socket.c:745 sp : ffff800088ea3b30 x29: ffff800088ea3b30 x28: fbf00000062bc900 x27: 0000000000000000 x26: ffff800088ea3bc0 x25: ffff800088ea3bc0 x24: 0000000000000000 x23: f9f00000048dc000 x22: 0000000000000000 x21: ffff800088ea3d90 x20: f9f00000048dc000 x19: ffff800088ea3d90 x18: 0000000000000001 x17: 0000000000000000 x16: 0000000000000000 x15: 000000002002ffaf x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: ffff8000815849c0 x9 : ffff8000815b49c0 x8 : 0000000000000000 x7 : 000000000000003f x6 : 0000000000000000 x5 : 00000000000007e0 x4 : fff07ffffd239000 x3 : fbf00000062bc900 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 00000000fffffdef Call trace: sock_sendmsg_nosec net/socket.c:733 [inline] __sock_sendmsg+0x5c/0x60 net/socket.c:745 ____sys_sendmsg+0x274/0x2ac net/socket.c:2597 ___sys_sendmsg+0xac/0x100 net/socket.c:2651 __sys_sendmsg+0x84/0xe0 net/socket.c:2680 __do_sys_sendmsg net/socket.c:2689 [inline] 
__se_sys_sendmsg net/socket.c:2687 [inline] __arm64_sys_sendmsg+0x24/0x30 net/socket.c:2687 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x48/0x110 arch/arm64/kernel/syscall.c:49 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151 el0_svc+0x34/0xec arch/arm64/kernel/entry-common.c:712 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598 Code: f9404463 d63f0060 3108441f 54fffe81 (d4210000) ---[ end trace 0000000000000000 ]---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46784", "url": "https://ubuntu.com/security/CVE-2024-46784", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup Currently napi_disable() gets called during rxq and txq cleanup, even before napi is enabled and hrtimer is initialized. It causes kernel panic. ? page_fault_oops+0x136/0x2b0 ? page_counter_cancel+0x2e/0x80 ? do_user_addr_fault+0x2f2/0x640 ? refill_obj_stock+0xc4/0x110 ? exc_page_fault+0x71/0x160 ? asm_exc_page_fault+0x27/0x30 ? __mmdrop+0x10/0x180 ? __mmdrop+0xec/0x180 ? hrtimer_active+0xd/0x50 hrtimer_try_to_cancel+0x2c/0xf0 hrtimer_cancel+0x15/0x30 napi_disable+0x65/0x90 mana_destroy_rxq+0x4c/0x2f0 mana_create_rxq.isra.0+0x56c/0x6d0 ? mana_uncfg_vport+0x50/0x50 mana_alloc_queues+0x21b/0x320 ? 
skb_dequeue+0x5f/0x80", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46785", "url": "https://ubuntu.com/security/CVE-2024-46785", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: eventfs: Use list_del_rcu() for SRCU protected list variable Chi Zhiling reported: We found a null pointer accessing in tracefs[1], the reason is that the variable 'ei_child' is set to LIST_POISON1, that means the list was removed in eventfs_remove_rec. so when access the ei_child->is_freed, the panic triggered. by the way, the following script can reproduce this panic loop1 (){ while true do echo \"p:kp submit_bio\" > /sys/kernel/debug/tracing/kprobe_events echo \"\" > /sys/kernel/debug/tracing/kprobe_events done } loop2 (){ while true do tree /sys/kernel/debug/tracing/events/kprobes/ done } loop1 & loop2 [1]: [ 1147.959632][T17331] Unable to handle kernel paging request at virtual address dead000000000150 [ 1147.968239][T17331] Mem abort info: [ 1147.971739][T17331] ESR = 0x0000000096000004 [ 1147.976172][T17331] EC = 0x25: DABT (current EL), IL = 32 bits [ 1147.982171][T17331] SET = 0, FnV = 0 [ 1147.985906][T17331] EA = 0, S1PTW = 0 [ 1147.989734][T17331] FSC = 0x04: level 0 translation fault [ 1147.995292][T17331] Data abort info: [ 1147.998858][T17331] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 1148.005023][T17331] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 1148.010759][T17331] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 1148.016752][T17331] [dead000000000150] address between user and kernel address ranges [ 1148.024571][T17331] Internal error: Oops: 0000000096000004 [#1] SMP [ 1148.030825][T17331] Modules linked in: team_mode_loadbalance team nlmon act_gact cls_flower sch_ingress bonding tls macvlan dummy ib_core bridge stp llc veth amdgpu amdxcp mfd_core gpu_sched drm_exec drm_buddy radeon crct10dif_ce video drm_suballoc_helper ghash_ce drm_ttm_helper sha2_ce ttm sha256_arm64 i2c_algo_bit 
sha1_ce sbsa_gwdt cp210x drm_display_helper cec sr_mod cdrom drm_kms_helper binfmt_misc sg loop fuse drm dm_mod nfnetlink ip_tables autofs4 [last unloaded: tls] [ 1148.072808][T17331] CPU: 3 PID: 17331 Comm: ls Tainted: G W ------- ---- 6.6.43 #2 [ 1148.081751][T17331] Source Version: 21b3b386e948bedd29369af66f3e98ab01b1c650 [ 1148.088783][T17331] Hardware name: Greatwall GW-001M1A-FTF/GW-001M1A-FTF, BIOS KunLun BIOS V4.0 07/16/2020 [ 1148.098419][T17331] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 1148.106060][T17331] pc : eventfs_iterate+0x2c0/0x398 [ 1148.111017][T17331] lr : eventfs_iterate+0x2fc/0x398 [ 1148.115969][T17331] sp : ffff80008d56bbd0 [ 1148.119964][T17331] x29: ffff80008d56bbf0 x28: ffff001ff5be2600 x27: 0000000000000000 [ 1148.127781][T17331] x26: ffff001ff52ca4e0 x25: 0000000000009977 x24: dead000000000100 [ 1148.135598][T17331] x23: 0000000000000000 x22: 000000000000000b x21: ffff800082645f10 [ 1148.143415][T17331] x20: ffff001fddf87c70 x19: ffff80008d56bc90 x18: 0000000000000000 [ 1148.151231][T17331] x17: 0000000000000000 x16: 0000000000000000 x15: ffff001ff52ca4e0 [ 1148.159048][T17331] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 1148.166864][T17331] x11: 0000000000000000 x10: 0000000000000000 x9 : ffff8000804391d0 [ 1148.174680][T17331] x8 : 0000000180000000 x7 : 0000000000000018 x6 : 0000aaab04b92862 [ 1148.182498][T17331] x5 : 0000aaab04b92862 x4 : 0000000080000000 x3 : 0000000000000068 [ 1148.190314][T17331] x2 : 000000000000000f x1 : 0000000000007ea8 x0 : 0000000000000001 [ 1148.198131][T17331] Call trace: [ 1148.201259][T17331] eventfs_iterate+0x2c0/0x398 [ 1148.205864][T17331] iterate_dir+0x98/0x188 [ 1148.210036][T17331] __arm64_sys_getdents64+0x78/0x160 [ 1148.215161][T17331] invoke_syscall+0x78/0x108 [ 1148.219593][T17331] el0_svc_common.constprop.0+0x48/0xf0 [ 1148.224977][T17331] do_el0_svc+0x24/0x38 [ 1148.228974][T17331] el0_svc+0x40/0x168 [ 1148.232798][T17 ---truncated---", 
"cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46786", "url": "https://ubuntu.com/security/CVE-2024-46786", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF The fscache_cookie_lru_timer is initialized when the fscache module is inserted, but is not deleted when the fscache module is removed. If timer_reduce() is called before removing the fscache module, the fscache_cookie_lru_timer will be added to the timer list of the current cpu. Afterwards, a use-after-free will be triggered in the softIRQ after removing the fscache module, as follows: ================================================================== BUG: unable to handle page fault for address: fffffbfff803c9e9 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 21ffea067 P4D 21ffea067 PUD 21ffe6067 PMD 110a7c067 PTE 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G W 6.11.0-rc3 #855 Tainted: [W]=WARN RIP: 0010:__run_timer_base.part.0+0x254/0x8a0 Call Trace: tmigr_handle_remote_up+0x627/0x810 __walk_groups.isra.0+0x47/0x140 tmigr_handle_remote+0x1fa/0x2f0 handle_softirqs+0x180/0x590 irq_exit_rcu+0x84/0xb0 sysvec_apic_timer_interrupt+0x6e/0x90 asm_sysvec_apic_timer_interrupt+0x1a/0x20 RIP: 0010:default_idle+0xf/0x20 default_idle_call+0x38/0x60 do_idle+0x2b5/0x300 cpu_startup_entry+0x54/0x60 start_secondary+0x20d/0x280 common_startup_64+0x13e/0x148 Modules linked in: [last unloaded: netfs] ================================================================== Therefore delete fscache_cookie_lru_timer when removing the fscahe module.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46787", "url": "https://ubuntu.com/security/CVE-2024-46787", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: 
userfaultfd: fix checks for huge PMDs Patch series \"userfaultfd: fix races around pmd_trans_huge() check\", v2. The pmd_trans_huge() code in mfill_atomic() is wrong in three different ways depending on kernel version: 1. The pmd_trans_huge() check is racy and can lead to a BUG_ON() (if you hit the right two race windows) - I've tested this in a kernel build with some extra mdelay() calls. See the commit message for a description of the race scenario. On older kernels (before 6.5), I think the same bug can even theoretically lead to accessing transhuge page contents as a page table if you hit the right 5 narrow race windows (I haven't tested this case). 2. As pointed out by Qi Zheng, pmd_trans_huge() is not sufficient for detecting PMDs that don't point to page tables. On older kernels (before 6.5), you'd just have to win a single fairly wide race to hit this. I've tested this on 6.1 stable by racing migration (with a mdelay() patched into try_to_migrate()) against UFFDIO_ZEROPAGE - on my x86 VM, that causes a kernel oops in ptlock_ptr(). 3. On newer kernels (>=6.5), for shmem mappings, khugepaged is allowed to yank page tables out from under us (though I haven't tested that), so I think the BUG_ON() checks in mfill_atomic() are just wrong. I decided to write two separate fixes for these (one fix for bugs 1+2, one fix for bug 3), so that the first fix can be backported to kernels affected by bugs 1+2. This patch (of 2): This fixes two issues. I discovered that the following race can occur: mfill_atomic other thread ============ ============ pmdp_get_lockless() [reads none pmd] __pte_alloc [no-op] BUG_ON(pmd_none(*dst_pmd)) I have experimentally verified this in a kernel with extra mdelay() calls; the BUG_ON(pmd_none(*dst_pmd)) triggers. 
On kernels newer than commit 0d940a9b270b (\"mm/pgtable: allow pte_offset_map[_lock]() to fail\"), this can't lead to anything worse than a BUG_ON(), since the page table access helpers are actually designed to deal with page tables concurrently disappearing; but on older kernels (<=6.4), I think we could probably theoretically race past the two BUG_ON() checks and end up treating a hugepage as a page table. The second issue is that, as Qi Zheng pointed out, there are other types of huge PMDs that pmd_trans_huge() can't catch: devmap PMDs and swap PMDs (in particular, migration PMDs). On <=6.4, this is worse than the first issue: If mfill_atomic() runs on a PMD that contains a migration entry (which just requires winning a single, fairly wide race), it will pass the PMD to pte_offset_map_lock(), which assumes that the PMD points to a page table. Breakage follows: First, the kernel tries to take the PTE lock (which will crash or maybe worse if there is no \"struct page\" for the address bits in the migration entry PMD - I think at least on X86 there usually is no corresponding \"struct page\" thanks to the PTE inversion mitigation, amd64 looks different). If that didn't crash, the kernel would next try to write a PTE into what it wrongly thinks is a page table. As part of fixing these issues, get rid of the check for pmd_trans_huge() before __pte_alloc() - that's redundant, we're going to have to check for that after the __pte_alloc() anyway. 
Backport note: pmdp_get_lockless() is pmd_read_atomic() in older kernels.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46838", "url": "https://ubuntu.com/security/CVE-2024-46838", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: userfaultfd: don't BUG_ON() if khugepaged yanks our page table Since khugepaged was changed to allow retracting page tables in file mappings without holding the mmap lock, these BUG_ON()s are wrong - get rid of them. We could also remove the preceding \"if (unlikely(...))\" block, but then we could reach pte_offset_map_lock() with transhuge pages not just for file mappings but also for anonymous mappings - which would probably be fine but I think is not necessarily expected.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46845", "url": "https://ubuntu.com/security/CVE-2024-46845", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tracing/timerlat: Only clear timer if a kthread exists The timerlat tracer can use user space threads to check for osnoise and timer latency. If the program using this is killed via a SIGTERM, the threads are shutdown one at a time and another tracing instance can start up resetting the threads before they are fully closed. That causes the hrtimer assigned to the kthread to be shutdown and freed twice when the dying thread finally closes the file descriptors, causing a use-after-free bug. Only cancel the hrtimer if the associated thread is still around. Also add the interface_lock around the resetting of the tlat_var->kthread. Note, this is just a quick fix that can be backported to stable. 
A real fix is to have a better synchronization between the shutdown of old threads and the starting of new ones.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46788", "url": "https://ubuntu.com/security/CVE-2024-46788", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tracing/osnoise: Use a cpumask to know what threads are kthreads The start_kthread() and stop_thread() code was not always called with the interface_lock held. This means that the kthread variable could be unexpectedly changed causing the kthread_stop() to be called on it when it should not have been, leading to: while true; do rtla timerlat top -u -q & PID=$!; sleep 5; kill -INT $PID; sleep 0.001; kill -TERM $PID; wait $PID; done Causing the following OOPS: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] CPU: 5 UID: 0 PID: 885 Comm: timerlatu/5 Not tainted 6.11.0-rc4-test-00002-gbc754cc76d1b-dirty #125 a533010b71dab205ad2f507188ce8c82203b0254 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:hrtimer_active+0x58/0x300 Code: 48 c1 ee 03 41 54 48 01 d1 48 01 d6 55 53 48 83 ec 20 80 39 00 0f 85 30 02 00 00 49 8b 6f 30 4c 8d 75 10 4c 89 f0 48 c1 e8 03 <0f> b6 3c 10 4c 89 f0 83 e0 07 83 c0 03 40 38 f8 7c 09 40 84 ff 0f RSP: 0018:ffff88811d97f940 EFLAGS: 00010202 RAX: 0000000000000002 RBX: ffff88823c6b5b28 RCX: ffffed10478d6b6b RDX: dffffc0000000000 RSI: ffffed10478d6b6c RDI: ffff88823c6b5b28 RBP: 0000000000000000 R08: ffff88823c6b5b58 R09: ffff88823c6b5b60 R10: ffff88811d97f957 R11: 0000000000000010 R12: 00000000000a801d R13: ffff88810d8b35d8 R14: 0000000000000010 R15: ffff88823c6b5b28 FS: 0000000000000000(0000) GS:ffff88823c680000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000561858ad7258 
CR3: 000000007729e001 CR4: 0000000000170ef0 Call Trace: ? die_addr+0x40/0xa0 ? exc_general_protection+0x154/0x230 ? asm_exc_general_protection+0x26/0x30 ? hrtimer_active+0x58/0x300 ? __pfx_mutex_lock+0x10/0x10 ? __pfx_locks_remove_file+0x10/0x10 hrtimer_cancel+0x15/0x40 timerlat_fd_release+0x8e/0x1f0 ? security_file_release+0x43/0x80 __fput+0x372/0xb10 task_work_run+0x11e/0x1f0 ? _raw_spin_lock+0x85/0xe0 ? __pfx_task_work_run+0x10/0x10 ? poison_slab_object+0x109/0x170 ? do_exit+0x7a0/0x24b0 do_exit+0x7bd/0x24b0 ? __pfx_migrate_enable+0x10/0x10 ? __pfx_do_exit+0x10/0x10 ? __pfx_read_tsc+0x10/0x10 ? ktime_get+0x64/0x140 ? _raw_spin_lock_irq+0x86/0xe0 do_group_exit+0xb0/0x220 get_signal+0x17ba/0x1b50 ? vfs_read+0x179/0xa40 ? timerlat_fd_read+0x30b/0x9d0 ? __pfx_get_signal+0x10/0x10 ? __pfx_timerlat_fd_read+0x10/0x10 arch_do_signal_or_restart+0x8c/0x570 ? __pfx_arch_do_signal_or_restart+0x10/0x10 ? vfs_read+0x179/0xa40 ? ksys_read+0xfe/0x1d0 ? __pfx_ksys_read+0x10/0x10 syscall_exit_to_user_mode+0xbc/0x130 do_syscall_64+0x74/0x110 ? __pfx___rseq_handle_notify_resume+0x10/0x10 ? __pfx_ksys_read+0x10/0x10 ? fpregs_restore_userregs+0xdb/0x1e0 ? fpregs_restore_userregs+0xdb/0x1e0 ? syscall_exit_to_user_mode+0x116/0x130 ? do_syscall_64+0x74/0x110 ? do_syscall_64+0x74/0x110 ? do_syscall_64+0x74/0x110 entry_SYSCALL_64_after_hwframe+0x71/0x79 RIP: 0033:0x7ff0070eca9c Code: Unable to access opcode bytes at 0x7ff0070eca72. 
RSP: 002b:00007ff006dff8c0 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00007ff0070eca9c RDX: 0000000000000400 RSI: 00007ff006dff9a0 RDI: 0000000000000003 RBP: 00007ff006dffde0 R08: 0000000000000000 R09: 00007ff000000ba0 R10: 00007ff007004b08 R11: 0000000000000246 R12: 0000000000000003 R13: 00007ff006dff9a0 R14: 0000000000000007 R15: 0000000000000008 Modules linked in: snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec snd_hwdep snd_hda_core ---[ end trace 0000000000000000 ]--- This is because it would mistakenly call kthread_stop() on a user space thread making it \"exit\" before it actually exits. Since kthread ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46846", "url": "https://ubuntu.com/security/CVE-2024-46846", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: spi: rockchip: Resolve unbalanced runtime PM / system PM handling Commit e882575efc77 (\"spi: rockchip: Suspend and resume the bus during NOIRQ_SYSTEM_SLEEP_PM ops\") stopped respecting runtime PM status and simply disabled clocks unconditionally when suspending the system. This causes problems when the device is already runtime suspended when we go to sleep -- in which case we double-disable clocks and produce a WARNing. Switch back to pm_runtime_force_{suspend,resume}(), because that still seems like the right thing to do, and the aforementioned commit makes no explanation why it stopped using it. 
Also, refactor some of the resume() error handling, because it's not actually a good idea to re-disable clocks on failure.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46847", "url": "https://ubuntu.com/security/CVE-2024-46847", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm: vmalloc: ensure vmap_block is initialised before adding to queue Commit 8c61291fd850 (\"mm: fix incorrect vbq reference in purge_fragmented_block\") extended the 'vmap_block' structure to contain a 'cpu' field which is set at allocation time to the id of the initialising CPU. When a new 'vmap_block' is being instantiated by new_vmap_block(), the partially initialised structure is added to the local 'vmap_block_queue' xarray before the 'cpu' field has been initialised. If another CPU is concurrently walking the xarray (e.g. via vm_unmap_aliases()), then it may perform an out-of-bounds access to the remote queue thanks to an uninitialised index. This has been observed as UBSAN errors in Android: | Internal error: UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP | | Call trace: | purge_fragmented_block+0x204/0x21c | _vm_unmap_aliases+0x170/0x378 | vm_unmap_aliases+0x1c/0x28 | change_memory_common+0x1dc/0x26c | set_memory_ro+0x18/0x24 | module_enable_ro+0x98/0x238 | do_init_module+0x1b0/0x310 Move the initialisation of 'vb->cpu' in new_vmap_block() ahead of the addition to the xarray.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46791", "url": "https://ubuntu.com/security/CVE-2024-46791", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open The mcp251x_hw_wake() function is called with the mpc_lock mutex held and disables the interrupt handler so that no interrupts can be processed while waking the device. 
If an interrupt has already occurred then waiting for the interrupt handler to complete will deadlock because it will be trying to acquire the same mutex. CPU0 CPU1 ---- ---- mcp251x_open() mutex_lock(&priv->mcp_lock) request_threaded_irq() mcp251x_can_ist() mutex_lock(&priv->mcp_lock) mcp251x_hw_wake() disable_irq() <-- deadlock Use disable_irq_nosync() instead because the interrupt handler does everything while holding the mutex so it doesn't matter if it's still running.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46829", "url": "https://ubuntu.com/security/CVE-2024-46829", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rtmutex: Drop rt_mutex::wait_lock before scheduling rt_mutex_handle_deadlock() is called with rt_mutex::wait_lock held. In the good case it returns with the lock held and in the deadlock case it emits a warning and goes into an endless scheduling loop with the lock held, which triggers the 'scheduling in atomic' warning. Unlock rt_mutex::wait_lock in the dead lock case before issuing the warning and dropping into the schedule for ever loop. [ tglx: Moved unlock before the WARN(), removed the pointless comment, \tmassaged changelog, added Fixes tag ]", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46848", "url": "https://ubuntu.com/security/CVE-2024-46848", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: Limit the period on Haswell Running the ltp test cve-2015-3290 concurrently reports the following warnings. perfevents: irq loop stuck! WARNING: CPU: 31 PID: 32438 at arch/x86/events/intel/core.c:3174 intel_pmu_handle_irq+0x285/0x370 Call Trace: ? __warn+0xa4/0x220 ? intel_pmu_handle_irq+0x285/0x370 ? __report_bug+0x123/0x130 ? intel_pmu_handle_irq+0x285/0x370 ? __report_bug+0x123/0x130 ? intel_pmu_handle_irq+0x285/0x370 ? report_bug+0x3e/0xa0 ? 
handle_bug+0x3c/0x70 ? exc_invalid_op+0x18/0x50 ? asm_exc_invalid_op+0x1a/0x20 ? irq_work_claim+0x1e/0x40 ? intel_pmu_handle_irq+0x285/0x370 perf_event_nmi_handler+0x3d/0x60 nmi_handle+0x104/0x330 Thanks to Thomas Gleixner's analysis, the issue is caused by the low initial period (1) of the frequency estimation algorithm, which triggers the defects of the HW, specifically erratum HSW11 and HSW143. (For the details, please refer https://lore.kernel.org/lkml/87plq9l5d2.ffs@tglx/) The HSW11 requires a period larger than 100 for the INST_RETIRED.ALL event, but the initial period in the freq mode is 1. The erratum is the same as the BDM11, which has been supported in the kernel. A minimum period of 128 is enforced as well on HSW. HSW143 is regarding that the fixed counter 1 may overcount 32 with the Hyper-Threading is enabled. However, based on the test, the hardware has more issues than it tells. Besides the fixed counter 1, the message 'interrupt took too long' can be observed on any counter which was armed with a period < 32 and two events expired in the same NMI. A minimum period of 32 is enforced for the rest of the events. The recommended workaround code of the HSW143 is not implemented. Because it only addresses the issue for the fixed counter. It brings extra overhead through extra MSR writing. No related overcounting issue has been reported so far.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46794", "url": "https://ubuntu.com/security/CVE-2024-46794", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: x86/tdx: Fix data leak in mmio_read() The mmio_read() function makes a TDVMCALL to retrieve MMIO data for an address from the VMM. Sean noticed that mmio_read() unintentionally exposes the value of an initialized variable (val) on the stack to the VMM. This variable is only needed as an output value. It did not need to be passed to the VMM in the first place. 
Do not send the original value of *val to the VMM. [ dhansen: clarify what 'val' is used for. ]", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46795", "url": "https://ubuntu.com/security/CVE-2024-46795", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: unset the binding mark of a reused connection Steve French reported null pointer dereference error from sha256 lib. cifs.ko can send session setup requests on reused connection. If reused connection is used for binding session, conn->binding can still remain true and generate_preauth_hash() will not set sess->Preauth_HashValue and it will be NULL. It is used as a material to create an encryption key in ksmbd_gen_smb311_encryptionkey. ->Preauth_HashValue cause null pointer dereference error from crypto_shash_update(). BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 8 PID: 429254 Comm: kworker/8:39 Hardware name: LENOVO 20MAS08500/20MAS08500, BIOS N2CET69W (1.52 ) Workqueue: ksmbd-io handle_ksmbd_work [ksmbd] RIP: 0010:lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3] ? show_regs+0x6d/0x80 ? __die+0x24/0x80 ? page_fault_oops+0x99/0x1b0 ? do_user_addr_fault+0x2ee/0x6b0 ? exc_page_fault+0x83/0x1b0 ? asm_exc_page_fault+0x27/0x30 ? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3] ? lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3] ? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3] ? 
__pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3] _sha256_update+0x77/0xa0 [sha256_ssse3] sha256_avx2_update+0x15/0x30 [sha256_ssse3] crypto_shash_update+0x1e/0x40 hmac_update+0x12/0x20 crypto_shash_update+0x1e/0x40 generate_key+0x234/0x380 [ksmbd] generate_smb3encryptionkey+0x40/0x1c0 [ksmbd] ksmbd_gen_smb311_encryptionkey+0x72/0xa0 [ksmbd] ntlm_authenticate.isra.0+0x423/0x5d0 [ksmbd] smb2_sess_setup+0x952/0xaa0 [ksmbd] __process_request+0xa3/0x1d0 [ksmbd] __handle_ksmbd_work+0x1c4/0x2f0 [ksmbd] handle_ksmbd_work+0x2d/0xa0 [ksmbd] process_one_work+0x16c/0x350 worker_thread+0x306/0x440 ? __pfx_worker_thread+0x10/0x10 kthread+0xef/0x120 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x44/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 ", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46797", "url": "https://ubuntu.com/security/CVE-2024-46797", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/qspinlock: Fix deadlock in MCS queue If an interrupt occurs in queued_spin_lock_slowpath() after we increment qnodesp->count and before node->lock is initialized, another CPU might see stale lock values in get_tail_qnode(). If the stale lock value happens to match the lock on that CPU, then we write to the \"next\" pointer of the wrong qnode. This causes a deadlock as the former CPU, once it becomes the head of the MCS queue, will spin indefinitely until it's \"next\" pointer is set by its successor in the queue. Running stress-ng on a 16 core (16EC/16VP) shared LPAR, results in occasional lockups similar to the following: $ stress-ng --all 128 --vm-bytes 80% --aggressive \\ --maximize --oomable --verify --syslog \\ --metrics --times --timeout 5m watchdog: CPU 15 Hard LOCKUP ...... 
NIP [c0000000000b78f4] queued_spin_lock_slowpath+0x1184/0x1490 LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90 Call Trace: 0xc000002cfffa3bf0 (unreliable) _raw_spin_lock+0x6c/0x90 raw_spin_rq_lock_nested.part.135+0x4c/0xd0 sched_ttwu_pending+0x60/0x1f0 __flush_smp_call_function_queue+0x1dc/0x670 smp_ipi_demux_relaxed+0xa4/0x100 xive_muxed_ipi_action+0x20/0x40 __handle_irq_event_percpu+0x80/0x240 handle_irq_event_percpu+0x2c/0x80 handle_percpu_irq+0x84/0xd0 generic_handle_irq+0x54/0x80 __do_irq+0xac/0x210 __do_IRQ+0x74/0xd0 0x0 do_IRQ+0x8c/0x170 hardware_interrupt_common_virt+0x29c/0x2a0 --- interrupt: 500 at queued_spin_lock_slowpath+0x4b8/0x1490 ...... NIP [c0000000000b6c28] queued_spin_lock_slowpath+0x4b8/0x1490 LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90 --- interrupt: 500 0xc0000029c1a41d00 (unreliable) _raw_spin_lock+0x6c/0x90 futex_wake+0x100/0x260 do_futex+0x21c/0x2a0 sys_futex+0x98/0x270 system_call_exception+0x14c/0x2f0 system_call_vectored_common+0x15c/0x2ec The following code flow illustrates how the deadlock occurs. For the sake of brevity, assume that both locks (A and B) are contended and we call the queued_spin_lock_slowpath() function. CPU0 CPU1 ---- ---- spin_lock_irqsave(A) | spin_unlock_irqrestore(A) | spin_lock(B) | | | ? | id = qnodesp->count++; | (Note that nodes[0].lock == A) | | | ? | Interrupt | (happens before \"nodes[0].lock = B\") | | | ? | spin_lock_irqsave(A) | | | ? | id = qnodesp->count++ | nodes[1].lock = A | | | ? | Tail of MCS queue | | spin_lock_irqsave(A) ? | Head of MCS queue ? | CPU0 is previous tail ? | Spin indefinitely ? (until \"nodes[1].next != NULL\") prev = get_tail_qnode(A, CPU0) | ? 
prev == &qnodes[CPU0].nodes[0] (as qnodes ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46830", "url": "https://ubuntu.com/security/CVE-2024-46830", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS Grab kvm->srcu when processing KVM_SET_VCPU_EVENTS, as KVM will forcibly leave nested VMX/SVM if SMM mode is being toggled, and leaving nested VMX reads guest memory. Note, kvm_vcpu_ioctl_x86_set_vcpu_events() can also be called from KVM_RUN via sync_regs(), which already holds SRCU. I.e. trying to precisely use kvm_vcpu_srcu_read_lock() around the problematic SMM code would cause problems. Acquiring SRCU isn't all that expensive, so for simplicity, grab it unconditionally for KVM_SET_VCPU_EVENTS. ============================= WARNING: suspicious RCU usage 6.10.0-rc7-332d2c1d713e-next-vm #552 Not tainted ----------------------------- include/linux/kvm_host.h:1027 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by repro/1071: #0: ffff88811e424430 (&vcpu->mutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x7d/0x970 [kvm] stack backtrace: CPU: 15 PID: 1071 Comm: repro Not tainted 6.10.0-rc7-332d2c1d713e-next-vm #552 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Call Trace: dump_stack_lvl+0x7f/0x90 lockdep_rcu_suspicious+0x13f/0x1a0 kvm_vcpu_gfn_to_memslot+0x168/0x190 [kvm] kvm_vcpu_read_guest+0x3e/0x90 [kvm] nested_vmx_load_msr+0x6b/0x1d0 [kvm_intel] load_vmcs12_host_state+0x432/0xb40 [kvm_intel] vmx_leave_nested+0x30/0x40 [kvm_intel] kvm_vcpu_ioctl_x86_set_vcpu_events+0x15d/0x2b0 [kvm] kvm_arch_vcpu_ioctl+0x1107/0x1750 [kvm] ? mark_held_locks+0x49/0x70 ? kvm_vcpu_ioctl+0x7d/0x970 [kvm] ? kvm_vcpu_ioctl+0x497/0x970 [kvm] kvm_vcpu_ioctl+0x497/0x970 [kvm] ? lock_acquire+0xba/0x2d0 ? 
find_held_lock+0x2b/0x80 ? do_user_addr_fault+0x40c/0x6f0 ? lock_release+0xb7/0x270 __x64_sys_ioctl+0x82/0xb0 do_syscall_64+0x6c/0x170 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7ff11eb1b539 ", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46798", "url": "https://ubuntu.com/security/CVE-2024-46798", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object When using kernel with the following extra config, - CONFIG_KASAN=y - CONFIG_KASAN_GENERIC=y - CONFIG_KASAN_INLINE=y - CONFIG_KASAN_VMALLOC=y - CONFIG_FRAME_WARN=4096 kernel detects that snd_pcm_suspend_all() access a freed 'snd_soc_pcm_runtime' object when the system is suspended, which leads to a use-after-free bug: [ 52.047746] BUG: KASAN: use-after-free in snd_pcm_suspend_all+0x1a8/0x270 [ 52.047765] Read of size 1 at addr ffff0000b9434d50 by task systemd-sleep/2330 [ 52.047785] Call trace: [ 52.047787] dump_backtrace+0x0/0x3c0 [ 52.047794] show_stack+0x34/0x50 [ 52.047797] dump_stack_lvl+0x68/0x8c [ 52.047802] print_address_description.constprop.0+0x74/0x2c0 [ 52.047809] kasan_report+0x210/0x230 [ 52.047815] __asan_report_load1_noabort+0x3c/0x50 [ 52.047820] snd_pcm_suspend_all+0x1a8/0x270 [ 52.047824] snd_soc_suspend+0x19c/0x4e0 The snd_pcm_sync_stop() has a NULL check on 'substream->runtime' before making any access. So we need to always set 'substream->runtime' to NULL everytime we kfree() it.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46831", "url": "https://ubuntu.com/security/CVE-2024-46831", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: microchip: vcap: Fix use-after-free error in kunit test This is a clear use-after-free error. 
We remove it, and rely on checking the return code of vcap_del_rule.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46747", "url": "https://ubuntu.com/security/CVE-2024-46747", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup report_fixup for the Cougar 500k Gaming Keyboard was not verifying that the report descriptor size was correct before accessing it", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46725", "url": "https://ubuntu.com/security/CVE-2024-46725", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix out-of-bounds write warning Check the ring type value to fix the out-of-bounds write warning", "cve_priority": "medium", "cve_public_date": "2024-09-18 07:15:00 UTC" }, { "cve": "CVE-2024-46724", "url": "https://ubuntu.com/security/CVE-2024-46724", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number Check the fb_channel_number range to avoid the array out-of-bounds read error", "cve_priority": "medium", "cve_public_date": "2024-09-18 07:15:00 UTC" }, { "cve": "CVE-2024-46723", "url": "https://ubuntu.com/security/CVE-2024-46723", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix ucode out-of-bounds read warning Clear warning that read ucode[] may out-of-bounds.", "cve_priority": "medium", "cve_public_date": "2024-09-18 07:15:00 UTC" }, { "cve": "CVE-2024-46743", "url": "https://ubuntu.com/security/CVE-2024-46743", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: of/irq: Prevent device address out-of-bounds read in interrupt map walk When of_irq_parse_raw() is invoked with a device address smaller than the interrupt parent node 
(from #address-cells property), KASAN detects the following out-of-bounds read when populating the initial match table (dyndbg=\"func of_irq_parse_* +p\"): OF: of_irq_parse_one: dev=/soc@0/picasso/watchdog, index=0 OF: parent=/soc@0/pci@878000000000/gpio0@17,0, intsize=2 OF: intspec=4 OF: of_irq_parse_raw: ipar=/soc@0/pci@878000000000/gpio0@17,0, size=2 OF: -> addrsize=3 ================================================================== BUG: KASAN: slab-out-of-bounds in of_irq_parse_raw+0x2b8/0x8d0 Read of size 4 at addr ffffff81beca5608 by task bash/764 CPU: 1 PID: 764 Comm: bash Tainted: G O 6.1.67-484c613561-nokia_sm_arm64 #1 Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.01-12.24.03-dirty 01/01/2023 Call trace: dump_backtrace+0xdc/0x130 show_stack+0x1c/0x30 dump_stack_lvl+0x6c/0x84 print_report+0x150/0x448 kasan_report+0x98/0x140 __asan_load4+0x78/0xa0 of_irq_parse_raw+0x2b8/0x8d0 of_irq_parse_one+0x24c/0x270 parse_interrupts+0xc0/0x120 of_fwnode_add_links+0x100/0x2d0 fw_devlink_parse_fwtree+0x64/0xc0 device_add+0xb38/0xc30 of_device_add+0x64/0x90 of_platform_device_create_pdata+0xd0/0x170 of_platform_bus_create+0x244/0x600 of_platform_notify+0x1b0/0x254 blocking_notifier_call_chain+0x9c/0xd0 __of_changeset_entry_notify+0x1b8/0x230 __of_changeset_apply_notify+0x54/0xe4 of_overlay_fdt_apply+0xc04/0xd94 ... 
The buggy address belongs to the object at ffffff81beca5600 which belongs to the cache kmalloc-128 of size 128 The buggy address is located 8 bytes inside of 128-byte region [ffffff81beca5600, ffffff81beca5680) The buggy address belongs to the physical page: page:00000000230d3d03 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1beca4 head:00000000230d3d03 order:1 compound_mapcount:0 compound_pincount:0 flags: 0x8000000000010200(slab|head|zone=2) raw: 8000000000010200 0000000000000000 dead000000000122 ffffff810000c300 raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffffff81beca5500: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffffff81beca5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffffff81beca5600: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffffff81beca5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffffff81beca5700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc ================================================================== OF: -> got it ! Prevent the out-of-bounds read by copying the device address into a buffer of sufficient size.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46757", "url": "https://ubuntu.com/security/CVE-2024-46757", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (nct6775-core) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. 
Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46759", "url": "https://ubuntu.com/security/CVE-2024-46759", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (adc128d818) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46758", "url": "https://ubuntu.com/security/CVE-2024-46758", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (lm95234) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46756", "url": "https://ubuntu.com/security/CVE-2024-46756", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (w83627ehf) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. 
Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46738", "url": "https://ubuntu.com/security/CVE-2024-46738", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: VMCI: Fix use-after-free when removing resource in vmci_resource_remove() When removing a resource from vmci_resource_table in vmci_resource_remove(), the search is performed using the resource handle by comparing context and resource fields. It is possible though to create two resources with different types but same handle (same context and resource fields). When trying to remove one of the resources, vmci_resource_remove() may not remove the intended one, but the object will still be freed as in the case of the datagram type in vmci_datagram_destroy_handle(). vmci_resource_table will still hold a pointer to this freed resource leading to a use-after-free vulnerability. BUG: KASAN: use-after-free in vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline] BUG: KASAN: use-after-free in vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147 Read of size 4 at addr ffff88801c16d800 by task syz-executor197/1592 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x82/0xa9 lib/dump_stack.c:106 print_address_description.constprop.0+0x21/0x366 mm/kasan/report.c:239 __kasan_report.cold+0x7f/0x132 mm/kasan/report.c:425 kasan_report+0x38/0x51 mm/kasan/report.c:442 vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline] vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147 vmci_qp_broker_detach+0x89a/0x11b9 drivers/misc/vmw_vmci/vmci_queue_pair.c:2182 ctx_free_ctx+0x473/0xbe1 drivers/misc/vmw_vmci/vmci_context.c:444 kref_put include/linux/kref.h:65 [inline] vmci_ctx_put drivers/misc/vmw_vmci/vmci_context.c:497 [inline] vmci_ctx_destroy+0x170/0x1d6 drivers/misc/vmw_vmci/vmci_context.c:195 
vmci_host_close+0x125/0x1ac drivers/misc/vmw_vmci/vmci_host.c:143 __fput+0x261/0xa34 fs/file_table.c:282 task_work_run+0xf0/0x194 kernel/task_work.c:164 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop+0x184/0x189 kernel/entry/common.c:187 exit_to_user_mode_prepare+0x11b/0x123 kernel/entry/common.c:220 __syscall_exit_to_user_mode_work kernel/entry/common.c:302 [inline] syscall_exit_to_user_mode+0x18/0x42 kernel/entry/common.c:313 do_syscall_64+0x41/0x85 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x6e/0x0 This change ensures the type is also checked when removing the resource from vmci_resource_table in vmci_resource_remove().", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46722", "url": "https://ubuntu.com/security/CVE-2024-46722", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix mc_data out-of-bounds read warning Clear warning that read mc_data[i-1] may out-of-bounds.", "cve_priority": "medium", "cve_public_date": "2024-09-18 07:15:00 UTC" }, { "cve": "CVE-2024-42284", "url": "https://ubuntu.com/security/CVE-2024-42284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tipc: Return non-zero value from tipc_udp_addr2str() on error tipc_udp_addr2str() should return non-zero value if the UDP media address is invalid. Otherwise, a buffer overflow access can occur in tipc_media_addr_printf(). Fix this by returning 1 on an invalid UDP media address.", "cve_priority": "medium", "cve_public_date": "2024-08-17 09:15:00 UTC" }, { "cve": "CVE-2024-44987", "url": "https://ubuntu.com/security/CVE-2024-44987", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent UAF in ip6_send_skb() syzbot reported an UAF in ip6_send_skb() [1] After ip6_local_out() has returned, we no longer can safely dereference rt, unless we hold rcu_read_lock(). 
A similar issue has been fixed in commit a688caa34beb (\"ipv6: take rcu lock in rawv6_send_hdrinc()\") Another potential issue in ip6_finish_output2() is handled in a separate patch. [1] BUG: KASAN: slab-use-after-free in ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964 Read of size 8 at addr ffff88806dde4858 by task syz.1.380/6530 CPU: 1 UID: 0 PID: 6530 Comm: syz.1.380 Not tainted 6.11.0-rc3-syzkaller-00306-gdf6cbc62cc9b #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964 rawv6_push_pending_frames+0x75c/0x9e0 net/ipv6/raw.c:588 rawv6_sendmsg+0x19c7/0x23c0 net/ipv6/raw.c:926 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x1a6/0x270 net/socket.c:745 sock_write_iter+0x2dd/0x400 net/socket.c:1160 do_iter_readv_writev+0x60a/0x890 vfs_writev+0x37c/0xbb0 fs/read_write.c:971 do_writev+0x1b1/0x350 fs/read_write.c:1018 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f936bf79e79 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f936cd7f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 RAX: ffffffffffffffda RBX: 00007f936c115f80 RCX: 00007f936bf79e79 RDX: 0000000000000001 RSI: 0000000020000040 RDI: 0000000000000004 RBP: 00007f936bfe7916 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f936c115f80 R15: 00007fff2860a7a8 Allocated by task 6530: kasan_save_stack 
mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:312 [inline] __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slub.c:3988 [inline] slab_alloc_node mm/slub.c:4037 [inline] kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4044 dst_alloc+0x12b/0x190 net/core/dst.c:89 ip6_blackhole_route+0x59/0x340 net/ipv6/route.c:2670 make_blackhole net/xfrm/xfrm_policy.c:3120 [inline] xfrm_lookup_route+0xd1/0x1c0 net/xfrm/xfrm_policy.c:3313 ip6_dst_lookup_flow+0x13e/0x180 net/ipv6/ip6_output.c:1257 rawv6_sendmsg+0x1283/0x23c0 net/ipv6/raw.c:898 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x1a6/0x270 net/socket.c:745 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597 ___sys_sendmsg net/socket.c:2651 [inline] __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 45: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2252 [inline] slab_free mm/slub.c:4473 [inline] kmem_cache_free+0x145/0x350 mm/slub.c:4548 dst_destroy+0x2ac/0x460 net/core/dst.c:124 rcu_do_batch kernel/rcu/tree.c:2569 [inline] rcu_core+0xafd/0x1830 kernel/rcu/tree. 
---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-04 20:15:00 UTC" }, { "cve": "CVE-2024-42301", "url": "https://ubuntu.com/security/CVE-2024-42301", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: dev/parport: fix the array out-of-bounds risk Fixed array out-of-bounds issues caused by sprintf by replacing it with snprintf for safer data copying, ensuring the destination buffer is not overflowed. Below is the stack trace I encountered during the actual issue: [ 66.575408s] [pid:5118,cpu4,QThread,4]Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: do_hardware_base_addr+0xcc/0xd0 [parport] [ 66.575408s] [pid:5118,cpu4,QThread,5]CPU: 4 PID: 5118 Comm: QThread Tainted: G S W O 5.10.97-arm64-desktop #7100.57021.2 [ 66.575439s] [pid:5118,cpu4,QThread,6]TGID: 5087 Comm: EFileApp [ 66.575439s] [pid:5118,cpu4,QThread,7]Hardware name: HUAWEI HUAWEI QingYun PGUX-W515x-B081/SP1PANGUXM, BIOS 1.00.07 04/29/2024 [ 66.575439s] [pid:5118,cpu4,QThread,8]Call trace: [ 66.575469s] [pid:5118,cpu4,QThread,9] dump_backtrace+0x0/0x1c0 [ 66.575469s] [pid:5118,cpu4,QThread,0] show_stack+0x14/0x20 [ 66.575469s] [pid:5118,cpu4,QThread,1] dump_stack+0xd4/0x10c [ 66.575500s] [pid:5118,cpu4,QThread,2] panic+0x1d8/0x3bc [ 66.575500s] [pid:5118,cpu4,QThread,3] __stack_chk_fail+0x2c/0x38 [ 66.575500s] [pid:5118,cpu4,QThread,4] do_hardware_base_addr+0xcc/0xd0 [parport]", "cve_priority": "medium", "cve_public_date": "2024-08-17 09:15:00 UTC" }, { "cve": "CVE-2024-44998", "url": "https://ubuntu.com/security/CVE-2024-44998", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: idt77252: prevent use after free in dequeue_rx() We can't dereference \"skb\" after calling vcc->push() because the skb is released.", "cve_priority": "medium", "cve_public_date": "2024-09-04 20:15:00 UTC" } ], "log": [ "", " * noble/linux-riscv: 6.8.0-50.51.1 -proposed tracker (LP: #2086298)", "", " * 
Noble update: upstream stable patchset 2024-10-29 (LP: #2085849)", " - Revert \"mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K\"", "", " * Packaging resync (LP: #1786013)", " - [Packaging] resync git-ubuntu-log", " - [Packaging] debian.riscv/dkms-versions -- update from kernel-versions", " (main/2024.10.28)", "", " [ Ubuntu: 6.8.0-50.51 ]", "", " * noble/linux: 6.8.0-50.51 -proposed tracker (LP: #2086301)", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.master/dkms-versions -- update from kernel-versions", " (main/2024.10.28)", " * Noble update: upstream stable patchset 2024-10-31 (LP: #2086138)", " - device property: Add cleanup.h based fwnode_handle_put() scope based", " cleanup.", " - device property: Introduce device_for_each_child_node_scoped()", " - iio: adc: ad7124: Switch from of specific to fwnode based property handling", " - ksmbd: override fsids for share path check", " - ksmbd: override fsids for smb2_query_info()", " - usbnet: ipheth: remove extraneous rx URB length check", " - usbnet: ipheth: drop RX URBs with no payload", " - usbnet: ipheth: do not stop RX on failing RX callback", " - usbnet: ipheth: fix carrier detection in modes 1 and 4", " - net: ethernet: use ip_hdrlen() instead of bit shift", " - drm: panel-orientation-quirks: Add quirk for Ayn Loki Zero", " - drm: panel-orientation-quirks: Add quirk for Ayn Loki Max", " - net: phy: vitesse: repair vsc73xx autonegotiation", " - powerpc/mm: Fix boot warning with hugepages and CONFIG_DEBUG_VIRTUAL", " - wifi: mt76: mt7921: fix NULL pointer access in mt7921_ipv6_addr_change", " - net: hns3: use correct release function during uninitialization", " - btrfs: update target inode's ctime on unlink", " - Input: ads7846 - ratelimit the spi_sync error message", " - Input: synaptics - enable SMBus for HP Elitebook 840 G2", " - HID: multitouch: Add support for GT7868Q", " - scripts: kconfig: merge_config: config files: add a trailing newline", " - platform/surface: 
aggregator_registry: Add Support for Surface Pro 10", " - platform/surface: aggregator_registry: Add support for Surface Laptop Go 3", " - drm/msm/adreno: Fix error return if missing firmware-name", " - Input: i8042 - add Fujitsu Lifebook E756 to i8042 quirk table", " - smb/server: fix return value of smb2_open()", " - NFSv4: Fix clearing of layout segments in layoutreturn", " - NFS: Avoid unnecessary rescanning of the per-server delegation list", " - platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses", " - platform/x86: panasonic-laptop: Allocate 1 entry extra in the sinf array", " - mptcp: pm: Fix uaf in __timer_delete_sync", " - arm64: dts: rockchip: fix eMMC/SPI corruption when audio has been used on", " RK3399 Puma", " - arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399", " Puma", " - minmax: reduce min/max macro expansion in atomisp driver", " - net: tighten bad gso csum offset check in virtio_net_hdr", " - dm-integrity: fix a race condition when accessing recalc_sector", " - x86/hyperv: fix kexec crash due to VP assist page corruption", " - mm: avoid leaving partial pfn mappings around in error case", " - arm64: dts: rockchip: fix PMIC interrupt pin in pinctrl for ROCK Pi E", " - drm/amd/display: Disable error correction if it's not supported", " - drm/amd/display: Fix FEC_READY write on DP LT", " - eeprom: digsy_mtc: Fix 93xx46 driver probe failure", " - cxl/core: Fix incorrect vendor debug UUID define", " - selftests/bpf: Support SOCK_STREAM in unix_inet_redir_to_connected()", " - hwmon: (pmbus) Conditionally clear individual status bits for pmbus rev >=", " 1.2", " - ice: Fix lldp packets dropping after changing the number of channels", " - ice: fix accounting for filters shared by multiple VSIs", " - ice: fix VSI lists confusion when adding VLANs", " - igb: Always call igb_xdp_ring_update_tail() under Tx lock", " - net/mlx5: Update the list of the PCI supported devices", " - net/mlx5e: Add missing link modes to 
ptys2ethtool_map", " - net/mlx5e: Add missing link mode to ptys2ext_ethtool_map", " - net/mlx5: Explicitly set scheduling element and TSAR type", " - net/mlx5: Add missing masks and QoS bit masks for scheduling elements", " - net/mlx5: Correct TASR typo into TSAR", " - net/mlx5: Verify support for scheduling element and TSAR type", " - net/mlx5: Fix bridge mode operations when there are no VFs", " - fou: fix initialization of grc", " - octeontx2-af: Modify SMQ flush sequence to drop packets", " - net: ftgmac100: Enable TX interrupt to avoid TX timeout", " - selftests: net: csum: Fix checksums for packets with non-zero padding", " - netfilter: nft_socket: fix sk refcount leaks", " - net: dsa: felix: ignore pending status of TAS module when it's disabled", " - net: dpaa: Pad packets to ETH_ZLEN", " - tracing/osnoise: Fix build when timerlat is not enabled", " - spi: nxp-fspi: fix the KASAN report out-of-bounds bug", " - drm/syncobj: Fix syncobj leak in drm_syncobj_eventfd_ioctl", " - dma-buf: heaps: Fix off-by-one in CMA heap fault handler", " - drm/nouveau/fb: restore init() for ramgp102", " - drm/amdgpu/atomfirmware: Silence UBSAN warning", " - drm/amd/amdgpu: apply command submission parser for JPEG v1", " - spi: geni-qcom: Undo runtime PM changes at driver exit time", " - spi: geni-qcom: Fix incorrect free_irq() sequence", " - drm/i915/guc: prevent a possible int overflow in wq offsets", " - ASoC: codecs: avoid possible garbage value in peb2466_reg_read()", " - cifs: Fix signature miscalculation", " - pinctrl: meteorlake: Add Arrow Lake-H/U ACPI ID", " - ASoC: meson: axg-card: fix 'use-after-free'", " - drm/mediatek: Set sensible cursor width/height values to fix crash", " - Input: edt-ft5x06 - add support for FocalTech FT5452 and FT8719", " - Input: edt-ft5x06 - add support for FocalTech FT8201", " - cgroup/cpuset: Eliminate unncessary sched domains rebuilds in hotplug", " - spi: zynqmp-gqspi: Scale timeout by data size", " - drm/xe: use devm instead of drmm for 
managed bo", " - net: libwx: fix number of Rx and Tx descriptors", " - clocksource: hyper-v: Use lapic timer in a TDX VM without paravisor", " - bcachefs: Fix bch2_extents_match() false positive", " - bcachefs: Don't delete open files in online fsck", " - firmware: qcom: uefisecapp: Fix deadlock in qcuefi_acquire()", " - riscv: dts: starfive: jh7110-common: Fix lower rate of CPUfreq by setting", " PLL0 rate to 1.5GHz", " - cxl: Restore XOR'd position bits during address translation", " - netlink: specs: mptcp: fix port endianness", " - drm/amd/display: Avoid race between dcn10_set_drr() and dc_state_destruct()", " - drm/amd/display: Avoid race between dcn35_set_drr() and dc_state_destruct()", " - drm/amd/amdgpu: apply command submission parser for JPEG v2+", " - drm/xe/client: fix deadlock in show_meminfo()", " - drm/xe/client: remove bogus rcu list usage", " - drm/xe/client: add missing bo locking in show_meminfo()", " - tracing/kprobes: Fix build error when find_module() is not available", " - drm/xe/display: fix compat IS_DISPLAY_STEP() range end", " - Upstream stable to v6.6.52, v6.10.11", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849)", " - KVM: SVM: fix emulation of msr reads/writes of MSR_FS_BASE and MSR_GS_BASE", " - KVM: SVM: Don't advertise Bus Lock Detect to guest if SVM support is missing", " - ALSA: hda/conexant: Add pincfg quirk to enable top speakers on Sirius", " devices", " - ALSA: hda/realtek: add patch for internal mic in Lenovo V145", " - ALSA: hda/realtek: Support mute LED on HP Laptop 14-dq2xxx", " - ksmbd: Unlock on in ksmbd_tcp_set_interfaces()", " - ata: libata: Fix memory leak for error path in ata_host_alloc()", " - irqchip/gic-v2m: Fix refcount leak in gicv2m_of_init()", " - x86/kaslr: Expose and use the end of the physical memory address space", " - nvme-pci: Add sleep quirk for Samsung 990 Evo", " - rust: types: Make Opaque::get const", " - rust: macros: provide correct provenance when constructing THIS_MODULE", " 
- Revert \"Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/LE\"", " - Bluetooth: MGMT: Ignore keys being loaded with invalid type", " - mmc: core: apply SD quirks earlier during probe", " - mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K", " - mmc: sdhci-of-aspeed: fix module autoloading", " - mmc: cqhci: Fix checking of CQHCI_HALT state", " - fuse: update stats for pages in dropped aux writeback list", " - fuse: use unsigned type for getxattr/listxattr size truncation", " - fuse: fix memory leak in fuse_create_open", " - clk: starfive: jh7110-sys: Add notifier for PLL0 clock", " - clk: qcom: clk-alpha-pll: Fix the pll post div mask", " - clk: qcom: clk-alpha-pll: Fix the trion pll postdiv set rate API", " - kexec_file: fix elfcorehdr digest exclusion when CONFIG_CRASH_HOTPLUG=y", " - tracing: Avoid possible softlockup in tracing_iter_reset()", " - tracing/timerlat: Add interface_lock around clearing of kthread in", " stop_kthread()", " - net: mctp-serial: Fix missing escapes on transmit", " - x86/fpu: Avoid writing LBR bit to IA32_XSS unless supported", " - x86/apic: Make x2apic_disable() work correctly", " - drm/i915: Do not attempt to load the GSC multiple times", " - ALSA: control: Apply sanity check of input values for user elements", " - ALSA: hda: Add input value sanity checks to HDMI channel map controls", " - wifi: ath12k: fix uninitialize symbol error on ath12k_peer_assoc_h_he()", " - smack: unix sockets: fix accept()ed socket label", " - bpf, verifier: Correct tail_call_reachable for bpf prog", " - accel/habanalabs/gaudi2: unsecure edma max outstanding register", " - irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1", " - af_unix: Remove put_pid()/put_cred() in copy_peercred().", " - x86/kmsan: Fix hook for unaligned accesses", " - iommu: sun50i: clear bypass register", " - netfilter: nf_conncount: fix wrong variable type", " - fs/ntfs3: One more reason to mark inode bad", " - riscv: kprobes: Use patch_text_nosync() for 
insn slots", " - media: vivid: fix wrong sizeimage value for mplane", " - leds: spi-byte: Call of_node_put() on error path", " - wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3", " - usb: uas: set host status byte on data completion error", " - drm/amd/display: Check HDCP returned status", " - drm/amdgpu: clear RB_OVERFLOW bit when enabling interrupts", " - media: vivid: don't set HDMI TX controls if there are no HDMI outputs", " - vfio/spapr: Always clear TCEs before unsetting the window", " - ice: Check all ice_vsi_rebuild() errors in function", " - Input: ili210x - use kvmalloc() to allocate buffer for firmware update", " - media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse", " - pcmcia: Use resource_size function on resource object", " - drm/amdgpu: check for LINEAR_ALIGNED correctly in check_tiling_flags_gfx6", " - can: m_can: Release irq on error in m_can_open", " - can: mcp251xfd: fix ring configuration when switching from CAN-CC to CAN-FD", " mode", " - rust: kbuild: fix export of bss symbols", " - cifs: Fix FALLOC_FL_ZERO_RANGE to preflush buffered part of target region", " - igb: Fix not clearing TimeSync interrupts for 82580", " - platform/x86: dell-smbios: Fix error path in dell_smbios_init()", " - regulator: core: Stub devm_regulator_bulk_get_const() if !CONFIG_REGULATOR", " - can: kvaser_pciefd: Skip redundant NULL pointer check in ISR", " - can: kvaser_pciefd: Remove unnecessary comment", " - can: kvaser_pciefd: Rename board_irq to pci_irq", " - can: kvaser_pciefd: Move reset of DMA RX buffers to the end of the ISR", " - can: kvaser_pciefd: Use a single write when releasing RX buffers", " - Bluetooth: qca: If memdump doesn't work, re-enable IBS", " - Bluetooth: hci_sync: Introduce hci_cmd_sync_run/hci_cmd_sync_run_once", " - Bluetooth: MGMT: Fix not generating command complete for MGMT_OP_DISCONNECT", " - igc: Unlock on error in igc_io_resume()", " - ice: do not bring the VSI up, if it was down before the XDP setup", " - usbnet: modern 
method to get random MAC", " - bpf, net: Fix a potential race in do_sock_getsockopt()", " - bareudp: Fix device stats updates.", " - r8152: fix the firmware doesn't work", " - net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN", " - net: dsa: vsc73xx: fix possible subblocks range of CAPT block", " - selftests: net: enable bind tests", " - firmware: cs_dsp: Don't allow writes to read-only controls", " - phy: zynqmp: Take the phy mutex in xlate", " - ASoC: topology: Properly initialize soc_enum values", " - dm init: Handle minors larger than 255", " - iommu/vt-d: Handle volatile descriptor status read", " - cgroup: Protect css->cgroup write under css_set_lock", " - devres: Initialize an uninitialized struct member", " - virtio_ring: fix KMSAN error for premapped mode", " - crypto: qat - fix unintentional re-enabling of error interrupts", " - ASoc: TAS2781: replace beXX_to_cpup with get_unaligned_beXX for potentially", " broken alignment", " - libbpf: Add NULL checks to bpf_object__{prev_map,next_map}", " - drm/amdgpu: Set no_hw_access when VF request full GPU fails", " - ext4: fix possible tid_t sequence overflows", " - jbd2: avoid mount failed when commit block is partial submitted", " - dma-mapping: benchmark: Don't starve others when doing the test", " - drm/amdgpu: reject gang submit on reserved VMIDs", " - smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu()", " - fs/ntfs3: Check more cases when directory is corrupted", " - btrfs: replace BUG_ON with ASSERT in walk_down_proc()", " - cxl/region: Verify target positions using the ordered target list", " - riscv: set trap vector earlier", " - tcp: Don't drop SYN+ACK for simultaneous connect().", " - net: dpaa: avoid on-stack arrays of NR_CPUS elements", " - LoongArch: Use correct API to map cmdline in relocate_kernel()", " - regmap: maple: work around gcc-14.1 false-positive warning", " - vfs: Fix potential circular locking through setxattr() and removexattr()", " - i3c: master: svc: 
resend target address when get NACK", " - kselftests: dmabuf-heaps: Ensure the driver name is null-terminated", " - btrfs: initialize location to fix -Wmaybe-uninitialized in", " btrfs_lookup_dentry()", " - s390/vmlinux.lds.S: Move ro_after_init section behind rodata section", " - usbnet: ipheth: race between ipheth_close and error handling", " - spi: spi-fsl-lpspi: limit PRESCALE bit in TCR register", " - ata: pata_macio: Use WARN instead of BUG", " - NFSv4: Add missing rescheduling points in", " nfs_client_return_marked_delegations", " - ACPI: CPPC: Add helper to get the highest performance value", " - cpufreq: amd-pstate: Enable amd-pstate preferred core support", " - cpufreq: amd-pstate: fix the highest frequency issue which limits", " performance", " - tcp: process the 3rd ACK with sk_socket for TFO/MPTCP", " - iio: buffer-dmaengine: fix releasing dma channel on error", " - iio: fix scale application in iio_convert_raw_to_processed_unlocked", " - iio: adc: ad7124: fix config comparison", " - iio: adc: ad7606: remove frstdata check for serial mode", " - iio: adc: ad7124: fix chip ID mismatch", " - usb: dwc3: core: update LC timer as per USB Spec V3.2", " - usb: cdns2: Fix controller reset issue", " - usb: dwc3: Avoid waking up gadget during startxfer", " - nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc", " - Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic", " - clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX", " - clocksource/drivers/imx-tpm: Fix next event not taking effect sometime", " - clocksource/drivers/timer-of: Remove percpu irq related code", " - uprobes: Use kzalloc to allocate xol area", " - Revert \"mm: skip CMA pages when they are not available\"", " - workqueue: wq_watchdog_touch is always called with valid CPU", " - workqueue: Improve scalability of workqueue watchdog touch", " - ACPI: processor: Return an error if acpi_processor_get_info() fails in", " processor_add()", " - ACPI: processor: 
Fix memory leaks in error paths of processor_add()", " - arm64: acpi: Move get_cpu_for_acpi_id() to a header", " - can: mcp251xfd: mcp251xfd_handle_rxif_ring_uinc(): factor out in separate", " function", " - can: mcp251xfd: rx: prepare to workaround broken RX FIFO head index erratum", " - can: mcp251xfd: clarify the meaning of timestamp", " - can: mcp251xfd: rx: add workaround for erratum DS80000789E 6 of mcp2518fd", " - drm/amd: Add gfx12 swizzle mode defs", " - drm/amdgpu: handle gfx12 in amdgpu_display_verify_sizes", " - ata: libata-scsi: Remove redundant sense_buffer memsets", " - ata: libata-scsi: Check ATA_QCFLAG_RTF_FILLED before using result_tf", " - crypto: starfive - Align rsa input data to 32-bit", " - crypto: starfive - Fix nent assignment in rsa dec", " - clk: qcom: ipq9574: Update the alpha PLL type for GPLLs", " - powerpc/64e: remove unused IBM HTW code", " - powerpc/64e: split out nohash Book3E 64-bit code", " - powerpc/64e: Define mmu_pte_psize static", " - powerpc/vdso: Don't discard rela sections", " - ASoC: tegra: Fix CBB error during probe()", " - nvme-pci: allocate tagset on reset if necessary", " - ASoc: SOF: topology: Clear SOF link platform name upon unload", " - ASoC: sunxi: sun4i-i2s: fix LRCLK polarity in i2s mode", " - clk: qcom: gcc-sm8550: Don't use parking clk_ops for QUPs", " - clk: qcom: gcc-sm8550: Don't park the USB RCG at registration time", " - drm/i915/fence: Mark debug_fence_init_onstack() with __maybe_unused", " - drm/i915/fence: Mark debug_fence_free() with __maybe_unused", " - gpio: rockchip: fix OF node leak in probe()", " - gpio: modepin: Enable module autoloading", " - riscv: Fix toolchain vector detection", " - riscv: Do not restrict memory size because of linear mapping on nommu", " - membarrier: riscv: Add full memory barrier in switch_mm()", " - [Config] updateconfigs for ARCH_HAS_MEMBARRIER_CALLBACKS", " - x86/mm: Fix PTI for i386 some more", " - btrfs: fix race between direct IO write and fsync when using same 
fd", " - spi: spi-fsl-lpspi: Fix off-by-one in prescale max", " - ALSA: hda/realtek: Enable Mute Led for HP Victus 15-fb1xxx", " - ALSA: hda/realtek - Fix inactive headset mic jack for ASUS Vivobook 15", " X1504VAP", " - fuse: clear PG_uptodate when using a stolen page", " - riscv: misaligned: remove CONFIG_RISCV_M_MODE specific code", " - parisc: Delay write-protection until mark_rodata_ro() call", " - pinctrl: qcom: x1e80100: Bypass PDC wakeup parent for now", " - maple_tree: remove rcu_read_lock() from mt_validate()", " - Revert \"wifi: ath11k: restore country code during resume\"", " - btrfs: qgroup: don't use extent changeset when not needed", " - btrfs: zoned: handle broken write pointer on zones", " - drm/xe/gsc: Do not attempt to load the GSC multiple times", " - drm/amdgpu: always allocate cleared VRAM for GEM allocations", " - drm/amd/display: Lock DC and exit IPS when changing backlight", " - ALSA: hda/realtek: extend quirks for Clevo V5[46]0", " - cgroup/cpuset: Delay setting of CS_CPU_EXCLUSIVE until valid partition", " - virt: sev-guest: Mark driver struct with __refdata to prevent section", " mismatch", " - media: b2c2: flexcop-usb: fix flexcop_usb_memory_req", " - gve: Add adminq mutex lock", " - wifi: rtw89: wow: prevent to send unexpected H2C during download Firmware", " - drm/amdgpu: add missing error handling in function", " amdgpu_gmc_flush_gpu_tlb_pasid", " - crypto: qat - initialize user_input.lock for rate_limiting", " - locking: Add rwsem_assert_held() and rwsem_assert_held_write()", " - fs: don't copy to userspace under namespace semaphore", " - fs: relax permissions for statmount()", " - seccomp: release task filters when the task exits", " - drm/amdgpu/display: handle gfx12 in amdgpu_dm_plane_format_mod_supported", " - can: m_can: Remove m_can_rx_peripheral indirection", " - can: m_can: Do not cancel timer from within timer", " - mm: Provide a means of invalidation without using launder_folio", " - cifs: Fix copy offload to flush 
destination region", " - hwmon: ltc2991: fix register bits defines", " - scripts: fix gfp-translate after ___GFP_*_BITS conversion to an enum", " - ptp: ocp: convert serial ports to array", " - ptp: ocp: adjust sysfs entries to expose tty information", " - ice: check ICE_VSI_DOWN under rtnl_lock when preparing for reset", " - ice: remove ICE_CFG_BUSY locking from AF_XDP code", " - net: xilinx: axienet: Fix race in axienet_stop", " - iommu/vt-d: Remove control over Execute-Requested requests", " - block: don't call bio_uninit from bio_endio", " - tracing/kprobes: Add symbol counting check when module loads", " - perf/x86/intel: Hide Topdown metrics events if the feature is not enumerated", " - PCI: qcom: Override NO_SNOOP attribute for SA8775P RC", " - staging: vchiq_core: Bubble up wait_event_interruptible() return value", " - watchdog: imx7ulp_wdt: keep already running watchdog enabled", " - btrfs: slightly loosen the requirement for qgroup removal", " - drm/amdgpu: add PSP RAS address query command", " - drm/amdgpu: add mutex to protect ras shared memory", " - s390/boot: Do not assume the decompressor range is reserved", " - drm/amdgpu: Fix two reset triggered in a row", " - drm/amdgpu: Add reset_context flag for host FLR", " - drm/amdgpu: Fix amdgpu_device_reset_sriov retry logic", " - fs: only copy to userspace on success in listmount()", " - iio: adc: ad7124: fix DT configuration parsing", " - nvmem: u-boot-env: error if NVMEM device is too small", " - mm: zswap: rename is_zswap_enabled() to zswap_is_enabled()", " - mm/memcontrol: respect zswap.writeback setting from parent cg too", " - path: add cleanup helper", " - fs: simplify error handling", " - fs: relax permissions for listmount()", " - hid: bpf: add BPF_JIT dependency", " - net/mlx5e: SHAMPO, Use KSMs instead of KLMs", " - net/mlx5e: SHAMPO, Fix page leak", " - drm/xe/xe2: Add workaround 14021402888", " - drm/xe/xe2lpg: Extend workaround 14021402888", " - clk: qcom: gcc-x1e80100: Fix USB 0 and 1 PHY 
GDSC pwrsts flags", " - clk: qcom: gcc-x1e80100: Don't use parking clk_ops for QUPs", " - nouveau: fix the fwsec sb verification register.", " - riscv: Add tracepoints for SBI calls and returns", " - riscv: Improve sbi_ecall() code generation by reordering arguments", " - riscv: Fix RISCV_ALTERNATIVE_EARLY", " - cifs: Fix zero_point init on inode initialisation", " - nvme: rename nvme_sc_to_pr_err to nvme_status_to_pr_err", " - nvme: fix status magic numbers", " - nvme: rename CDR/MORE/DNR to NVME_STATUS_*", " - nvmet: Identify-Active Namespace ID List command should reject invalid nsid", " - drm/i915/display: Add mechanism to use sink model when applying quirk", " - drm/i915/display: Increase Fast Wake Sync length as a quirk", " - LoongArch: Use accessors to page table entries instead of direct dereference", " - Upstream stable to v6.6.51, v6.10.10", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46823", " - kunit/overflow: Fix UB in overflow_allocation_test", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46834", " - ethtool: fail closed if we can't get max channel used in indirection tables", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46751", " - btrfs: don't BUG_ON() when 0 reference count at btrfs_lookup_extent_info()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46753", " - btrfs: handle errors from btrfs_dec_ref() properly", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46841", " - btrfs: don't BUG_ON on ENOMEM from btrfs_lookup_extent_info() in", " walk_down_proc()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46754", " - bpf: Remove tst_run from lwt_seg6local_prog_ops.", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46824", " - iommufd: Require drivers to supply the 
cache_invalidate_user ops", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46842", " - scsi: lpfc: Handle mailbox timeouts in lpfc_get_sfp_info", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46766", " - ice: move netif_queue_set_napi to rtnl-protected sections", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46772", " - drm/amd/display: Check denominator crb_pipes before used", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46774", " - powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46775", " - drm/amd/display: Validate function returns", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46778", " - drm/amd/display: Check UnboundedRequestEnabled's value", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46779", " - drm/imagination: Free pvr_vm_gpuva after unlink", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46792", " - riscv: misaligned: Restrict user access to kernel memory", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46793", " - ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards harder", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46735", " - ublk_drv: fix NULL pointer dereference in ublk_ctrl_start_recovery()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46737", " - nvmet-tcp: fix kernel crash if commands allocation fails", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46822", " - arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " 
CVE-2024-46713", " - perf/aux: Fix AUX buffer serialization", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46739", " - uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46740", " - binder: fix UAF caused by offsets overwrite", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46741", " - misc: fastrpc: Fix double free of 'buf' in error path", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-47663", " - staging: iio: frequency: ad9834: Validate frequency parameter value", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46832", " - MIPS: cevt-r4k: Don't call get_c0_compare_int if timer irq is installed", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-47668", " - lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46744", " - Squashfs: sanity check symbolic link size", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46745", " - Input: uinput - reject requests with unreasonable number of slots", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46746", " - HID: amd_sfh: free driver_data after destroying hid device", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-47664", " - spi: hisi-kunpeng: Add verification for the max_frequency provided by the", " firmware", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-47665", " - i3c: mipi-i3c-hci: Error out instead on BUG_ON() in IBI DMA setup", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46749", " - Bluetooth: btnxpuart: Fix Null pointer dereference in 
btnxpuart_flush()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46750", " - PCI: Add missing bridge lock to pci_bus_lock()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46752", " - btrfs: replace BUG_ON() with error handling at update_ref_for_cow()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46840", " - btrfs: clean up our handling of refs == 0 in snapshot delete", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46755", " - wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-47666", " - scsi: pm80xx: Set phy->enable_completion only when we wait for it", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46843", " - scsi: ufs: core: Remove SCSI host only if added", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46760", " - wifi: rtw88: usb: schedule rx work after everything is set up", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46761", " - pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46844", " - um: line: always fill *error_out in setup_one_line()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46762", " - xen: privcmd: Fix possible access to a freed kirqfd instance", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46763", " - fou: Fix null-ptr-deref in GRO.", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46765", " - ice: protect XDP configuration with a mutex", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46767", " - net: phy: Fix missing 
of_node_put() for leds", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46768", " - hwmon: (hp-wmi-sensors) Check if WMI event data exists", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46770", " - ice: Add netif_device_attach/detach into PF reset flow", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46771", " - can: bcm: Remove proc entry when dev is unregistered.", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46773", " - drm/amd/display: Check denominator pbn_div before used", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-47667", " - PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46835", " - drm/amdgpu: Fix smatch static checker warning", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46776", " - drm/amd/display: Run DC_LOG_DC after checking link->link_enc", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46836", " - usb: gadget: aspeed_udc: validate endpoint index for ast udc", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46777", " - udf: Avoid excessive partition lengths", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46825", " - wifi: iwlwifi: mvm: use IWL_FW_CHECK for link ID check", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46826", " - ELF: fix kernel.randomize_va_space double read", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46827", " - wifi: ath12k: fix firmware crash due to invalid peer nss", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-47669", " - nilfs2: fix state management in error 
path of log writing function", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46780", " - nilfs2: protect references to superblock parameters exposed in sysfs", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46781", " - nilfs2: fix missing cleanup on rollforward recovery error", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46828", " - sched: sch_cake: fix bulk flow accounting logic for host fairness", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46782", " - ila: call nf_unregister_net_hooks() sooner", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46783", " - tcp_bpf: fix return value of tcp_bpf_sendmsg()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46784", " - net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46785", " - eventfs: Use list_del_rcu() for SRCU protected list variable", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46786", " - fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46787", " - userfaultfd: fix checks for huge PMDs", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46838", " - userfaultfd: don't BUG_ON() if khugepaged yanks our page table", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46845", " - tracing/timerlat: Only clear timer if a kthread exists", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46788", " - tracing/osnoise: Use a cpumask to know what threads are kthreads", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", 
" CVE-2024-46846", " - spi: rockchip: Resolve unbalanced runtime PM / system PM handling", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46847", " - mm: vmalloc: ensure vmap_block is initialised before adding to queue", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46791", " - can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46829", " - rtmutex: Drop rt_mutex::wait_lock before scheduling", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46848", " - perf/x86/intel: Limit the period on Haswell", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46794", " - x86/tdx: Fix data leak in mmio_read()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46795", " - ksmbd: unset the binding mark of a reused connection", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46797", " - powerpc/qspinlock: Fix deadlock in MCS queue", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46830", " - KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46798", " - ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46831", " - net: microchip: vcap: Fix use-after-free error in kunit test", " * Navi24 RX6300 light up issue on 6.8 kernel (LP: #2084513)", " - drm/amd/display: Ensure populate uclk in bb construction", " * Noble update: upstream stable patchset 2024-10-18 (LP: #2084941)", " - drm/fb-helper: Don't schedule_work() to flush frame buffer during panic()", " - drm: panel-orientation-quirks: Add quirk for OrangePi Neo", " - scsi: ufs: core: Check 
LSDBS cap when !mcq", " - scsi: ufs: core: Bypass quick recovery if force reset is needed", " - btrfs: tree-checker: validate dref root and objectid", " - ALSA: hda/generic: Add a helper to mute speakers at suspend/shutdown", " - ALSA: hda/conexant: Mute speakers at suspend / shutdown", " - ALSA: ump: Transmit RPN/NRPN message at each MSB/LSB data reception", " - ALSA: ump: Explicitly reset RPN with Null RPN", " - ALSA: seq: ump: Use the common RPN/bank conversion context", " - ALSA: seq: ump: Transmit RPN/NRPN message at each MSB/LSB data reception", " - ALSA: seq: ump: Explicitly reset RPN with Null RPN", " - net/mlx5: DR, Fix 'stack guard page was hit' error in dr_rule", " - ASoC: amd: yc: Support mic on HP 14-em0002la", " - spi: hisi-kunpeng: Add validation for the minimum value of speed_hz", " - i2c: Fix conditional for substituting empty ACPI functions", " - dma-debug: avoid deadlock between dma debug vs printk and netconsole", " - net: usb: qmi_wwan: add MeiG Smart SRM825L", " - ASoC: amd: yc: Support mic on Lenovo Thinkpad E14 Gen 6", " - ASoC: codecs: ES8326: button detect issue", " - selftests: mptcp: userspace pm create id 0 subflow", " - selftests: mptcp: dump userspace addrs list", " - selftests: mptcp: userspace pm get addr tests", " - selftests: mptcp: declare event macros in mptcp_lib", " - selftests: mptcp: join: cannot rm sf if closed", " - selftests: mptcp: add explicit test case for remove/readd", " - selftests: mptcp: join: check re-using ID of unused ADD_ADDR", " - selftests: mptcp: join: check re-adding init endp with != id", " - selftests: mptcp: add mptcp_lib_events helper", " - selftests: mptcp: join: validate event numbers", " - selftests: mptcp: join: check re-re-adding ID 0 signal", " - selftests: mptcp: join: test for flush/re-add endpoints", " - selftests: mptcp: join: disable get and dump addr checks", " - selftests: mptcp: join: stop transfer when check is done (part 2.2)", " - drm/amdgpu: Fix uninitialized variable warning in 
amdgpu_afmt_acr", " - drm/amd/display: Assign linear_pitch_alignment even for VM", " - drm/amdgpu: fix overflowed array index read warning", " - drm/amdgpu/pm: Check the return value of smum_send_msg_to_smc", " - drm/amd/pm: fix uninitialized variable warning", " - drm/amd/pm: fix uninitialized variable warning for smu8_hwmgr", " - drm/amd/pm: fix warning using uninitialized value of max_vid_step", " - drm/amd/pm: Fix negative array index read", " - drm/amd/pm: fix the Out-of-bounds read warning", " - drm/amd/pm: fix uninitialized variable warnings for vega10_hwmgr", " - drm/amdgpu: avoid reading vf2pf info size from FB", " - drm/amd/display: Check gpio_id before used as array index", " - drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6", " - drm/amd/display: Check index for aux_rd_interval before using", " - drm/amd/display: Add array index check for hdcp ddc access", " - drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[]", " - drm/amd/display: Check msg_id before processing transcation", " - drm/amd/display: Fix Coverity INTERGER_OVERFLOW within", " construct_integrated_info", " - drm/amd/display: Fix Coverity INTEGER_OVERFLOW within", " dal_gpio_service_create", " - drm/amd/display: Spinlock before reading event", " - drm/amd/display: Fix Coverity INTEGER_OVERFLOW within", " decide_fallback_link_setting_max_bw_policy", " - drm/amd/display: Ensure index calculation will not overflow", " - drm/amd/display: Skip inactive planes within", " ModeSupportAndSystemConfiguration", " - drm/amd/display: Fix index may exceed array range within", " fpu_update_bw_bounding_box", " - drm/amd/amdgpu: Check tbo resource pointer", " - drm/amd/pm: fix uninitialized variable warnings for vangogh_ppt", " - drm/amdgpu/pm: Fix uninitialized variable warning for smu10", " - drm/amdgpu/pm: Fix uninitialized variable agc_btc_response", " - drm/amdgpu: Fix the uninitialized variable warning", " - drm/amdkfd: Check debug trap enable before write 
dbg_ev_file", " - drm/amdkfd: Reconcile the definition and use of oem_id in struct", " kfd_topology_device", " - apparmor: fix possible NULL pointer dereference", " - wifi: ath12k: initialize 'ret' in ath12k_qmi_load_file_target_mem()", " - wifi: ath11k: initialize 'ret' in ath11k_qmi_load_file_target_mem()", " - drm/amdgpu/pm: Check input value for CUSTOM profile mode setting on legacy", " SOCs", " - drm/amdgpu: Fix the warning division or modulo by zero", " - drm/amdgpu: fix dereference after null check", " - drm/amdgpu: fix the waring dereferencing hive", " - drm/amd/pm: check specific index for aldebaran", " - drm/amd/pm: check specific index for smu13", " - drm/amdgpu: the warning dereferencing obj for nbio_v7_4", " - drm/amd/pm: check negtive return for table entries", " - wifi: rtw89: ser: avoid multiple deinit on same CAM", " - drm/kfd: Correct pinned buffer handling at kfd restore and validate process", " - drm/amdgpu: update type of buf size to u32 for eeprom functions", " - wifi: iwlwifi: remove fw_running op", " - cpufreq: scmi: Avoid overflow of target_freq in fast switch", " - PCI: al: Check IORESOURCE_BUS existence during probe", " - wifi: mac80211: check ieee80211_bss_info_change_notify() against MLD", " - hwspinlock: Introduce hwspin_lock_bust()", " - soc: qcom: smem: Add qcom_smem_bust_hwspin_lock_by_host()", " - RDMA/efa: Properly handle unexpected AQ completions", " - ionic: fix potential irq name truncation", " - pwm: xilinx: Fix u32 overflow issue in 32-bit width PWM mode.", " - rcu/nocb: Remove buggy bypass lock contention mitigation", " - media: v4l2-cci: Always assign *val", " - usbip: Don't submit special requests twice", " - usb: typec: ucsi: Fix null pointer dereference in trace", " - fsnotify: clear PARENT_WATCHED flags lazily", " - net: remove NULL-pointer net parameter in ip_metrics_convert", " - drm/amdgu: fix Unintentional integer overflow for mall size", " - regmap: spi: Fix potential off-by-one when calculating reserved size", " - 
smack: tcp: ipv4, fix incorrect labeling", " - platform/chrome: cros_ec_lpc: MEC access can use an AML mutex", " - net/mlx5e: SHAMPO, Fix incorrect page release", " - drm/meson: plane: Add error handling", " - crypto: stm32/cryp - call finalize with bh disabled", " - gfs2: Revert \"Add quota_change type\"", " - drm/bridge: tc358767: Check if fully initialized before signalling HPD event", " via IRQ", " - dmaengine: altera-msgdma: use irq variant of spin_lock/unlock while invoking", " callbacks", " - dmaengine: altera-msgdma: properly free descriptor in msgdma_free_descriptor", " - hwmon: (k10temp) Check return value of amd_smn_read()", " - wifi: cfg80211: make hash table duplicates more survivable", " - f2fs: fix to do sanity check on blocks for inline_data inode", " - driver: iio: add missing checks on iio_info's callback access", " - block: remove the blk_flush_integrity call in blk_integrity_unregister", " - drm/amdgpu: add skip_hw_access checks for sriov", " - drm/amdgpu: add lock in amdgpu_gart_invalidate_tlb", " - drm/amdgpu: add lock in kfd_process_dequeue_from_device", " - drm/amd/display: Don't use fsleep for PSR exit waits on dmub replay", " - drm/amd/display: added NULL check at start of dc_validate_stream", " - drm/amd/display: Correct the defined value for AMDGPU_DMUB_NOTIFICATION_MAX", " - drm/amd/display: use preferred link settings for dp signal only", " - drm/amd/display: Check BIOS images before it is used", " - drm/amd/display: Skip wbscl_set_scaler_filter if filter is null", " - media: uvcvideo: Enforce alignment of frame and interval", " - virtio_net: Fix napi_skb_cache_put warning", " - i2c: Use IS_REACHABLE() for substituting empty ACPI functions", " - btrfs: factor out stripe length calculation into a helper", " - btrfs: scrub: update last_physical after scrubbing one stripe", " - btrfs: fix qgroup reserve leaks in cow_file_range", " - virtio-net: check feature before configuring the vq coalescing command", " - drm/amd/display: Handle the 
case which quad_part is equal 0", " - drm/amdgpu: Handle sg size limit for contiguous allocation", " - drm/amd/pm: fix uninitialized variable warning for smu_v13", " - drm/amdgpu: fix uninitialized scalar variable warning", " - drm/amd/display: Ensure array index tg_inst won't be -1", " - drm/amd/display: handle invalid connector indices", " - drm/amd/display: Increase MAX_LINKS by 2", " - drm/amd/display: Stop amdgpu_dm initialize when link nums greater than", " max_links", " - drm/amd/display: Fix incorrect size calculation for loop", " - drm/amd/display: Use kcalloc() instead of kzalloc()", " - drm/amd/display: Add missing NULL pointer check within", " dpcd_extend_address_range", " - drm/amd/display: Release state memory if amdgpu_dm_create_color_properties", " fail", " - drm/amd/display: Check link_index before accessing dc->links[]", " - drm/amd/display: Add otg_master NULL check within", " resource_log_pipe_topology_update", " - drm/amd/display: Release clck_src memory if clk_src_construct fails", " - drm/amd/display: Fix writeback job lock evasion within dm_crtc_high_irq", " - drm/xe: Demote CCS_MODE info to debug only", " - drm/drm-bridge: Drop conditionals around of_node pointers", " - drm/amdgpu: fix uninitialized variable warning for amdgpu_xgmi", " - drm/amdgpu: fix uninitialized variable warning for jpeg_v4", " - drm/amdgpu: Fix uninitialized variable warning in amdgpu_info_ioctl", " - wifi: ath12k: initialize 'ret' in ath12k_dp_rxdma_ring_sel_config_wcn7850()", " - drm/amdgpu/pm: Check input value for power profile setting on smu11, smu13", " and smu14", " - drm/xe: Fix the warning conditions", " - drm/amd/display: Fix pipe addition logic in calc_blocks_to_ungate DCN35", " - wifi: cfg80211: restrict operation during radar detection", " - remoteproc: qcom_q6v5_pas: Add hwspinlock bust on stop", " - tcp: annotate data-races around tw->tw_ts_recent and tw->tw_ts_recent_stamp", " - drm/xe: Don't overmap identity VRAM mapping", " - net: tcp/dccp: prepare 
for tw_timer un-pinning", " - drm/xe: Ensure caller uses sole domain for xe_force_wake_assert_held", " - drm/xe: Check valid domain is passed in xe_force_wake_ref", " - thermal: trip: Use READ_ONCE() for lockless access to trip properties", " - drm/xe: Add GuC state asserts to deregister_exec_queue", " - drm/amdgpu: fix overflowed constant warning in mmhub_set_clockgating()", " - drm/amd/display: Remove register from DCN35 DMCUB diagnostic collection", " - drm/amd/display: Disable DMCUB timeout for DCN35", " - drm/amd/display: Avoid overflow from uint32_t to uint8_t", " - pinctrl: core: reset gpio_device in loop in pinctrl_pins_show()", " - Upstream stable to v6.6.50, v6.10.9", " * CVE-2024-46747", " - HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup", " * CVE-2024-46725", " - drm/amdgpu: Fix out-of-bounds write warning", " * CVE-2024-46724", " - drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number", " * [SRU] Fix AST DP output after resume (LP: #2083022)", " - drm/ast: Inline drm_simple_encoder_init()", " - drm/ast: Implement atomic enable/disable for encoders", " - drm/ast: Program mode for AST DP in atomic_mode_set", " - drm/ast: Move mode-setting code into mode_set_nofb CRTC helper", " - drm/ast: Handle primary-plane format setup in atomic_update", " - drm/ast: Remove gamma LUT updates from DPMS code", " - drm/ast: Only set VGA SCREEN_DISABLE bit in CRTC code", " - drm/ast: Inline ast_crtc_dpms() into callers", " - drm/ast: Use drm_atomic_helper_commit_tail() helper", " * UBSAN array-index-out-of-bounds reported with N-6.8 on P9 node baltar", " (LP: #2078038)", " - scripts/kernel-doc: reindent", " - compiler_types: add Endianness-dependent __counted_by_{le, be}", " - scsi: aacraid: union aac_init: Replace 1-element array with flexible array", " - scsi: aacraid: struct aac_ciss_phys_luns_resp: Replace 1-element array with", " flexible array", " - scsi: aacraid: Rearrange order of struct aac_srb_unit", " - scsi: aacraid: struct {user, 
}sgmap{, 64, raw}: Replace 1-element arrays", " with flexible arrays", " * r8169: transmit queue 0 timed out error when re-plugging the Ethernet cable", " (LP: #2084526)", " - r8169: disable ALDPS per default for RTL8125", " * [SRU] cpufreq: intel_pstate: Support Emerald Rapids OOB mode (LP: #2084834)", " - cpufreq: intel_pstate: Support Emerald Rapids OOB mode", " * CVE-2024-46723", " - drm/amdgpu: fix ucode out-of-bounds read warning", " * CVE-2024-46743", " - of/irq: Prevent device address out-of-bounds read in interrupt map walk", " * CVE-2024-46757", " - hwmon: (nct6775-core) Fix underflows seen when writing limit attributes", " * [SRU] Ubuntu 24.04 - GPU cannot be installed with DL380a Gen12 (2P, SRF-SP)", " (LP: #2081079)", " - perf/x86/uncore: Save the unit control address of all units", " - perf/x86/uncore: Support per PMU cpumask", " - perf/x86/uncore: Retrieve the unit ID from the unit control RB tree", " - perf/x86/uncore: Apply the unit control RB tree to MMIO uncore units", " - perf/x86/uncore: Apply the unit control RB tree to MSR uncore units", " - perf/x86/uncore: Apply the unit control RB tree to PCI uncore units", " - perf/x86/uncore: Cleanup unused unit structure", " - perf/x86/intel/uncore: Support HBM and CXL PMON counters", " * Noble update: upstream stable patchset 2024-10-11 (LP: #2084225)", " - ALSA: seq: Skip event type filtering for UMP events", " - LoongArch: Remove the unused dma-direct.h", " - btrfs: fix a use-after-free when hitting errors inside btrfs_submit_chunk()", " - btrfs: run delayed iputs when flushing delalloc", " - smb/client: avoid dereferencing rdata=NULL in smb2_new_read_req()", " - pinctrl: rockchip: correct RK3328 iomux width flag for GPIO2-B pins", " - pinctrl: single: fix potential NULL dereference in pcs_get_function()", " - wifi: wfx: repair open network AP mode", " - wifi: mwifiex: duplicate static structs used in driver instances", " - net: mana: Fix race of mana_hwc_post_rx_wqe and new hwc response", " - mptcp: 
close subflow when receiving TCP+FIN", " - mptcp: sched: check both backup in retrans", " - mptcp: pm: reuse ID 0 after delete and re-add", " - mptcp: pm: skip connecting to already established sf", " - mptcp: pm: reset MPC endp ID when re-added", " - mptcp: pm: send ACK on an active subflow", " - mptcp: pm: do not remove already closed subflows", " - mptcp: pm: fix ID 0 endp usage after multiple re-creations", " - mptcp: pm: ADD_ADDR 0 is not a new address", " - selftests: mptcp: join: check removing ID 0 endpoint", " - selftests: mptcp: join: no extra msg if no counter", " - selftests: mptcp: join: check re-re-adding ID 0 endp", " - drm/amdgpu/swsmu: always force a state reprogram on init", " - drm/vmwgfx: Fix prime with external buffers", " - usb: typec: fix up incorrectly backported \"usb: typec: tcpm: unregister", " existing source caps before re-registration\"", " - ASoC: amd: acp: fix module autoloading", " - ASoC: SOF: amd: Fix for acp init sequence", " - pinctrl: mediatek: common-v2: Fix broken bias-disable for", " PULL_PU_PD_RSEL_TYPE", " - pinctrl: starfive: jh7110: Correct the level trigger configuration of iev", " register", " - ovl: pass string to ovl_parse_layer()", " - ovl: fix wrong lowerdir number check for parameter Opt_lowerdir", " - ovl: ovl_parse_param_lowerdir: Add missed '\\n' for pr_err", " - mm: Fix missing folio invalidation calls during truncation", " - cifs: Fix FALLOC_FL_PUNCH_HOLE support", " - selinux,smack: don't bypass permissions check in inode_setsecctx hook", " - iommufd: Do not allow creating areas without READ or WRITE", " - phy: fsl-imx8mq-usb: fix tuning parameter name", " - dmaengine: dw-edma: Fix unmasking STOP and ABORT interrupts for HDMA", " - dmaengine: dw-edma: Do not enable watermark interrupts for HDMA", " - phy: xilinx: phy-zynqmp: Fix SGMII linkup failure on resume", " - dmaengine: dw: Add peripheral bus width verification", " - dmaengine: dw: Add memory bus width verification", " - Bluetooth: btnxpuart: Resolve 
TX timeout error in power save stress test", " - Bluetooth: btnxpuart: Handle FW Download Abort scenario", " - Bluetooth: btnxpuart: Fix random crash seen while removing driver", " - Bluetooth: hci_core: Fix not handling hibernation actions", " - iommu: Do not return 0 from map_pages if it doesn't do anything", " - netfilter: nf_tables: restore IP sanity checks for netdev/egress", " - wifi: iwlwifi: fw: fix wgds rev 3 exact size", " - ethtool: check device is present when getting link settings", " - netfilter: nf_tables_ipv6: consider network offset in netdev/egress", " validation", " - selftests: forwarding: no_forwarding: Down ports on cleanup", " - selftests: forwarding: local_termination: Down ports on cleanup", " - bonding: implement xdo_dev_state_free and call it after deletion", " - bonding: extract the use of real_device into local variable", " - bonding: change ipsec_lock from spin lock to mutex", " - gtp: fix a potential NULL pointer dereference", " - sctp: fix association labeling in the duplicate COOKIE-ECHO case", " - drm/amd/display: avoid using null object of framebuffer", " - net: busy-poll: use ktime_get_ns() instead of local_clock()", " - nfc: pn533: Add poll mod list filling check", " - soc: qcom: cmd-db: Map shared memory as WC, not WB", " - soc: qcom: pmic_glink: Actually communicate when remote goes down", " - soc: qcom: pmic_glink: Fix race during initialization", " - cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller", " - scsi: sd: Ignore command SYNCHRONIZE CACHE error if format in progress", " - USB: serial: option: add MeiG Smart SRM825L", " - ARM: dts: imx6dl-yapp43: Increase LED current to match the yapp4 HW design", " - usb: dwc3: omap: add missing depopulate in probe error path", " - usb: dwc3: core: Prevent USB core invalid event buffer address access", " - usb: dwc3: st: fix probed platform device ref count on probe error path", " - usb: dwc3: st: add missing depopulate in probe error path", " - usb: core: sysfs: 
Unmerge @usb3_hardware_lpm_attr_group in", " remove_power_attributes()", " - usb: cdnsp: fix incorrect index in cdnsp_get_hw_deq function", " - usb: cdnsp: fix for Link TRB with TC", " - ARM: dts: omap3-n900: correct the accelerometer orientation", " - arm64: dts: imx8mp-beacon-kit: Fix Stereo Audio on WM8962", " - arm64: dts: imx93: add nvmem property for fec1", " - arm64: dts: imx93: add nvmem property for eqos", " - arm64: dts: imx93: update default value for snps,clk-csr", " - arm64: dts: freescale: imx93-tqma9352: fix CMA alloc-ranges", " - arm64: dts: freescale: imx93-tqma9352-mba93xxla: fix typo", " - scsi: aacraid: Fix double-free on probe failure", " - apparmor: fix policy_unpack_test on big endian systems", " - mptcp: pr_debug: add missing \\n at the end", " - mptcp: make pm_remove_addrs_and_subflows static", " - mptcp: pm: fix RM_ADDR ID for the initial subflow", " - mptcp: avoid duplicated SUB_CLOSED events", " - drm/i915/dsi: Make Lenovo Yoga Tab 3 X90F DMI match less strict", " - drm/vmwgfx: Prevent unmapping active read buffers", " - drm/vmwgfx: Disable coherent dumb buffers without 3d", " - firmware/sysfb: Set firmware-framebuffer parent device", " - firmware/sysfb: Create firmware device only for enabled PCI devices", " - video/aperture: optionally match the device in sysfb_disable()", " - drm/xe: Prepare display for D3Cold", " - drm/xe/display: Make display suspend/resume work on discrete", " - drm/xe/vm: Simplify if condition", " - drm/xe/exec_queue: Rename xe_exec_queue::compute to xe_exec_queue::lr", " - drm/xe: prevent UAF around preempt fence", " - pinctrl: qcom: x1e80100: Update PDC hwirq map", " - ASoC: SOF: amd: move iram-dram fence register programming sequence", " - nfsd: ensure that nfsd4_fattr_args.context is zeroed out", " - backing-file: convert to using fops->splice_write", " - pinctrl: qcom: x1e80100: Fix special pin offsets", " - afs: Fix post-setattr file edit to do truncation correctly", " - netfs: Fix netfs_release_folio() to 
say no if folio dirty", " - netfs: Fix missing iterator reset on retry of short read", " - dmaengine: ti: omap-dma: Initialize sglen after allocation", " - pktgen: use cpus_read_lock() in pg_net_init()", " - net_sched: sch_fq: fix incorrect behavior for small weights", " - tcp: fix forever orphan socket caused by tcp_abort", " - drm/xe/hwmon: Fix WRITE_I1 param from u32 to u16", " - usb: typec: fsa4480: Relax CHIP_ID check", " - firmware: qcom: scm: Mark get_wq_ctx() as atomic call", " - usb: gadget: uvc: queue pump work in uvcg_video_enable()", " - usb: dwc3: xilinx: add missing depopulate in probe error path", " - usb: typec: ucsi: Move unregister out of atomic section", " - firmware: microchip: fix incorrect error report of programming:timeout on", " success", " - Upstream stable to v6.6.49, v6.10.8", " * Fix blank screen on external display after reconnecting the USB type-C", " (LP: #2081786) // Noble update: upstream stable patchset 2024-10-11", " (LP: #2084225)", " - drm/i915/display: add intel_display -> drm_device backpointer", " - drm/i915/display: add generic to_intel_display() macro", " - drm/i915/dp_mst: Fix MST state after a sink reset", " * Noble update: upstream stable patchset 2024-10-09 (LP: #2084005)", " - tty: serial: fsl_lpuart: mark last busy before uart_add_one_port", " - tty: atmel_serial: use the correct RTS flag.", " - Revert \"ACPI: EC: Evaluate orphan _REG under EC device\"", " - Revert \"misc: fastrpc: Restrict untrusted app to attach to privileged PD\"", " - Revert \"usb: typec: tcpm: clear pd_event queue in PORT_RESET\"", " - selinux: revert our use of vma_is_initial_heap()", " - fuse: Initialize beyond-EOF page contents before setting uptodate", " - char: xillybus: Don't destroy workqueue from work item running on it", " - char: xillybus: Refine workqueue handling", " - char: xillybus: Check USB endpoints when probing device", " - ALSA: usb-audio: Add delay quirk for VIVO USB-C-XE710 HEADSET", " - ALSA: usb-audio: Support Yamaha P-125 
quirk entry", " - xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration", " - thunderbolt: Mark XDomain as unplugged when router is removed", " - ALSA: hda/tas2781: fix wrong calibrated data order", " - s390/dasd: fix error recovery leading to data corruption on ESE devices", " - KVM: s390: fix validity interception issue when gisa is switched off", " - riscv: change XIP's kernel_map.size to be size of the entire kernel", " - i2c: tegra: Do not mark ACPI devices as irq safe", " - ACPICA: Add a depth argument to acpi_execute_reg_methods()", " - ACPI: EC: Evaluate _REG outside the EC scope more carefully", " - arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to", " NUMA_NO_NODE", " - dm resume: don't return EINVAL when signalled", " - dm persistent data: fix memory allocation failure", " - fs/ntfs3: add prefix to bitmap_size() and use BITS_TO_U64()", " - s390/cio: rename bitmap_size() -> idset_bitmap_size()", " - btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits()", " - bitmap: introduce generic optimized bitmap_size()", " - fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE", " - i2c: qcom-geni: Add missing geni_icc_disable in geni_i2c_runtime_resume", " - rtla/osnoise: Prevent NULL dereference in error handling", " - net: mana: Fix RX buf alloc_size alignment and atomic op panic", " - net: mana: Fix doorbell out of order violation and avoid unnecessary", " doorbell rings", " - wifi: brcmfmac: cfg80211: Handle SSID based pmksa deletion", " - selinux: fix potential counting error in avc_add_xperms_decision()", " - selinux: add the processing of the failure of avc_add_xperms_decision()", " - mm/memory-failure: use raw_spinlock_t in struct memory_failure_cpu", " - btrfs: tree-checker: reject BTRFS_FT_UNKNOWN dir type", " - btrfs: zoned: properly take lock to read/update block group's zoned", " variables", " - btrfs: tree-checker: add dev extent item checks", " - drm/amdgpu: Actually check flags for all context ops.", 
" - memcg_write_event_control(): fix a user-triggerable oops", " - drm/amdgpu/jpeg2: properly set atomics vmid field", " - drm/amdgpu/jpeg4: properly set atomics vmid field", " - s390/uv: Panic for set and remove shared access UVC errors", " - bpf: Fix updating attached freplace prog in prog_array map", " - igc: Fix packet still tx after gate close by reducing i226 MAC retry buffer", " - igc: Fix qbv_config_change_errors logics", " - igc: Fix reset adapter logics when tx mode change", " - net/mlx5e: Take state lock during tx timeout reporter", " - net/mlx5e: Correctly report errors for ethtool rx flows", " - net: axienet: Fix register defines comment description", " - net: dsa: vsc73xx: pass value in phy_write operation", " - net: dsa: vsc73xx: use read_poll_timeout instead delay loop", " - net: dsa: vsc73xx: check busy flag in MDIO operations", " - net: ethernet: mtk_wed: fix use-after-free panic in", " mtk_wed_setup_tc_block_cb()", " - mlxbf_gige: disable RX filters until RX path initialized", " - mptcp: correct MPTCP_SUBFLOW_ATTR_SSN_OFFSET reserved size", " - tcp: Update window clamping condition", " - netfilter: allow ipv6 fragments to arrive on different devices", " - netfilter: flowtable: initialise extack before use", " - netfilter: nf_queue: drop packets with cloned unconfirmed conntracks", " - netfilter: nf_tables: Audit log dump reset after the fact", " - netfilter: nf_tables: Introduce nf_tables_getobj_single", " - netfilter: nf_tables: Add locking for NFT_MSG_GETOBJ_RESET requests", " - vsock: fix recursive ->recvmsg calls", " - selftests: net: lib: ignore possible errors", " - selftests: net: lib: kill PIDs before del netns", " - net: hns3: fix wrong use of semaphore up", " - net: hns3: use the user's cfg after reset", " - net: hns3: fix a deadlock problem when config TC during resetting", " - gpio: mlxbf3: Support shutdown() function", " - ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7", " - rust: work around `bindgen` 0.69.0 
issue", " - rust: suppress error messages from CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT", " - rust: fix the default format for CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT", " - cpu/SMT: Enable SMT only if a core is online", " - powerpc/topology: Check if a core is online", " - arm64: Fix KASAN random tag seed initialization", " - block: Fix lockdep warning in blk_mq_mark_tag_wait", " - wifi: ath12k: Add missing qmi_txn_cancel() calls", " - quota: Remove BUG_ON from dqget()", " - riscv: blacklist assembly symbols for kprobe", " - kernfs: fix false-positive WARN(nr_mmapped) in kernfs_drain_open_files", " - media: pci: cx23885: check cx23885_vdev_init() return", " - fs: binfmt_elf_efpic: don't use missing interpreter's properties", " - scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list()", " - media: drivers/media/dvb-core: copy user arrays safely", " - wifi: iwlwifi: mvm: avoid garbage iPN", " - net/sun3_82586: Avoid reading past buffer in debug output", " - drm/lima: set gp bus_stop bit before hard reset", " - gpio: sysfs: extend the critical section for unregistering sysfs devices", " - hrtimer: Select housekeeping CPU during migration", " - virtiofs: forbid newlines in tags", " - accel/habanalabs: fix debugfs files permissions", " - clocksource/drivers/arm_global_timer: Guard against division by zero", " - tick: Move got_idle_tick away from common flags", " - netlink: hold nlk->cb_mutex longer in __netlink_dump_start()", " - md: clean up invalid BUG_ON in md_ioctl", " - x86: Increase brk randomness entropy for 64-bit systems", " - memory: stm32-fmc2-ebi: check regmap_read return value", " - parisc: Use irq_enter_rcu() to fix warning at kernel/context_tracking.c:367", " - rxrpc: Don't pick values out of the wire header when setting up security", " - f2fs: stop checkpoint when get a out-of-bounds segment", " - powerpc/boot: Handle allocation failure in simple_realloc()", " - powerpc/boot: Only free if realloc() succeeds", " - btrfs: delayed-inode: drop 
pointless BUG_ON in __btrfs_remove_delayed_item()", " - btrfs: defrag: change BUG_ON to assertion in btrfs_defrag_leaves()", " - btrfs: change BUG_ON to assertion when checking for delayed_node root", " - btrfs: push errors up from add_async_extent()", " - btrfs: handle invalid root reference found in may_destroy_subvol()", " - btrfs: send: handle unexpected data in header buffer in begin_cmd()", " - btrfs: send: handle unexpected inode in header process_recorded_refs()", " - btrfs: change BUG_ON to assertion in tree_move_down()", " - btrfs: delete pointless BUG_ON check on quota root in", " btrfs_qgroup_account_extent()", " - f2fs: fix to do sanity check in update_sit_entry", " - usb: gadget: fsl: Increase size of name buffer for endpoints", " - nvme: clear caller pointer on identify failure", " - Bluetooth: bnep: Fix out-of-bound access", " - firmware: cirrus: cs_dsp: Initialize debugfs_root to invalid", " - rtc: nct3018y: fix possible NULL dereference", " - net: hns3: add checking for vf id of mailbox", " - nvmet-tcp: do not continue for invalid icreq", " - NFS: avoid infinite loop in pnfs_update_layout.", " - openrisc: Call setup_memory() earlier in the init sequence", " - s390/iucv: fix receive buffer virtual vs physical address confusion", " - irqchip/renesas-rzg2l: Do not set TIEN and TINT source at the same time", " - platform/x86: lg-laptop: fix %s null argument warning", " - usb: dwc3: core: Skip setting event buffers for host only controllers", " - irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc", " - ext4: set the type of max_zeroout to unsigned int to avoid overflow", " - nvmet-rdma: fix possible bad dereference when freeing rsps", " - selftests/bpf: Fix a few tests for GCC related warnings.", " - Revert \"bpf, sockmap: Prevent lock inversion deadlock in map delete elem\"", " - nvme: use srcu for iterating namespace list", " - drm/amdgpu: fix dereference null return value for the function", " amdgpu_vm_pt_parent", " - hrtimer: Prevent 
queuing of hrtimer without a function callback", " - nvme: fix namespace removal list", " - gtp: pull network headers in gtp_dev_xmit()", " - riscv: entry: always initialize regs->a0 to -ENOSYS", " - smb3: fix lock breakage for cached writes", " - dm suspend: return -ERESTARTSYS instead of -EINTR", " - selftests: memfd_secret: don't build memfd_secret test on unsupported arches", " - mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order", " fallback to order 0", " - btrfs: send: allow cloning non-aligned extent if it ends at i_size", " - drm/amd/amdgpu: command submission parser for JPEG", " - platform/surface: aggregator: Fix warning when controller is destroyed in", " probe", " - ALSA: hda/tas2781: Use correct endian conversion", " - Bluetooth: hci_core: Fix LE quote calculation", " - Bluetooth: SMP: Fix assumption of Central always being Initiator", " - net: mscc: ocelot: use ocelot_xmit_get_vlan_info() also for FDMA and", " register injection", " - net: mscc: ocelot: fix QoS class for injected packets with \"ocelot-8021q\"", " - net: mscc: ocelot: serialize access to the injection/extraction groups", " - tc-testing: don't access non-existent variable on exception", " - selftests: udpgro: report error when receive failed", " - tcp/dccp: bypass empty buckets in inet_twsk_purge()", " - tcp/dccp: do not care about families in inet_twsk_purge()", " - tcp: prevent concurrent execution of tcp_sk_exit_batch", " - net: mctp: test: Use correct skb for route input check", " - kcm: Serialise kcm_sendmsg() for the same socket.", " - netfilter: nft_counter: Disable BH in nft_counter_offload_stats().", " - netfilter: nft_counter: Synchronize nft_counter_reset() against reader.", " - ip6_tunnel: Fix broken GRO", " - bonding: fix bond_ipsec_offload_ok return type", " - bonding: fix null pointer deref in bond_ipsec_offload_ok", " - bonding: fix xfrm real_dev null pointer dereference", " - bonding: fix xfrm state handling when clearing active slave", " - ice: fix 
page reuse when PAGE_SIZE is over 8k", " - ice: fix ICE_LAST_OFFSET formula", " - ice: fix truesize operations for PAGE_SIZE >= 8192", " - dpaa2-switch: Fix error checking in dpaa2_switch_seed_bp()", " - igb: cope with large MAX_SKB_FRAGS", " - net: dsa: mv88e6xxx: Fix out-of-bound access", " - udp: fix receiving fraglist GSO packets", " - ipv6: fix possible UAF in ip6_finish_output2()", " - ipv6: prevent possible UAF in ip6_xmit()", " - bnxt_en: Fix double DMA unmapping for XDP_REDIRECT", " - netfilter: flowtable: validate vlan header", " - octeontx2-af: Fix CPT AF register offset calculation", " - net: xilinx: axienet: Always disable promiscuous mode", " - net: xilinx: axienet: Fix dangling multicast addresses", " - net: ovs: fix ovs_drop_reasons error", " - drm/msm/dpu: don't play tricks with debug macros", " - drm/msm/dp: fix the max supported bpp logic", " - drm/msm/dpu: split dpu_encoder_wait_for_event into two functions", " - drm/msm/dpu: capture snapshot on the first commit_done timeout", " - drm/msm/dpu: move dpu_encoder's connector assignment to atomic_enable()", " - drm/msm/dp: reset the link phy params before link training", " - drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails", " - drm/msm/dpu: take plane rotation into account for wide planes", " - drm/msm: fix the highest_bank_bit for sc7180", " - mmc: mmc_test: Fix NULL dereference on allocation failure", " - Bluetooth: MGMT: Add error handling to pair_device()", " - scsi: core: Fix the return value of scsi_logical_block_count()", " - ksmbd: the buffer of smb2 query dir response has at least 1 byte", " - drm/amdgpu: Validate TA binary size", " - net: dsa: microchip: fix PTP config failure when using multiple ports", " - MIPS: Loongson64: Set timer mode in cpu-probe", " - HID: wacom: Defer calculation of resolution until resolution_code is known", " - Input: i8042 - add forcenorestore quirk to leave controller untouched even", " on s3", " - Input: i8042 - use new forcenorestore quirk to 
replace old buggy quirk", " combination", " - cxgb4: add forgotten u64 ivlan cast before shift", " - KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3", " - mmc: mtk-sd: receive cmd8 data when hs400 tuning fail", " - mmc: dw_mmc: allow biu and ciu clocks to defer", " - smb3: fix broken cached reads when posix locks", " - pmdomain: imx: scu-pd: Remove duplicated clocks", " - pmdomain: imx: wait SSAR when i.MX93 power domain on", " - nouveau/firmware: use dma non-coherent allocator", " - mptcp: pm: re-using ID of unused removed ADD_ADDR", " - mptcp: pm: re-using ID of unused removed subflows", " - mptcp: pm: re-using ID of unused flushed subflows", " - mptcp: pm: remove mptcp_pm_remove_subflow()", " - mptcp: pm: only mark 'subflow' endp as available", " - mptcp: pm: only decrement add_addr_accepted for MPJ req", " - mptcp: pm: check add_addr_accept_max before accepting new ADD_ADDR", " - mptcp: pm: only in-kernel cannot have entries with ID 0", " - mptcp: pm: fullmesh: select the right ID later", " - mptcp: pm: avoid possible UaF when selecting endp", " - selftests: mptcp: join: validate fullmesh endp on 1st sf", " - selftests: mptcp: join: restrict fullmesh endp on 1st sf", " - selftests: mptcp: join: check re-using ID of closed subflow", " - tcp: do not export tcp_twsk_purge()", " - drm/msm/mdss: specify cfg bandwidth for SDM670", " - drm/panel: nt36523: Set 120Hz fps for xiaomi,elish panels", " - igc: Fix qbv tx latency by setting gtxoffset", " - ALSA: timer: Relax start tick time check for slave timer elements", " - bpf: Fix a kernel verifier crash in stacksafe()", " - selftests/bpf: Add a test to verify previous stacksafe() fix", " - Revert \"s390/dasd: Establish DMA alignment\"", " - Input: MT - limit max slots", " - tools: move alignment-related macros to new ", " - Revert \"serial: 8250_omap: Set the console genpd always on if no console", " suspend\"", " - usb: misc: ljca: Add Lunar Lake ljca GPIO HID to ljca_gpio_hids[]", " - usb: xhci: Check 
for xhci->interrupters being allocated in", " xhci_mem_clearup()", " - vfs: Don't evict inode under the inode lru traversing context", " - tracing: Return from tracing_buffers_read() if the file has been closed", " - mm: fix endless reclaim on machines with unaccepted memory", " - fs/netfs/fscache_cookie: add missing \"n_accesses\" check", " - mm/numa: no task_numa_fault() call if PMD is changed", " - mm/numa: no task_numa_fault() call if PTE is changed", " - btrfs: check delayed refs when we're checking if a ref exists", " - drm/amd/display: Adjust cursor position", " - drm/amd/display: fix s2idle entry for DCN3.5+", " - drm/amd/display: Enable otg synchronization logic for DCN321", " - drm/amd/display: fix cursor offset on rotation 180", " - netfs: Fault in smaller chunks for non-large folio mappings", " - libfs: fix infinite directory reads for offset dir", " - kallsyms: Avoid weak references for kallsyms symbols", " - kbuild: avoid unneeded kallsyms step 3", " - kbuild: refactor variables in scripts/link-vmlinux.sh", " - kbuild: remove PROVIDE() for kallsyms symbols", " - kallsyms: get rid of code for absolute kallsyms", " - [Config] Remove CONFIG_KALLSYMS_BASE_RELATIVE", " - kallsyms: Do not cleanup .llvm. 
suffix before sorting symbols", " - bpf: Replace deprecated strncpy with strscpy", " - kallsyms: replace deprecated strncpy with strscpy", " - kallsyms: rework symbol lookup return codes", " - kallsyms: Match symbols exactly with CONFIG_LTO_CLANG", " - drm/v3d: Fix out-of-bounds read in `v3d_csd_job_run()`", " - drm/amd/display: Don't register panel_power_savings on OLED panels", " - wifi: ath12k: use 128 bytes aligned iova in transmit path for WCN7850", " - kbuild: merge temporary vmlinux for BTF and kallsyms", " - kbuild: avoid scripts/kallsyms parsing /dev/null", " - Bluetooth: HCI: Invert LE State quirk to be opt-out rather then opt-in", " - net/mlx5: Fix IPsec RoCE MPV trace call", " - selftests: udpgro: no need to load xdp for gro", " - ice: use internal pf id instead of function number", " - drm/msm/dpu: limit QCM2290 to RGB formats only", " - drm/msm/dpu: relax YUV requirements", " - spi: spi-cadence-quadspi: Fix OSPI NOR failures during system resume", " - drm/xe/display: stop calling domains_driver_remove twice", " - drm/xe: Fix opregion leak", " - drm/xe/mmio: move mmio_fini over to devm", " - drm/xe: reset mmio mappings with devm", " - drm/xe: Fix tile fini sequence", " - drm/xe: Fix missing workqueue destroy in xe_gt_pagefault", " - drm/xe: Free job before xe_exec_queue_put", " - thermal/debugfs: Fix the NULL vs IS_ERR() confusion in debugfs_create_dir()", " - nvme: move stopping keep-alive into nvme_uninit_ctrl()", " - drm/amdgpu/sdma5.2: limit wptr workaround to sdma 5.2.1", " - s390/ap: Refine AP bus bindings complete processing", " - net: ngbe: Fix phy mode set to external phy", " - iommufd/device: Fix hwpt at err_unresv in iommufd_device_do_replace()", " - cgroup/cpuset: fix panic caused by partcmd_update", " - cgroup/cpuset: Clear effective_xcpus on cpus_allowed clearing only if", " cpus.exclusive not set", " - of: Introduce for_each_*_child_of_node_scoped() to automate of_node_put()", " handling", " - thermal: of: Fix OF node leak in 
thermal_of_trips_init() error path", " - thermal: of: Fix OF node leak in thermal_of_zone_register()", " - thermal: of: Fix OF node leak in of_thermal_zone_find() error paths", " - Upstream stable to v6.6.48, v6.10.7", " * Unable to list directories using CIFS on 6.8 kernel (LP: #2082423) // Noble", " update: upstream stable patchset 2024-10-09 (LP: #2084005)", " - smb: client: ignore unhandled reparse tags", " * CVE-2024-46759", " - hwmon: (adc128d818) Fix underflows seen when writing limit attributes", " * CVE-2024-46758", " - hwmon: (lm95234) Fix underflows seen when writing limit attributes", " * CVE-2024-46756", " - hwmon: (w83627ehf) Fix underflows seen when writing limit attributes", " * CVE-2024-46738", " - VMCI: Fix use-after-free when removing resource in vmci_resource_remove()", " * CVE-2024-46722", " - drm/amdgpu: fix mc_data out-of-bounds read warning", " * LXD fan bridge causes blocked tasks (LP: #2064176)", " - SAUCE: fan: release rcu_read_lock on skb discard path", " - SAUCE: fan: fix racy device stat update", " * x86/CPU/AMD: Add models 0x10-0x1f to the Zen5 range (LP: #2081863)", " - x86/CPU/AMD: Add models 0x60-0x6f to the Zen5 range", " * UBSAN: array-index-out-of-bounds in module mt76 (LP: #2081785)", " - wifi: mt76: mt7925: fix a potential array-index-out-of-bounds issue for clc", " * The system hangs after resume with thunderbolt monitor(AMD GPU [1002:1900])", " (LP: #2083182)", " - SAUCE: drm/amd/display: Fix system hang while resume with TBT monitor", " * [SRU] GPU: support additional device ids for DG2 driver (LP: #2083701)", " - drm/i915: Add new PCI IDs to DG2 platform in driver", " * [SRU]Intel Arrow Lake IBECC feature backport request for ubuntu 22.04.5 and", " 24.04.1 server (LP: #2077861)", " - EDAC/igen6: Add Intel Arrow Lake-U/H SoCs support", " * Noble update: upstream stable patchset 2024-10-07 (LP: #2083794)", " - ASoC: topology: Clean up route loading", " - ASoC: topology: Fix route memory corruption", " - LoongArch: Define 
__ARCH_WANT_NEW_STAT in unistd.h", " - sunrpc: don't change ->sv_stats if it doesn't exist", " - nfsd: stop setting ->pg_stats for unused stats", " - sunrpc: pass in the sv_stats struct through svc_create_pooled", " - sunrpc: remove ->pg_stats from svc_program", " - nfsd: remove nfsd_stats, make th_cnt a global counter", " - nfsd: make svc_stat per-network namespace instead of global", " - mm: gup: stop abusing try_grab_folio", " - nvme/pci: Add APST quirk for Lenovo N60z laptop", " - genirq/cpuhotplug: Skip suspended interrupts when restoring affinity", " - genirq/cpuhotplug: Retry with cpu_online_mask when migration fails", " - quota: Detect loops in quota tree", " - bpf: Replace bpf_lpm_trie_key 0-length array with flexible array", " - fs: Annotate struct file_handle with __counted_by() and use struct_size()", " - mISDN: fix MISDN_TIME_STAMP handling", " - mm/page_table_check: support userfault wr-protect entries", " - bpf, net: Use DEV_STAT_INC()", " - f2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC", " - f2fs: fix to cover read extent cache access with lock", " - fou: remove warn in gue_gro_receive on unsupported protocol", " - jfs: fix null ptr deref in dtInsertEntry", " - jfs: Fix shift-out-of-bounds in dbDiscardAG", " - fs/ntfs3: Do copy_to_user out of run_lock", " - ALSA: usb: Fix UBSAN warning in parse_audio_unit()", " - binfmt_flat: Fix corruption when not offsetting data start", " - mm/debug_vm_pgtable: drop RANDOM_ORVALUE trick", " - KVM: arm64: Don't defer TLB invalidation when zapping table entries", " - KVM: arm64: Don't pass a TLBI level hint when zapping table entries", " - drm/amd/display: Defer handling mst up request in resume", " - drm/amd/display: Guard cursor idle reallow by DC debug option", " - drm/amd/display: Separate setting and programming of cursor", " - drm/amd/display: Prevent IPX From Link Detect and Set Mode", " - ASoC: cs35l56: Patch CS35L56_IRQ1_MASK_18 to the default value", " - platform/x86/amd/pmf: 
Fix to Update HPD Data When ALS is Disabled", " - platform/x86: ideapad-laptop: introduce a generic notification chain", " - platform/x86: ideapad-laptop: move ymc_trigger_ec from lenovo-ymc", " - platform/x86: ideapad-laptop: add a mutex to synchronize VPC commands", " - drm/amd/display: Solve mst monitors blank out problem after resume", " - drm/amdgpu/display: Fix null pointer dereference in", " dc_stream_program_cursor_position", " - Upstream stable to v6.6.47, v6.10.6", " * Noble update: upstream stable patchset 2024-10-04 (LP: #2083656)", " - irqchip/mbigen: Fix mbigen node address layout", " - platform/x86/intel/ifs: Initialize union ifs_status to zero", " - jump_label: Fix the fix, brown paper bags galore", " - x86/mm: Fix pti_clone_pgtable() alignment assumption", " - x86/mm: Fix pti_clone_entry_text() for i386", " - smb: client: move most of reparse point handling code to common file", " - smb: client: set correct d_type for reparse DFS/DFSR and mount point", " - smb: client: handle lack of FSCTL_GET_REPARSE_POINT support", " - sctp: Fix null-ptr-deref in reuseport_add_sock().", " - net: usb: qmi_wwan: fix memory leak for not ip packets", " - net: bridge: mcast: wait for previous gc cycles when removing port", " - net: linkwatch: use system_unbound_wq", " - ice: Fix reset handler", " - Bluetooth: l2cap: always unlock channel in l2cap_conless_channel()", " - Bluetooth: hci_sync: avoid dup filtering when passive scanning with adv", " monitor", " - net/smc: add the max value of fallback reason count", " - net: dsa: bcm_sf2: Fix a possible memory leak in bcm_sf2_mdio_register()", " - l2tp: fix lockdep splat", " - net: bcmgenet: Properly overlay PHY and MAC Wake-on-LAN capabilities", " - net: fec: Stop PPS on driver remove", " - gpio: prevent potential speculation leaks in gpio_device_get_desc()", " - hwmon: corsair-psu: add USB id of HX1200i Series 2023 psu", " - rcutorture: Fix rcu_torture_fwd_cb_cr() data race", " - md: do not delete safemode_timer in 
mddev_suspend", " - md/raid5: avoid BUG_ON() while continue reshape after reassembling", " - block: change rq_integrity_vec to respect the iterator", " - rcu: Fix rcu_barrier() VS post CPUHP_TEARDOWN_CPU invocation", " - clocksource/drivers/sh_cmt: Address race condition for clock events", " - ACPI: battery: create alarm sysfs attribute atomically", " - ACPI: SBS: manage alarm sysfs attribute through psy core", " - xen: privcmd: Switch from mutex to spinlock for irqfds", " - wifi: nl80211: disallow setting special AP channel widths", " - wifi: ath12k: fix memory leak in ath12k_dp_rx_peer_frag_setup()", " - net/mlx5e: SHAMPO, Fix invalid WQ linked list unlink", " - selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT", " - af_unix: Don't retry after unix_state_lock_nested() in", " unix_stream_connect().", " - PCI: Add Edimax Vendor ID to pci_ids.h", " - udf: prevent integer overflow in udf_bitmap_free_blocks()", " - wifi: nl80211: don't give key data to userspace", " - can: mcp251xfd: tef: prepare to workaround broken TEF FIFO tail index", " erratum", " - can: mcp251xfd: tef: update workaround for erratum DS80000789E 6 of", " mcp2518fd", " - net: stmmac: qcom-ethqos: enable SGMII loopback during DMA reset on", " sa8775p-ride-r3", " - btrfs: do not clear page dirty inside extent_write_locked_range()", " - btrfs: fix invalid mapping of extent xarray state", " - btrfs: fix bitmap leak when loading free space cache on duplicate entry", " - Bluetooth: btnxpuart: Shutdown timer and prevent rearming when driver", " unloading", " - drm/amd/display: Add delay to improve LTTPR UHBR interop", " - drm/amdgpu: fix potential resource leak warning", " - drm/amdgpu/pm: Fix the param type of set_power_profile_mode", " - drm/amdgpu/pm: Fix the null pointer dereference for smu7", " - drm/amdgpu: Fix the null pointer dereference to ras_manager", " - drm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules", " - drm/admgpu: fix dereferencing null pointer 
context", " - drm/amdgpu: Add lock around VF RLCG interface", " - drm/amd/pm: Fix the null pointer dereference for vega10_hwmgr", " - media: amphion: Remove lock in s_ctrl callback", " - drm/amd/display: Add null checker before passing variables", " - media: uvcvideo: Ignore empty TS packets", " - media: uvcvideo: Fix the bandwdith quirk on USB 3.x", " - media: xc2028: avoid use-after-free in load_firmware_cb()", " - ext4: fix uninitialized variable in ext4_inlinedir_to_tree", " - jbd2: avoid memleak in jbd2_journal_write_metadata_buffer", " - s390/sclp: Prevent release of buffer in I/O", " - SUNRPC: Fix a race to wake a sync task", " - profiling: remove profile=sleep support", " - scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES", " - irqchip/meson-gpio: Convert meson_gpio_irq_controller::lock to", " 'raw_spinlock_t'", " - irqchip/loongarch-cpu: Fix return value of lpic_gsi_to_irq()", " - sched/cputime: Fix mul_u64_u64_div_u64() precision for cputime", " - net: drop bad gso csum_start and offset in virtio_net_hdr", " - arm64: Add Neoverse-V2 part", " - arm64: barrier: Restore spec_bar() macro", " - arm64: cputype: Add Cortex-X4 definitions", " - arm64: cputype: Add Neoverse-V3 definitions", " - arm64: errata: Add workaround for Arm errata 3194386 and 3312417", " - arm64: cputype: Add Cortex-X3 definitions", " - arm64: cputype: Add Cortex-A720 definitions", " - arm64: cputype: Add Cortex-X925 definitions", " - arm64: errata: Unify speculative SSBS errata logic", " - [Config] Set ARM64_ERRATUM_3194386=y", " - arm64: errata: Expand speculative SSBS workaround", " - arm64: cputype: Add Cortex-X1C definitions", " - arm64: cputype: Add Cortex-A725 definitions", " - arm64: errata: Expand speculative SSBS workaround (again)", " - i2c: smbus: Improve handling of stuck alerts", " - ASoC: codecs: wcd938x-sdw: Correct Soundwire ports mask", " - ASoC: codecs: wsa881x: Correct Soundwire ports mask", " - ASoC: codecs: wsa883x: parse port-mapping information", " - ASoC: 
codecs: wsa883x: Correct Soundwire ports mask", " - ASoC: codecs: wsa884x: parse port-mapping information", " - ASoC: codecs: wsa884x: Correct Soundwire ports mask", " - ASoC: sti: add missing probe entry for player and reader", " - spi: spidev: Add missing spi_device_id for bh2228fv", " - ASoC: SOF: Remove libraries from topology lookups", " - i2c: smbus: Send alert notifications to all devices if source not found", " - bpf: kprobe: remove unused declaring of bpf_kprobe_override", " - kprobes: Fix to check symbol prefixes correctly", " - i2c: qcom-geni: Add missing clk_disable_unprepare in geni_i2c_runtime_resume", " - i2c: qcom-geni: Add missing geni_icc_disable in geni_i2c_runtime_resume", " - spi: spi-fsl-lpspi: Fix scldiv calculation", " - ALSA: usb-audio: Re-add ScratchAmp quirk entries", " - ASoC: meson: axg-fifo: fix irq scheduling issue with PREEMPT_RT", " - cifs: cifs_inval_name_dfs_link_error: correct the check for fullpath", " - module: warn about excessively long module waits", " - module: make waiting for a concurrent module loader interruptible", " - drm/i915/gem: Fix Virtual Memory mapping boundaries calculation", " - drm/amd/display: Skip Recompute DSC Params if no Stream on Link", " - drm/amdgpu: Forward soft recovery errors to userspace", " - drm/i915/gem: Adjust vma offset for framebuffer mmap offset", " - drm/client: fix null pointer dereference in drm_client_modeset_probe", " - ALSA: line6: Fix racy access to midibuf", " - ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list", " - ALSA: hda/realtek: Add Framework Laptop 13 (Intel Core Ultra) to quirks", " - ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4", " - usb: vhci-hcd: Do not drop references before new references are gained", " - USB: serial: debug: do not echo input by default", " - usb: gadget: core: Check for unset descriptor", " - usb: gadget: midi2: Fix the response for FB info with block 0xff", " - usb: gadget: u_serial: Set start_delayed during suspend", " - 
usb: gadget: u_audio: Check return codes from usb_ep_enable and", " config_ep_by_speed.", " - scsi: mpi3mr: Avoid IOMMU page faults on REPORT ZONES", " - scsi: ufs: core: Do not set link to OFF state while waking up from", " hibernation", " - scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic", " - tick/broadcast: Move per CPU pointer access into the atomic section", " - vhost-vdpa: switch to use vmf_insert_pfn() in the fault handler", " - ntp: Clamp maxerror and esterror to operating range", " - clocksource: Scale the watchdog read retries automatically", " - clocksource: Fix brown-bag boolean thinko in cs_watchdog_read()", " - driver core: Fix uevent_show() vs driver detach race", " - tracefs: Fix inode allocation", " - tracefs: Use generic inode RCU for synchronizing freeing", " - ntp: Safeguard against time_constant overflow", " - timekeeping: Fix bogus clock_was_set() invocation in do_adjtimex()", " - serial: core: check uartclk for zero to avoid divide by zero", " - memcg: protect concurrent access to mem_cgroup_idr", " - parisc: fix unaligned accesses in BPF", " - parisc: fix a possible DMA corruption", " - ASoC: amd: yc: Add quirk entry for OMEN by HP Gaming Laptop 16-n0xxx", " - kcov: properly check for softirq context", " - irqchip/xilinx: Fix shift out of bounds", " - genirq/irqdesc: Honor caller provided affinity in alloc_desc()", " - LoongArch: Enable general EFI poweroff method", " - power: supply: qcom_battmgr: return EAGAIN when firmware service is not up", " - power: supply: axp288_charger: Fix constant_charge_voltage writes", " - power: supply: axp288_charger: Round constant_charge_voltage writes down", " - tracing: Fix overflow in get_free_elt()", " - padata: Fix possible divide-by-0 panic in padata_mt_helper()", " - smb3: fix setting SecurityFlags when encryption is required", " - eventfs: Don't return NULL in eventfs_create_dir()", " - eventfs: Use SRCU for freeing eventfs_inodes", " - selftests: mm: add s390 to ARCH check", 
" - btrfs: avoid using fixed char array size for tree names", " - x86/paravirt: Fix incorrect virt spinlock setting on bare metal", " - x86/mtrr: Check if fixed MTRRs exist before saving them", " - sched/smt: Introduce sched_smt_present_inc/dec() helper", " - sched/smt: Fix unbalance sched_smt_present dec/inc", " - sched/core: Introduce sched_set_rq_on/offline() helper", " - sched/core: Fix unbalance set_rq_online/offline() in sched_cpu_deactivate()", " - drm/bridge: analogix_dp: properly handle zero sized AUX transactions", " - drm/dp_mst: Skip CSN if topology probing is not done yet", " - drm/lima: Mark simple_ondemand governor as softdep", " - drm/mgag200: Set DDC timeout in milliseconds", " - drm/mgag200: Bind I2C lifetime to DRM device", " - drm/radeon: Remove __counted_by from StateArray.states[]", " - mptcp: fully established after ADD_ADDR echo on MPJ", " - mptcp: pm: deny endp with signal + subflow + port", " - block: use the right type for stub rq_integrity_vec()", " - btrfs: fix corruption after buffer fault in during direct IO append write", " - tools headers arm64: Sync arm64's cputype.h with the kernel sources", " - mm/hugetlb: fix potential race in __update_and_free_hugetlb_folio()", " - xfs: fix log recovery buffer allocation for the legacy h_size fixup", " - mptcp: pm: reduce indentation blocks", " - mptcp: pm: don't try to create sf if alloc failed", " - mptcp: pm: do not ignore 'subflow' if 'signal' flag is also set", " - selftests: mptcp: join: ability to invert ADD_ADDR check", " - selftests: mptcp: join: test both signal & subflow", " - Revert \"selftests: mptcp: simult flows: mark 'unbalanced' tests as flaky\"", " - btrfs: fix double inode unlock for direct IO sync writes", " - perf/x86/intel/cstate: Switch to new Intel CPU model defines", " - perf/x86/intel/cstate: Add Arrowlake support", " - perf/x86/intel/cstate: Add Lunarlake support", " - perf/x86/intel/cstate: Add pkg C2 residency counter for Sierra Forest", " - platform/x86: 
intel-vbtn: Protect ACPI notify handler against recursion", " - perf/x86/amd: Use try_cmpxchg() in events/amd/{un,}core.c", " - perf/x86/intel: Support the PEBS event mask", " - perf/x86: Support counter mask", " - perf/x86: Fix smp_processor_id()-in-preemptible warnings", " - virtio-net: unbreak vq resizing when coalescing is not negotiated", " - net: dsa: microchip: Fix Wake-on-LAN check to not return an error", " - net: dsa: microchip: disable EEE for KSZ8567/KSZ9567/KSZ9896/KSZ9897.", " - regmap: kunit: Use a KUnit action to call regmap_exit()", " - regmap: kunit: Replace a kmalloc/kfree() pair with KUnit-managed alloc", " - regmap: kunit: Fix memory leaks in gen_regmap() and gen_raw_regmap()", " - debugobjects: Annotate racy debug variables", " - nvme: apple: fix device reference counting", " - cpufreq: amd-pstate: Allow users to write 'default' EPP string", " - cpufreq: amd-pstate: auto-load pstate driver by default", " - soc: qcom: icc-bwmon: Allow for interrupts to be shared across instances", " - ACPI: resource: Skip IRQ override on Asus Vivobook Pro N6506MU", " - ACPI: resource: Skip IRQ override on Asus Vivobook Pro N6506MJ", " - thermal: intel: hfi: Give HFI instances package scope", " - wifi: ath12k: fix race due to setting ATH12K_FLAG_EXT_IRQ_ENABLED too early", " - wifi: rtlwifi: handle return value of usb init TX/RX", " - wifi: rtw89: pci: fix RX tag race condition resulting in wrong RX length", " - wifi: mac80211: fix NULL dereference at band check in starting tx ba session", " - bpf: add missing check_func_arg_reg_off() to prevent out-of-bounds memory", " accesses", " - mlxsw: pci: Lock configuration space of upstream bridge during reset", " - btrfs: do not BUG_ON() when freeing tree block after error", " - btrfs: reduce nesting for extent processing at btrfs_lookup_extent_info()", " - btrfs: fix data race when accessing the last_trans field of a root", " - drm/xe/preempt_fence: enlarge the fence critical section", " - drm/amd/display: Handle 
HPD_IRQ for internal link", " - drm/amd/amdkfd: Fix a resource leak in svm_range_validate_and_map()", " - drm/xe/xe_guc_submit: Fix exec queue stop race condition", " - drm/amd/display: Add null checks for 'stream' and 'plane' before", " dereferencing", " - drm/amd/display: Wake DMCUB before sending a command for replay feature", " - drm/amd/display: reduce ODM slice count to initial new dc state only when", " needed", " - of: Add cleanup.h based auto release via __free(device_node) markings", " - media: i2c: ov5647: replacing of_node_put with __free(device_node)", " - drm/amd/display: Fix null pointer deref in dcn20_resource.c", " - ext4: sanity check for NULL pointer after ext4_force_shutdown", " - mm, slub: do not call do_slab_free for kfence object", " - ASoC: cs35l56: Revert support for dual-ownership of ASP registers", " - drm/atomic: allow no-op FB_ID updates for async flips", " - drm/amd/display: Replace dm_execute_dmub_cmd with", " dc_wake_and_execute_dmub_cmd", " - drm/xe/rtp: Fix off-by-one when processing rules", " - drm/xe: Use dma_fence_chain_free in chain fence unused as a sync", " - drm/xe/hwmon: Fix PL1 disable flow in xe_hwmon_power_max_write", " - drm/xe: Move lrc snapshot capturing to xe_lrc.c", " - drm/xe: Minor cleanup in LRC handling", " - drm/test: fix the gem shmem test to map the sg table.", " - usb: typec: pd: no opencoding of FIELD_GET", " - usb: typec: fsa4480: Check if the chip is really there", " - PM: runtime: Simplify pm_runtime_get_if_active() usage", " - scsi: ufs: core: Fix deadlock during RTC update", " - serial: sc16is7xx: fix invalid FIFO access with special register set", " - tracing: Have format file honor EVENT_FILE_FL_FREED", " - mm: list_lru: fix UAF for memory cgroup", " - net/tcp: Disable TCP-AO static key after RCU grace period", " - Revert \"drm/amd/display: Handle HPD_IRQ for internal link\"", " - idpf: fix memleak in vport interrupt configuration", " - drm/amd/display: Add null check in 
resource_log_pipe_topology_update", " - Upstream stable to v6.6.46, v6.10.5", " * Noble update: upstream stable patchset 2024-10-02 (LP: #2083488)", " - sysctl: allow change system v ipc sysctls inside ipc namespace", " - sysctl: allow to change limits for posix messages queues", " - sysctl: treewide: drop unused argument ctl_table_root::set_ownership(table)", " - ext4: factor out a common helper to query extent map", " - ext4: check the extent status again before inserting delalloc block", " - leds: trigger: Store brightness set by led_trigger_event()", " - leds: trigger: Call synchronize_rcu() before calling trig->activate()", " - KVM: VMX: Move posted interrupt descriptor out of VMX code", " - fbdev/vesafb: Replace references to global screen_info by local pointer", " - video: Add helpers for decoding screen_info", " - [Config] Update CONFIG_SCREEN_INFO", " - video: Provide screen_info_get_pci_dev() to find screen_info's PCI device", " - firmware/sysfb: Update screen_info for relocated EFI framebuffers", " - mm: page_alloc: control latency caused by zone PCP draining", " - mm/page_alloc: fix pcp->count race between drain_pages_zone() vs", " __rmqueue_pcplist()", " - f2fs: fix to avoid use SSR allocate when do defragment", " - f2fs: assign CURSEG_ALL_DATA_ATGC if blkaddr is valid", " - dmaengine: fsl-edma: add address for channel mux register in fsl_edma_chan", " - dmaengine: fsl-edma: add i.MX8ULP edma support", " - perf: imx_perf: fix counter start and config sequence", " - MIPS: Loongson64: DTS: Fix PCIe port nodes for ls7a", " - MIPS: dts: loongson: Fix liointc IRQ polarity", " - MIPS: dts: loongson: Fix ls2k1000-rtc interrupt", " - ARM: 9406/1: Fix callchain_trace() return value", " - HID: amd_sfh: Move sensor discovery before HID device initialization", " - perf tool: fix dereferencing NULL al->maps", " - drm/nouveau: prime: fix refcount underflow", " - drm/vmwgfx: Fix overlay when using Screen Targets", " - drm/vmwgfx: Trigger a modeset when the screen 
moves", " - sched: act_ct: take care of padding in struct zones_ht_key", " - wifi: cfg80211: fix reporting failed MLO links status with", " cfg80211_connect_done", " - net: phy: realtek: add support for RTL8366S Gigabit PHY", " - ALSA: hda: conexant: Fix headset auto detect fail in the polling mode", " - Bluetooth: btintel: Fail setup on error", " - Bluetooth: hci_sync: Fix suspending with wrong filter policy", " - tcp: annotate data-races around tp->window_clamp", " - tcp: Adjust clamping window for applications specifying SO_RCVBUF", " - net: axienet: start napi before enabling Rx/Tx", " - rtnetlink: Don't ignore IFLA_TARGET_NETNSID when ifname is specified in", " rtnl_dellink().", " - i915/perf: Remove code to update PWR_CLK_STATE for gen12", " - ice: respect netif readiness in AF_XDP ZC related ndo's", " - ice: don't busy wait for Rx queue disable in ice_qp_dis()", " - ice: replace synchronize_rcu with synchronize_net", " - ice: add missing WRITE_ONCE when clearing ice_rx_ring::xdp_prog", " - drm/i915/hdcp: Fix HDCP2_STREAM_STATUS macro", " - net: mvpp2: Don't re-use loop iterator", " - net: phy: micrel: Fix the KSZ9131 MDI-X status issue", " - ALSA: hda: Conditionally use snooping for AMD HDMI", " - netfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init().", " - netfilter: iptables: Fix potential null-ptr-deref in", " ip6table_nat_table_init().", " - net/mlx5: Always drain health in shutdown callback", " - net/mlx5: Fix error handling in irq_pool_request_irq", " - net/mlx5: Lag, don't use the hardcoded value of the first port", " - net/mlx5: Fix missing lock on sync reset reload", " - net/mlx5e: Require mlx5 tc classifier action support for IPsec prio", " capability", " - net/mlx5e: Fix CT entry update leaks of modify header context", " - net/mlx5e: Add a check for the return value from mlx5_port_set_eth_ptys", " - igc: Fix double reset adapter triggered from a single taprio cmd", " - ipv6: fix ndisc_is_useropt() handling for PIO", " - perf: riscv: 
Fix selecting counters in legacy mode", " - riscv/mm: Add handling for VM_FAULT_SIGSEGV in mm_fault_error()", " - riscv: Fix linear mapping checks for non-contiguous memory regions", " - arm64: jump_label: Ensure patched jump_labels are visible to all CPUs", " - rust: SHADOW_CALL_STACK is incompatible with Rust", " - platform/chrome: cros_ec_proto: Lock device when updating MKBP version", " - HID: wacom: Modify pen IDs", " - btrfs: zoned: fix zone_unusable accounting on making block group read-write", " again", " - btrfs: do not subtract delalloc from avail bytes", " - protect the fetch of ->fd[fd] in do_dup2() from mispredictions", " - mptcp: sched: check both directions for backup", " - ALSA: usb-audio: Correct surround channels in UAC1 channel map", " - ALSA: hda/realtek: Add quirk for Acer Aspire E5-574G", " - ALSA: seq: ump: Optimize conversions from SysEx to UMP", " - Revert \"ALSA: firewire-lib: obsolete workqueue for period update\"", " - Revert \"ALSA: firewire-lib: operate for period elapse event in process", " context\"", " - drm/vmwgfx: Fix a deadlock in dma buf fence polling", " - drm/virtio: Fix type of dma-fence context variable", " - drm/i915: Fix possible int overflow in skl_ddi_calculate_wrpll()", " - net: usb: sr9700: fix uninitialized variable use in sr_mdio_read", " - r8169: don't increment tx_dropped in case of NETDEV_TX_BUSY", " - mptcp: fix user-space PM announced address accounting", " - mptcp: distinguish rcv vs sent backup flag in requests", " - mptcp: fix NL PM announced address accounting", " - mptcp: mib: count MPJ with backup flag", " - mptcp: fix bad RCVPRUNED mib accounting", " - mptcp: pm: only set request_bkup flag when sending MP_PRIO", " - mptcp: fix duplicate data handling", " - selftests: mptcp: always close input's FD if opened", " - selftests: mptcp: join: validate backup in MPJ", " - selftests: mptcp: join: check backup support in signal endp", " - mm/huge_memory: mark racy access onhuge_anon_orders_always", " - mm: fix 
khugepaged activation policy", " - x86/cpu/vfm: Add/initialize x86_vfm field to struct cpuinfo_x86", " - perf/x86/intel: Switch to new Intel CPU model defines", " - perf/x86/intel: Add a distinct name for Granite Rapids", " - drm/gpuvm: fix missing dependency to DRM_EXEC", " - netlink: specs: correct the spec of ethtool", " - ethtool: rss: echo the context number back", " - wifi: cfg80211: correct S1G beacon length calculation", " - ethtool: fix setting key and resetting indir at once", " - ice: modify error handling when setting XSK pool in ndo_bpf", " - ice: toggle netif_carrier when setting up XSK pool", " - ice: improve updating ice_{t,r}x_ring::xsk_pool", " - ice: xsk: fix txq interrupt mapping", " - drm/atomic: Allow userspace to use explicit sync with atomic async flips", " - drm/atomic: Allow userspace to use damage clips with async flips", " - riscv/purgatory: align riscv_kernel_entry", " - perf arch events: Fix duplicate RISC-V SBI firmware event name", " - RISC-V: Enable the IPI before workqueue_online_cpu()", " - ceph: force sending a cap update msg back to MDS for revoke op", " - drm/vmwgfx: Remove unused code", " - drm/vmwgfx: Fix handling of dumb buffers", " - drm/v3d: Prevent out of bounds access in performance query extensions", " - drm/v3d: Fix potential memory leak in the timestamp extension", " - drm/v3d: Fix potential memory leak in the performance extension", " - drm/v3d: Validate passed in drm syncobj handles in the timestamp extension", " - drm/v3d: Validate passed in drm syncobj handles in the performance extension", " - nouveau: set placement to original placement on uvmm validate.", " - wifi: ath12k: fix soft lockup on suspend", " - mptcp: pm: fix backup support in signal endpoints", " - selftests: mptcp: fix error path", " - Upstream stable to v6.6.45, v6.10.4", " * [SRU] Fix AST DP output after resume (LP: #2083022) // Noble update:", " upstream stable patchset 2024-10-02 (LP: #2083488)", " - drm/ast: astdp: Wake up during connector 
status detection", " - drm/ast: Fix black screen after resume", " * [SRU]Fail to locate the LED of NVME disk behind Intel VMD (LP: #2077287) //", " Noble update: upstream stable patchset 2024-10-02 (LP: #2083488)", " - PCI: pciehp: Retain Power Indicator bits for userspace indicators", " * Noble update: upstream stable patchset 2024-09-30 (LP: #2083196)", " - powerpc/configs: Update defconfig with now user-visible CONFIG_FSL_IFC", " - spi: spi-microchip-core: Fix the number of chip selects supported", " - spi: atmel-quadspi: Add missing check for clk_prepare", " - EDAC, i10nm: make skx_common.o a separate module", " - rcu/tasks: Fix stale task snaphot for Tasks Trace", " - platform/chrome: cros_ec_debugfs: fix wrong EC message version", " - ubd: refactor the interrupt handler", " - ubd: untagle discard vs write zeroes not support handling", " - block: initialize integrity buffer to zero before writing it to media", " - x86/kconfig: Add as-instr64 macro to properly evaluate AS_WRUSS", " - hfsplus: fix to avoid false alarm of circular locking", " - x86/of: Return consistent error type from x86_of_pci_irq_enable()", " - x86/pci/intel_mid_pci: Fix PCIBIOS_* return code handling", " - x86/pci/xen: Fix PCIBIOS_* return code handling", " - x86/platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos", " - cgroup/cpuset: Prevent UAF in proc_cpuset_show()", " - hwmon: (adt7475) Fix default duty on fan is disabled", " - block: Call .limit_depth() after .hctx has been set", " - block/mq-deadline: Fix the tag reservation code", " - md: Don't wait for MD_RECOVERY_NEEDED for HOT_REMOVE_DISK ioctl", " - pwm: stm32: Always do lazy disabling", " - nvmet-auth: fix nvmet_auth hash error handling", " - drm/meson: fix canvas release in bind function", " - pwm: atmel-tcb: Fix race condition and convert to guards", " - hwmon: (max6697) Fix underflow when writing limit attributes", " - hwmon: (max6697) Fix swapped temp{1,8} critical alarms", " - arm64: dts: qcom: sc8180x: Correct PCIe 
slave ports", " - arm64: dts: qcom: sc8180x: add power-domain to UFS PHY", " - arm64: dts: qcom: sdm845: add power-domain to UFS PHY", " - arm64: dts: qcom: sm6115: add power-domain to UFS PHY", " - arm64: dts: qcom: sm6350: add power-domain to UFS PHY", " - arm64: dts: qcom: sm8250: add power-domain to UFS PHY", " - arm64: dts: qcom: sm8350: add power-domain to UFS PHY", " - arm64: dts: qcom: sm8450: add power-domain to UFS PHY", " - arm64: dts: qcom: msm8996-xiaomi-common: drop excton from the USB PHY", " - arm64: dts: qcom: sdm850-lenovo-yoga-c630: fix IPA firmware path", " - arm64: dts: qcom: msm8998: enable adreno_smmu by default", " - soc: qcom: pmic_glink: Handle the return value of pmic_glink_init", " - soc: qcom: rpmh-rsc: Ensure irqs aren't disabled by rpmh_rsc_send_data()", " callers", " - arm64: dts: rockchip: Add sdmmc related properties on rk3308-rock-pi-s", " - arm64: dts: rockchip: Add pinctrl for UART0 to rk3308-rock-pi-s", " - arm64: dts: rockchip: Add mdio and ethernet-phy nodes to rk3308-rock-pi-s", " - arm64: dts: rockchip: Update WIFi/BT related nodes on rk3308-rock-pi-s", " - arm64: dts: qcom: msm8996: specify UFS core_clk frequencies", " - arm64: dts: qcom: sa8775p: mark ethernet devices as DMA-coherent", " - soc: xilinx: rename cpu_number1 to dummy_cpu_number", " - ARM: dts: sunxi: remove duplicated entries in makefile", " - ARM: dts: stm32: Add arm,no-tick-in-suspend to STM32MP15xx STGEN timer", " - arm64: dts: qcom: qrb4210-rb2: make L9A always-on", " - cpufreq: ti-cpufreq: Handle deferred probe with dev_err_probe()", " - OPP: ti: Fix ti_opp_supply_probe wrong return values", " - memory: fsl_ifc: Make FSL_IFC config visible and selectable", " - arm64: dts: ti: k3-am62x: Drop McASP AFIFOs", " - arm64: dts: ti: k3-am625-beagleplay: Drop McASP AFIFOs", " - arm64: dts: ti: k3-am62-verdin: Drop McASP AFIFOs", " - arm64: dts: qcom: qdu1000: Add secure qfprom node", " - soc: qcom: icc-bwmon: Fix refcount imbalance seen during bwmon_remove", " - 
soc: qcom: pdr: protect locator_addr with the main mutex", " - soc: qcom: pdr: fix parsing of domains lists", " - arm64: dts: rockchip: Increase VOP clk rate on RK3328", " - arm64: dts: amlogic: sm1: fix spdif compatibles", " - ARM: dts: imx6qdl-kontron-samx6i: fix phy-mode", " - ARM: dts: imx6qdl-kontron-samx6i: fix PHY reset", " - ARM: dts: imx6qdl-kontron-samx6i: fix board reset", " - ARM: dts: imx6qdl-kontron-samx6i: fix SPI0 chip selects", " - ARM: dts: imx6qdl-kontron-samx6i: fix PCIe reset polarity", " - arm64: dts: mediatek: mt8195: Fix GPU thermal zone name for SVS", " - arm64: dts: mediatek: mt8183-kukui: Drop bogus output-enable property", " - arm64: dts: mediatek: mt8192-asurada: Add off-on-delay-us for", " pp3300_mipibrdg", " - arm64: dts: mediatek: mt7622: fix \"emmc\" pinctrl mux", " - arm64: dts: mediatek: mt8183-kukui: Fix the value of `dlg,jack-det-rate`", " mismatch", " - arm64: dts: mediatek: mt8183-kukui-jacuzzi: Add ports node for anx7625", " - arm64: dts: amlogic: gx: correct hdmi clocks", " - arm64: dts: amlogic: add power domain to hdmitx", " - arm64: dts: amlogic: setup hdmi system clock", " - arm64: dts: rockchip: Drop invalid mic-in-differential on rk3568-rock-3a", " - arm64: dts: rockchip: Fix mic-in-differential usage on rk3566-roc-pc", " - arm64: dts: rockchip: Fix mic-in-differential usage on rk3568-evb1-v10", " - arm64: dts: renesas: r8a779a0: Add missing hypervisor virtual timer IRQ", " - arm64: dts: renesas: r8a779f0: Add missing hypervisor virtual timer IRQ", " - arm64: dts: renesas: r8a779g0: Add missing hypervisor virtual timer IRQ", " - arm64: dts: renesas: r9a07g043u: Add missing hypervisor virtual timer IRQ", " - arm64: dts: renesas: r9a07g044: Add missing hypervisor virtual timer IRQ", " - arm64: dts: renesas: r9a07g054: Add missing hypervisor virtual timer IRQ", " - m68k: atari: Fix TT bootup freeze / unexpected (SCU) interrupt messages", " - arm64: dts: imx8mp: Fix pgc_mlmix location", " - arm64: dts: imx8mp: add HDMI 
power-domains", " - arm64: dts: imx8mp: Fix pgc vpu locations", " - x86/xen: Convert comma to semicolon", " - arm64: dts: rockchip: Add missing power-domains for rk356x vop_mmu", " - arm64: dts: rockchip: fix regulator name for Lunzn Fastrhino R6xS", " - arm64: dts: rockchip: fix usb regulator for Lunzn Fastrhino R6xS", " - arm64: dts: rockchip: fix pmu_io supply for Lunzn Fastrhino R6xS", " - arm64: dts: rockchip: remove unused usb2 nodes for Lunzn Fastrhino R6xS", " - arm64: dts: rockchip: disable display subsystem for Lunzn Fastrhino R6xS", " - arm64: dts: rockchip: fixes PHY reset for Lunzn Fastrhino R68S", " - arm64: dts: qcom: sm6350: Add missing qcom,non-secure-domain property", " - cpufreq/amd-pstate: Fix the scaling_max_freq setting on shared memory CPPC", " systems", " - m68k: cmpxchg: Fix return value for default case in __arch_xchg()", " - ARM: spitz: fix GPIO assignment for backlight", " - vmlinux.lds.h: catch .bss..L* sections into BSS\")", " - firmware: turris-mox-rwtm: Do not complete if there are no waiters", " - firmware: turris-mox-rwtm: Fix checking return value of", " wait_for_completion_timeout()", " - firmware: turris-mox-rwtm: Initialize completion before mailbox", " - wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device", " - wifi: ath12k: Correct 6 GHz frequency value in rx status", " - wifi: ath12k: Fix tx completion ring (WBM2SW) setup failure", " - bpftool: Un-const bpf_func_info to fix it for llvm 17 and newer", " - selftests/bpf: Fix prog numbers in test_sockmap", " - net: esp: cleanup esp_output_tail_tcp() in case of unsupported ESPINTCP", " - wifi: ath12k: change DMA direction while mapping reinjected packets", " - wifi: ath12k: fix invalid memory access while processing fragmented packets", " - wifi: ath12k: fix firmware crash during reo reinject", " - wifi: ath11k: fix wrong definition of CE ring's base address", " - wifi: ath12k: fix wrong definition of CE ring's base address", " - tcp: add tcp_done_with_error() 
helper", " - tcp: fix race in tcp_write_err()", " - tcp: fix races in tcp_v[46]_err()", " - net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when", " CONFIG_ARCH_NO_SG_CHAIN is defined", " - selftests/bpf: Check length of recv in test_sockmap", " - udf: Fix lock ordering in udf_evict_inode()", " - lib: objagg: Fix general protection fault", " - mlxsw: spectrum_acl_erp: Fix object nesting warning", " - mlxsw: spectrum_acl: Fix ACL scale regression and firmware errors", " - perf/x86: Serialize set_attr_rdpmc()", " - jump_label: Fix concurrency issues in static_key_slow_dec()", " - wifi: ath11k: fix wrong handling of CCMP256 and GCMP ciphers", " - wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he()", " - wifi: cfg80211: handle 2x996 RU allocation in", " cfg80211_calculate_bitrate_he()", " - udf: Fix bogus checksum computation in udf_rename()", " - net: fec: Refactor: #define magic constants", " - net: fec: Fix FEC_ECR_EN1588 being cleared on link-down", " - libbpf: Checking the btf_type kind when fixing variable offsets", " - xfrm: Fix unregister netdevice hang on hardware offload.", " - ipvs: Avoid unnecessary calls to skb_is_gso_sctp", " - netfilter: nf_tables: rise cap on SELinux secmark context", " - wifi: rtw89: 8852b: fix definition of KIP register number", " - wifi: rtl8xxxu: 8188f: Limit TX power index", " - xfrm: Export symbol xfrm_dev_state_delete.", " - bpftool: Mount bpffs when pinmaps path not under the bpffs", " - perf/x86/intel/pt: Fix pt_topa_entry_for_page() address calculation", " - perf: Fix perf_aux_size() for greater-than 32-bit size", " - perf: Prevent passing zero nr_pages to rb_alloc_aux()", " - perf: Fix default aux_watermark calculation", " - perf/x86/intel/cstate: Fix Alderlake/Raptorlake/Meteorlake", " - wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter()", " - xfrm: fix netdev reference count imbalance", " - xfrm: call xfrm_dev_policy_delete when kill policy", " - wifi: virt_wifi: avoid reporting connection 
success with wrong SSID", " - gss_krb5: Fix the error handling path for crypto_sync_skcipher_setkey", " - wifi: virt_wifi: don't use strlen() in const context", " - locking/rwsem: Add __always_inline annotation to __down_write_common() and", " inlined callers", " - selftests/bpf: Close fd in error path in drop_on_reuseport", " - selftests/bpf: Null checks for links in bpf_tcp_ca", " - selftests/bpf: Close obj in error path in xdp_adjust_tail", " - selftests/resctrl: Convert perror() to ksft_perror() or ksft_print_msg()", " - selftests/resctrl: Fix closing IMC fds on error and open-code R+W instead of", " loops", " - bpf: annotate BTF show functions with __printf", " - bna: adjust 'name' buf size of bna_tcb and bna_ccb structures", " - bpf: Eliminate remaining \"make W=1\" warnings in kernel/bpf/btf.o", " - bpf: Fix null pointer dereference in resolve_prog_type() for", " BPF_PROG_TYPE_EXT", " - selftests: forwarding: devlink_lib: Wait for udev events after reloading", " - Bluetooth: hci_bcm4377: Use correct unit for timeouts", " - Bluetooth: btintel: Refactor btintel_set_ppag()", " - Bluetooth: btnxpuart: Add handling for boot-signature timeout errors", " - xdp: fix invalid wait context of page_pool_destroy()", " - net: bridge: mst: Check vlan state for egress decision", " - drm/rockchip: vop2: Fix the port mux of VP2", " - drm/arm/komeda: Fix komeda probe failing if there are no links in the", " secondary pipeline", " - drm/amdkfd: Fix CU Masking for GFX 9.4.3", " - drm/mipi-dsi: Fix theoretical int overflow in mipi_dsi_dcs_write_seq()", " - drm/mipi-dsi: Fix theoretical int overflow in mipi_dsi_generic_write_seq()", " - drm/amd/pm: Fix aldebaran pcie speed reporting", " - drm/amdgpu: Fix memory range calculation", " - drm/amdgpu: Check if NBIO funcs are NULL in amdgpu_device_baco_exit", " - drm/amdgpu: Remove GC HW IP 9.3.0 from noretry=1", " - drm/panel: himax-hx8394: Handle errors from mipi_dsi_dcs_set_display_on()", " better", " - drm/panel: boe-tv101wum-nl6: 
If prepare fails, disable GPIO before", " regulators", " - drm/panel: boe-tv101wum-nl6: Check for errors on the NOP in prepare()", " - drm/bridge: Fixed a DP link training bug", " - drm/bridge: it6505: fix hibernate to resume no display issue", " - media: pci: ivtv: Add check for DMA map result", " - media: imon: Fix race getting ictx->lock", " - media: i2c: Fix imx412 exposure control", " - media: v4l: async: Fix NULL pointer dereference in adding ancillary links", " - s390/mm: Convert make_page_secure to use a folio", " - s390/mm: Convert gmap_make_secure to use a folio", " - s390/uv: Don't call folio_wait_writeback() without a folio reference", " - media: mediatek: vcodec: Handle invalid decoder vsi", " - x86/shstk: Make return uprobe work with shadow stack", " - ipmi: ssif_bmc: prevent integer overflow on 32bit systems", " - saa7134: Unchecked i2c_transfer function result fixed", " - media: i2c: imx219: fix msr access command sequence", " - media: uvcvideo: Disable autosuspend for Insta360 Link", " - media: uvcvideo: Quirk for invalid dev_sof in Logitech C922", " - media: uvcvideo: Add quirk for invalid dev_sof in Logitech C920", " - media: uvcvideo: Override default flags", " - drm: zynqmp_dpsub: Fix an error handling path in zynqmp_dpsub_probe()", " - drm: zynqmp_kms: Fix AUX bus not getting unregistered", " - media: rcar-vin: Fix YUYV8_1X16 handling for CSI-2", " - media: rcar-csi2: Disable runtime_pm in probe error", " - media: rcar-csi2: Cleanup subdevice in remove()", " - media: renesas: vsp1: Fix _irqsave and _irq mix", " - media: renesas: vsp1: Store RPF partition configuration per RPF instance", " - drm/mediatek: Add missing plane settings when async update", " - drm/mediatek: Use 8-bit alpha in ETHDR", " - drm/mediatek: Fix XRGB setting error in OVL", " - drm/mediatek: Fix XRGB setting error in Mixer", " - drm/mediatek: Fix destination alpha error in OVL", " - drm/mediatek: Turn off the layers with zero width or height", " - drm/mediatek: Add OVL 
compatible name for MT8195", " - media: imx-jpeg: Drop initial source change event if capture has been setup", " - leds: trigger: Unregister sysfs attributes before calling deactivate()", " - drm/msm/dsi: set VIDEO_COMPRESSION_MODE_CTRL_WC", " - drm/msm/dpu: drop validity checks for clear_pending_flush() ctl op", " - perf test: Make test_arm_callgraph_fp.sh more robust", " - perf pmus: Fixes always false when compare duplicates aliases", " - perf report: Fix condition in sort__sym_cmp()", " - drm/etnaviv: fix DMA direction handling for cached RW buffers", " - drm/qxl: Add check for drm_cvt_mode", " - Revert \"leds: led-core: Fix refcount leak in of_led_get()\"", " - drm/mediatek: Remove less-than-zero comparison of an unsigned value", " - ext4: fix infinite loop when replaying fast_commit", " - drm/mediatek/dp: switch to ->edid_read callback", " - drm/mediatek/dp: Fix spurious kfree()", " - media: venus: flush all buffers in output plane streamoff", " - perf intel-pt: Fix aux_watermark calculation for 64-bit size", " - perf intel-pt: Fix exclude_guest setting", " - mfd: rsmu: Split core code into separate module", " - mfd: omap-usb-tll: Use struct_size to allocate tll", " - xprtrdma: Fix rpcrdma_reqs_reset()", " - SUNRPC: avoid soft lockup when transmitting UDP to reachable server.", " - NFSv4.1 another fix for EXCHGID4_FLAG_USE_PNFS_DS for DS server", " - ext4: don't track ranges in fast_commit if inode has inlined data", " - ext4: avoid writing unitialized memory to disk in EA inodes", " - leds: flash: leds-qcom-flash: Test the correct variable in init", " - sparc64: Fix incorrect function signature and add prototype for", " prom_cif_init", " - SUNRPC: Fixup gss_status tracepoint error output", " - iio: Fix the sorting functionality in iio_gts_build_avail_time_table", " - PCI: Fix resource double counting on remove & rescan", " - PCI: keystone: Relocate ks_pcie_set/clear_dbi_mode()", " - PCI: keystone: Don't enable BAR 0 for AM654x", " - PCI: keystone: Fix NULL 
pointer dereference in case of DT error in", " ks_pcie_setup_rc_app_regs()", " - PCI: rcar: Demote WARN() to dev_warn_ratelimited() in rcar_pcie_wakeup()", " - scsi: ufs: mcq: Fix missing argument 'hba' in MCQ_OPR_OFFSET_n", " - clk: qcom: gcc-sc7280: Update force mem core bit for UFS ICE clock", " - clk: qcom: camcc-sc7280: Add parent dependency to all camera GDSCs", " - iio: frequency: adrf6780: rm clk provider include", " - coresight: Fix ref leak when of_coresight_parse_endpoint() fails", " - RDMA/mlx5: Set mkeys for dmabuf at PAGE_SIZE", " - ASoc: tas2781: Enable RCA-based playback without DSP firmware download", " - ASoC: cs35l56: Accept values greater than 0 as IRQ numbers", " - usb: typec-mux: nb7vpq904m: unregister typec switch on probe error and", " remove", " - RDMA/cache: Release GID table even if leak is detected", " - clk: qcom: gpucc-sm8350: Park RCG's clk source at XO during disable", " - clk: qcom: gcc-sa8775p: Update the GDSC wait_val fields and flags", " - clk: qcom: gpucc-sa8775p: Remove the CLK_IS_CRITICAL and ALWAYS_ON flags", " - clk: qcom: gpucc-sa8775p: Park RCG's clk source at XO during disable", " - clk: qcom: gpucc-sa8775p: Update wait_val fields for GPU GDSC's", " - interconnect: qcom: qcm2290: Fix mas_snoc_bimc RPM master ID", " - Input: qt1050 - handle CHIP_ID reading error", " - RDMA/mlx4: Fix truncated output warning in mad.c", " - RDMA/mlx4: Fix truncated output warning in alias_GUID.c", " - RDMA/mlx5: Use sq timestamp as QP timestamp when RoCE is disabled", " - RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs", " - ASoC: qcom: Adjust issues in case of DT error in", " asoc_qcom_lpass_cpu_platform_probe()", " - scsi: lpfc: Fix a possible null pointer dereference", " - hwrng: core - Fix wrong quality calculation at hw rng registration", " - powerpc/prom: Add CPU info to hardware description string later", " - ASoC: max98088: Check for clk_prepare_enable() error", " - mtd: make mtd_test.c a separate module", " - RDMA/device: Return 
error earlier if port in not valid", " - Input: elan_i2c - do not leave interrupt disabled on suspend failure", " - ASoC: amd: Adjust error handling in case of absent codec device", " - PCI: endpoint: Clean up error handling in vpci_scan_bus()", " - PCI: endpoint: Fix error handling in epf_ntb_epc_cleanup()", " - vhost/vsock: always initialize seqpacket_allow", " - net: missing check virtio", " - nvmem: rockchip-otp: set add_legacy_fixed_of_cells config option", " - crypto: qat - extend scope of lock in adf_cfg_add_key_value_param()", " - clk: qcom: kpss-xcc: Return of_clk_add_hw_provider to transfer the error", " - clk: qcom: Park shared RCGs upon registration", " - clk: en7523: fix rate divider for slic and spi clocks", " - MIPS: Octeron: remove source file executable bit", " - PCI: qcom-ep: Disable resources unconditionally during PERST# assert", " - PCI: dwc: Fix index 0 incorrectly being interpreted as a free ATU slot", " - powerpc/xmon: Fix disassembly CPU feature checks", " - macintosh/therm_windtunnel: fix module unload.", " - RDMA/hns: Check atomic wr length", " - RDMA/hns: Fix unmatch exception handling when init eq table fails", " - RDMA/hns: Fix missing pagesize and alignment check in FRMR", " - RDMA/hns: Fix shift-out-bounds when max_inline_data is 0", " - RDMA/hns: Fix undifined behavior caused by invalid max_sge", " - RDMA/hns: Fix insufficient extend DB for VFs.", " - iommu/vt-d: Fix identity map bounds in si_domain_init()", " - RDMA/core: Remove NULL check before dev_{put, hold}", " - RDMA: Fix netdev tracker in ib_device_set_netdev", " - bnxt_re: Fix imm_data endianness", " - netfilter: ctnetlink: use helper function to calculate expect ID", " - netfilter: nf_set_pipapo: fix initial map fill", " - ipvs: properly dereference pe in ip_vs_add_service", " - gve: Fix XDP TX completion handling when counters overflow", " - net: flow_dissector: use DEBUG_NET_WARN_ON_ONCE", " - ipv4: Fix incorrect TOS in route get reply", " - ipv4: Fix incorrect TOS in 
fibmatch route get reply", " - net: dsa: mv88e6xxx: Limit chip-wide frame size config to CPU ports", " - net: dsa: b53: Limit chip-wide jumbo frame config to CPU ports", " - fs/ntfs3: Merge synonym COMPRESSION_UNIT and NTFS_LZNT_CUNIT", " - fs/ntfs3: Fix transform resident to nonresident for compressed files", " - fs/ntfs3: Deny getting attr data block in compressed frame", " - fs/ntfs3: Missed NI_FLAG_UPDATE_PARENT setting", " - fs/ntfs3: Fix getting file type", " - fs/ntfs3: Add missing .dirty_folio in address_space_operations", " - pinctrl: rockchip: update rk3308 iomux routes", " - pinctrl: core: fix possible memory leak when pinctrl_enable() fails", " - pinctrl: single: fix possible memory leak when pinctrl_enable() fails", " - pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable()", " fails", " - pinctrl: freescale: mxs: Fix refcount of child", " - fs/ntfs3: Replace inode_trylock with inode_lock", " - fs/ntfs3: Correct undo if ntfs_create_inode failed", " - fs/ntfs3: Drop stray '\\' (backslash) in formatting string", " - fs/ntfs3: Fix field-spanning write in INDEX_HDR", " - pinctrl: renesas: r8a779g0: Fix CANFD5 suffix", " - pinctrl: renesas: r8a779g0: Fix FXR_TXEN[AB] suffixes", " - pinctrl: renesas: r8a779g0: Fix (H)SCIF1 suffixes", " - pinctrl: renesas: r8a779g0: Fix (H)SCIF3 suffixes", " - pinctrl: renesas: r8a779g0: Fix IRQ suffixes", " - pinctrl: renesas: r8a779g0: FIX PWM suffixes", " - pinctrl: renesas: r8a779g0: Fix TCLK suffixes", " - pinctrl: renesas: r8a779g0: Fix TPU suffixes", " - fs/proc/task_mmu: indicate PM_FILE for PMD-mapped file THP", " - fs/proc/task_mmu.c: add_to_pagemap: remove useless parameter addr", " - fs/proc/task_mmu: don't indicate PM_MMAP_EXCLUSIVE without PM_PRESENT", " - fs/proc/task_mmu: properly detect PM_MMAP_EXCLUSIVE per page of PMD-mapped", " THPs", " - nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro", " - rtc: interface: Add RTC offset to alarm after fix-up", " - fs/ntfs3: Fix the format of the 
\"nocase\" mount option", " - fs/ntfs3: Missed error return", " - fs/ntfs3: Keep runs for $MFT::$ATTR_DATA and $MFT::$ATTR_BITMAP", " - powerpc/8xx: fix size given to set_huge_pte_at()", " - s390/dasd: fix error checks in dasd_copy_pair_store()", " - sbitmap: use READ_ONCE to access map->word", " - sbitmap: fix io hung due to race on sbitmap_word::cleared", " - LoongArch: Check TIF_LOAD_WATCH to enable user space watchpoint", " - landlock: Don't lose track of restrictions on cred_transfer", " - hugetlb: force allocating surplus hugepages on mempolicy allowed nodes", " - mm/hugetlb: fix possible recursive locking detected warning", " - mm/mglru: fix div-by-zero in vmpressure_calc_level()", " - mm: mmap_lock: replace get_memcg_path_buf() with on-stack buffer", " - mm/mglru: fix overshooting shrinker memory", " - x86/efistub: Avoid returning EFI_SUCCESS on error", " - x86/efistub: Revert to heap allocated boot_params for PE entrypoint", " - exfat: fix potential deadlock on __exfat_get_dentry_set", " - dt-bindings: thermal: correct thermal zone node name limit", " - tick/broadcast: Make takeover of broadcast hrtimer reliable", " - net: netconsole: Disable target before netpoll cleanup", " - af_packet: Handle outgoing VLAN packets without hardware offloading", " - btrfs: fix extent map use-after-free when adding pages to compressed bio", " - kernel: rerun task_work while freezing in get_signal()", " - ipv4: fix source address selection with route leak", " - ipv6: take care of scope when choosing the src addr", " - NFSD: Support write delegations in LAYOUTGET", " - sched/fair: set_load_weight() must also call reweight_task() for SCHED_IDLE", " tasks", " - fuse: verify {g,u}id mount options correctly", " - ata: libata-scsi: Fix offsets for the fixed format sense data", " - char: tpm: Fix possible memory leak in tpm_bios_measurements_open()", " - media: venus: fix use after free in vdec_close", " - ata: libata-scsi: Do not overwrite valid sense data when CK_COND=1", " - 
hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()", " - ext2: Verify bitmap and itable block numbers before using them", " - io_uring/io-wq: limit retrying worker initialisation", " - drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes", " - drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes", " - scsi: qla2xxx: Fix optrom version displayed in FDMI", " - drm/amd/display: Check for NULL pointer", " - apparmor: use kvfree_sensitive to free data->data", " - cifs: fix potential null pointer use in destroy_workqueue in init_cifs error", " path", " - cifs: fix reconnect with SMB1 UNIX Extensions", " - cifs: mount with \"unix\" mount option for SMB1 incorrectly handled", " - task_work: s/task_work_cancel()/task_work_cancel_func()/", " - task_work: Introduce task_work_cancel() again", " - udf: Avoid using corrupted block bitmap buffer", " - m68k: amiga: Turn off Warp1260 interrupts during boot", " - ext4: check dot and dotdot of dx_root before making dir indexed", " - ext4: make sure the first directory block is not a hole", " - io_uring: tighten task exit cancellations", " - trace/pid_list: Change gfp flags in pid_list_fill_irq()", " - selftests/landlock: Add cred_transfer test", " - wifi: mwifiex: Fix interface type change", " - wifi: rtw88: usb: Fix disconnection after beacon loss", " - drivers: soc: xilinx: check return status of get_api_version()", " - leds: ss4200: Convert PCIBIOS_* return codes to errnos", " - leds: mt6360: Fix memory leak in mt6360_init_isnk_properties()", " - media: imx-pxp: Fix ERR_PTR dereference in pxp_probe()", " - jbd2: make jbd2_journal_get_max_txn_bufs() internal", " - jbd2: precompute number of transaction descriptor blocks", " - jbd2: avoid infinite transaction commit loop", " - media: uvcvideo: Fix integer overflow calculating timestamp", " - KVM: VMX: Split out the non-virtualization part of vmx_interrupt_blocked()", " - KVM: nVMX: Request immediate exit iff pending nested event 
needs injection", " - ALSA: ump: Don't update FB name for static blocks", " - ALSA: ump: Force 1 Group for MIDI1 FBs", " - ALSA: usb-audio: Fix microphone sound on HD webcam.", " - ALSA: usb-audio: Move HD Webcam quirk to the right place", " - ALSA: usb-audio: Add a quirk for Sonix HD USB Camera", " - tools/memory-model: Fix bug in lock.cat", " - hwrng: amd - Convert PCIBIOS_* return codes to errnos", " - parisc: Fix warning at drivers/pci/msi/msi.h:121", " - PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN", " - PCI: dw-rockchip: Fix initial PERST# GPIO value", " - PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio", " - PCI: loongson: Enable MSI in LS7A Root Complex", " - binder: fix hang of unregistered readers", " - hostfs: fix dev_t handling", " - efi/libstub: Zero initialize heap allocated struct screen_info", " - fs/ntfs3: Update log->page_{mask,bits} if log->page_size changed", " - scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds", " - ASoC: fsl: fsl_qmc_audio: Check devm_kasprintf() returned value", " - f2fs: fix to force buffered IO on inline_data inode", " - f2fs: fix to don't dirty inode for readonly filesystem", " - f2fs: fix return value of f2fs_convert_inline_inode()", " - f2fs: use meta inode for GC of atomic file", " - f2fs: use meta inode for GC of COW file", " - clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use", " - ubi: eba: properly rollback inside self_check_eba", " - block: fix deadlock between sd_remove & sd_release", " - mm: fix old/young bit handling in the faulting path", " - decompress_bunzip2: fix rare decompression failure", " - kbuild: Fix '-S -c' in x86 stack protector scripts", " - ASoC: SOF: ipc4-topology: Preserve the DMA Link ID for ChainDMA on unprepare", " - ASoC: amd: yc: Support mic on Lenovo Thinkpad E16 Gen 2", " - kobject_uevent: Fix OOB access within zap_modalias_env()", " - gve: Fix an edge case for TSO skb validity check", " - ice: Add a per-VF limit on 
number of FDIR filters", " - devres: Fix devm_krealloc() wasting memory", " - devres: Fix memory leakage caused by driver API devm_free_percpu()", " - irqdomain: Fixed unbalanced fwnode get and put", " - irqchip/imx-irqsteer: Handle runtime power management correctly", " - mm/numa_balancing: teach mpol_to_str about the balancing mode", " - rtc: cmos: Fix return value of nvmem callbacks", " - scsi: lpfc: Allow DEVICE_RECOVERY mode after RSCN receipt if in PRLI_ISSUE", " state", " - scsi: qla2xxx: During vport delete send async logout explicitly", " - scsi: qla2xxx: Unable to act on RSCN for port online", " - scsi: qla2xxx: Fix for possible memory corruption", " - scsi: qla2xxx: Use QP lock to search for bsg", " - scsi: qla2xxx: Reduce fabric scan duplicate code", " - scsi: qla2xxx: Fix flash read failure", " - scsi: qla2xxx: Complete command early within lock", " - scsi: qla2xxx: validate nvme_local_port correctly", " - perf: Fix event leak upon exit", " - perf: Fix event leak upon exec and file release", " - perf stat: Fix the hard-coded metrics calculation on the hybrid", " - perf/x86/intel/uncore: Fix the bits of the CHA extended umask for SPR", " - perf/x86/intel/ds: Fix non 0 retire latency on Raptorlake", " - perf/x86/intel/pt: Fix topa_entry base length", " - perf/x86/intel/pt: Fix a topa_entry base address calculation", " - drm/i915/gt: Do not consider preemption during execlists_dequeue for gen8", " - drm/amdgpu/sdma5.2: Update wptr registers as well as doorbell", " - drm/udl: Remove DRM_CONNECTOR_POLL_HPD", " - drm/dp_mst: Fix all mstb marked as not probed after suspend/resume", " - drm/amdgpu: reset vm state machine after gpu reset(vram lost)", " - drm/amd/amdgpu: Fix uninitialized variable warnings", " - drm/i915/dp: Reset intel_dp->link_trained before retraining the link", " - drm/i915/dp: Don't switch the LTTPR mode on an active link", " - rtc: isl1208: Fix return value of nvmem callbacks", " - rtc: abx80x: Fix return value of nvmem callback on read", 
" - watchdog/perf: properly initialize the turbo mode timestamp and rearm", " counter", " - platform: mips: cpu_hwmon: Disable driver on unsupported hardware", " - RDMA/iwcm: Fix a use-after-free related to destroying CM IDs", " - selftests/sigaltstack: Fix ppc64 GCC build", " - dm-verity: fix dm_is_verity_target() when dm-verity is builtin", " - rbd: don't assume rbd_is_lock_owner() for exclusive mappings", " - remoteproc: stm32_rproc: Fix mailbox interrupts queuing", " - remoteproc: imx_rproc: Skip over memory region when node value is NULL", " - remoteproc: imx_rproc: Fix refcount mistake in imx_rproc_addr_init", " - MIPS: dts: loongson: Add ISA node", " - MIPS: ip30: ip30-console: Add missing include", " - MIPS: dts: loongson: Fix GMAC phy node", " - MIPS: Loongson64: env: Hook up Loongsson-2K", " - MIPS: Loongson64: Remove memory node for builtin-dtb", " - MIPS: Loongson64: reset: Prioritise firmware service", " - MIPS: Loongson64: Test register availability before use", " - drm/etnaviv: don't block scheduler when GPU is still active", " - drm/panfrost: Mark simple_ondemand governor as softdep", " - rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait", " - rbd: don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings", " - lib/build_OID_registry: don't mention the full path of the script in output", " - video: logo: Drop full path of the input filename in generated file", " - Bluetooth: btusb: Add RTL8852BE device 0489:e125 to device tables", " - Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591", " - minmax: scsi: fix mis-use of 'clamp()' in sr.c", " - mm/mglru: fix ineffective protection calculation", " - PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal", " - f2fs: fix to truncate preallocated blocks in f2fs_file_open()", " - kdb: address -Wformat-security warnings", " - kdb: Use the passed prompt in kdb_position_cursor()", " - dmaengine: ti: k3-udma: Fix BCHAN count with UHC and HC channels", " - phy: cadence-torrent: Check 
return value on register read", " - phy: zynqmp: Enable reference clock correctly", " - um: time-travel: fix time-travel-start option", " - um: time-travel: fix signal blocking race/hang", " - f2fs: fix start segno of large section", " - watchdog: rzg2l_wdt: Use pm_runtime_resume_and_get()", " - watchdog: rzg2l_wdt: Check return status of pm_runtime_put()", " - f2fs: fix to update user block counts in block_operations()", " - kbuild: avoid build error when single DTB is turned into composite DTB", " - selftests/bpf: fexit_sleep: Fix stack allocation for arm64", " - libbpf: Fix no-args func prototype BTF dumping syntax", " - af_unix: Disable MSG_OOB handling for sockets in sockmap/sockhash", " - dma: fix call order in dmam_free_coherent", " - bpf, events: Use prog to emit ksymbol event for main program", " - tools/resolve_btfids: Fix comparison of distinct pointer types warning in", " resolve_btfids", " - MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later", " - ipv4: Fix incorrect source address in Record Route option", " - net: bonding: correctly annotate RCU in bond_should_notify_peers()", " - ice: Fix recipe read procedure", " - netfilter: nft_set_pipapo_avx2: disable softinterrupts", " - net: stmmac: Correct byte order of perfect_match", " - net: nexthop: Initialize all fields in dumped nexthops", " - bpf: Fix a segment issue when downgrading gso_size", " - apparmor: Fix null pointer deref when receiving skb during sock creation", " - powerpc: fix a file leak in kvm_vcpu_ioctl_enable_cap()", " - lirc: rc_dev_get_from_fd(): fix file leak", " - auxdisplay: ht16k33: Drop reference after LED registration", " - ASoC: SOF: imx8m: Fix DSP control regmap retrieval", " - spi: microchip-core: fix the issues in the isr", " - spi: microchip-core: defer asserting chip select until just before write to", " TX FIFO", " - spi: microchip-core: only disable SPI controller when register value change", " requires it", " - spi: microchip-core: fix init function not 
setting the master and motorola", " modes", " - spi: microchip-core: ensure TX and RX FIFOs are empty at start of a transfer", " - nvme-pci: Fix the instructions for disabling power management", " - ASoC: sof: amd: fix for firmware reload failure in Vangogh platform", " - spi: spidev: add correct compatible for Rohm BH2228FV", " - ASoC: Intel: use soc_intel_is_byt_cr() only when IOSF_MBI is reachable", " - ASoC: TAS2781: Fix tasdev_load_calibrated_data()", " - ceph: fix incorrect kmalloc size of pagevec mempool", " - s390/pci: Refactor arch_setup_msi_irqs()", " - s390/pci: Allow allocation of more than 1 MSI interrupt", " - s390/cpum_cf: Fix endless loop in CF_DIAG event stop", " - iommu: sprd: Avoid NULL deref in sprd_iommu_hw_en", " - io_uring: fix io_match_task must_hold", " - nvme-pci: add missing condition check for existence of mapped data", " - fs: don't allow non-init s_user_ns for filesystems without FS_USERNS_MOUNT", " - md/raid0: don't free conf on raid0_run failure", " - md/raid1: don't free conf on raid0_run failure", " - io_uring: Fix probe of disabled operations", " - cgroup/cpuset: Optimize isolated partition only generate_sched_domains()", " calls", " - cgroup/cpuset: Fix remote root partition creation problem", " - x86/syscall: Mark exit[_group] syscall handlers __noreturn", " - perf: arm_pmuv3: Avoid assigning fixed cycle counter with threshold", " - md/raid5: recheck if reshape has finished with device_lock held", " - hwmon: (ltc2991) re-order conditions to fix off by one bug", " - arm64: smp: Fix missing IPI statistics", " - arm64: dts: qcom: sc7280: Remove CTS/RTS configuration", " - ARM: dts: qcom: msm8226-microsoft-common: Enable smbb explicitly", " - OPP: Fix missing cleanup on error in _opp_attach_genpd()", " - arm64: dts: qcom: sc8280xp-*: Remove thermal zone polling delays", " - arm64: dts: ti: k3-am62-main: Fix the reg-range for main_pktdma", " - arm64: dts: ti: k3-am62a-main: Fix the reg-range for main_pktdma", " - arm64: dts: ti: 
k3-am62p-main: Fix the reg-range for main_pktdma", " - arm64: dts: ti: k3-am62a7: Drop McASP AFIFOs", " - arm64: dts: ti: k3-am62p5: Drop McASP AFIFOs", " - arm64: dts: ti: k3-am62p5-sk: Fix pinmux for McASP1 TX", " - arm64: dts: qcom: sc7180-trogdor: Disable pwmleds node where unused", " - arm64: dts: mediatek: mt8192: Fix GPU thermal zone name for SVS", " - arm64: dts: mediatek: mt8183-pico6: Fix wake-on-X event node names", " - arm64: dts: renesas: r9a08g045: Add missing hypervisor virtual timer IRQ", " - cpufreq/amd-pstate-ut: Convert nominal_freq to khz during comparisons", " - wifi: mac80211: cancel multi-link reconf work on disconnect", " - wifi: ath11k: refactor setting country code logic", " - wifi: ath11k: restore country code during resume", " - net: ethernet: cortina: Restore TSO support", " - tcp: fix races in tcp_abort()", " - hns3: avoid linking objects into multiple modules", " - sched/core: Move preempt_model_*() helpers from sched.h to preempt.h", " - sched/core: Drop spinlocks on contention iff kernel is preemptible", " - net: dsa: ksz_common: Allow only up to two HSR HW offloaded ports for", " KSZ9477", " - libbpf: Skip base btf sanity checks", " - wifi: mac80211: add ieee80211_tdls_sta_link_id()", " - wifi: iwlwifi: fix iwl_mvm_get_valid_rx_ant()", " - wifi: ath12k: advertise driver capabilities for MBSSID and EMA", " - riscv, bpf: Fix out-of-bounds issue when preparing trampoline image", " - perf/x86/amd/uncore: Avoid PMU registration if counters are unavailable", " - perf/x86/amd/uncore: Fix DF and UMC domain identification", " - NFSD: Fix nfsdcld warning", " - net: page_pool: fix warning code", " - bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG", " - Bluetooth: hci_event: Set QoS encryption from BIGInfo report", " - Bluetooth: hci_core, hci_sync: cleanup struct discovery_state", " - Bluetooth: Fix usage of __hci_cmd_sync_status", " - tcp: Don't access uninit tcp_rsk(req)->ao_keyid in", " tcp_create_openreq_child().", " - drm/panel: 
ilitek-ili9882t: If prepare fails, disable GPIO before regulators", " - drm/panel: ilitek-ili9882t: Check for errors on the NOP in prepare()", " - drm/amd/display: Move 'struct scaler_data' off stack", " - media: i2c: hi846: Fix V4L2_SUBDEV_FORMAT_TRY get_selection()", " - drm/msm/dpu: fix encoder irq wait skip", " - drm/msm/dpu: drop duplicate drm formats from wb2_formats arrays", " - drm/msm/dp: fix runtime_pm handling in dp_wait_hpd_asserted", " - perf maps: Switch from rbtree to lazily sorted array for addresses", " - perf maps: Fix use after free in __maps__fixup_overlap_and_insert", " - drm/bridge: samsung-dsim: Set P divider based on min/max of fin pll", " - drm/i915/psr: Print Panel Replay status instead of frame lock status", " - drm/mediatek: Set DRM mode configs accordingly", " - drm/msm/dsi: set video mode widebus enable bit when widebus is enabled", " - tools/perf: Fix the string match for \"/tmp/perf-$PID.map\" files in dso__load", " - drm/amd/display: Add null check before access structs", " - nfs: pass explicit offset/count to trace events", " - PCI: endpoint: pci-epf-test: Make use of cached 'epc_features' in", " pci_epf_test_core_init()", " - PCI: tegra194: Set EP alignment restriction for inbound ATU", " - riscv: smp: fail booting up smp if inconsistent vlen is detected", " - clk: meson: s4: fix fixed_pll_dco clock", " - clk: meson: s4: fix pwm_j_div parent clock", " - usb: typec-mux: ptn36502: unregister typec switch on probe error and remove", " - mtd: spi-nor: winbond: fix w25q128 regression", " - iommufd/selftest: Fix dirty bitmap tests with u8 bitmaps", " - iommufd/selftest: Fix iommufd_test_dirty() to handle ", "date": "Tue, 26 Nov 2024 13:53:36 +0100" } ], "notes": "linux-image-6.8.0-51-generic version '6.8.0-51.52.1' (source package linux-riscv version '6.8.0-51.52.1') was added. linux-image-6.8.0-51-generic version '6.8.0-51.52.1' has the same source package name, linux-riscv, as removed package linux-headers-6.8.0-49-generic. 
As such we can use the source package version of the removed package, '6.8.0-49.49.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-modules-6.8.0-51-generic", "from_version": { "source_package_name": "linux-riscv", "source_package_version": "6.8.0-49.49.1", "version": null }, "to_version": { "source_package_name": "linux-riscv", "source_package_version": "6.8.0-51.52.1", "version": "6.8.0-51.52.1" }, "cves": [ { "cve": "CVE-2024-50264", "url": "https://ubuntu.com/security/CVE-2024-50264", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans During loopback communication, a dangling pointer can be created in vsk->trans, potentially leading to a Use-After-Free condition. This issue is resolved by initializing vsk->trans to NULL.", "cve_priority": "high", "cve_public_date": "2024-11-19 02:16:00 UTC" }, { "cve": "CVE-2024-53057", "url": "https://ubuntu.com/security/CVE-2024-53057", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed to be either root or ingress. This assumption is bogus since it's valid to create egress qdiscs with major handle ffff: Budimir Markovic found that for qdiscs like DRR that maintain an active class list, it will cause a UAF with a dangling class pointer. In 066a3b5b2346, the concern was to avoid iterating over the ingress qdisc since its parent is itself. 
The proper fix is to stop when parent TC_H_ROOT is reached because the only way to retrieve ingress is when a hierarchy which does not contain a ffff: major handle call into qdisc_lookup with TC_H_MAJ(TC_H_ROOT). In the scenario where major ffff: is an egress qdisc in any of the tree levels, the updates will also propagate to TC_H_ROOT, which then the iteration must stop. net/sched/sch_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)", "cve_priority": "medium", "cve_public_date": "2024-11-19 18:15:00 UTC" }, { "cve": "CVE-2024-49967", "url": "https://ubuntu.com/security/CVE-2024-49967", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ext4: no need to continue when the number of entries is 1", "cve_priority": "medium", "cve_public_date": "2024-10-21 18:15:00 UTC" }, { "cve": "CVE-2024-46823", "url": "https://ubuntu.com/security/CVE-2024-46823", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: kunit/overflow: Fix UB in overflow_allocation_test The 'device_name' array doesn't exist out of the 'overflow_allocation_test' function scope. However, it is being used as a driver name when calling 'kunit_driver_create' from 'kunit_device_register'. It produces the kernel panic with KASAN enabled. Since this variable is used in one place only, remove it and pass the device name into kunit_device_register directly as an ascii string.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46834", "url": "https://ubuntu.com/security/CVE-2024-46834", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ethtool: fail closed if we can't get max channel used in indirection tables Commit 0d1b7d6c9274 (\"bnxt: fix crashes when reducing ring count with active RSS contexts\") proves that allowing indirection table to contain channels with out of bounds IDs may lead to crashes. 
Currently the max channel check in the core gets skipped if driver can't fetch the indirection table or when we can't allocate memory. Both of those conditions should be extremely rare but if they do happen we should try to be safe and fail the channel change.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46751", "url": "https://ubuntu.com/security/CVE-2024-46751", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: don't BUG_ON() when 0 reference count at btrfs_lookup_extent_info() Instead of doing a BUG_ON() handle the error by returning -EUCLEAN, aborting the transaction and logging an error message.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46753", "url": "https://ubuntu.com/security/CVE-2024-46753", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: handle errors from btrfs_dec_ref() properly In walk_up_proc() we BUG_ON(ret) from btrfs_dec_ref(). This is incorrect, we have proper error handling here, return the error.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46841", "url": "https://ubuntu.com/security/CVE-2024-46841", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: don't BUG_ON on ENOMEM from btrfs_lookup_extent_info() in walk_down_proc() We handle errors here properly, ENOMEM isn't fatal, return the error.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46754", "url": "https://ubuntu.com/security/CVE-2024-46754", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Remove tst_run from lwt_seg6local_prog_ops. The syzbot reported that the lwt_seg6 related BPF ops can be invoked via bpf_test_run() without without entering input_action_end_bpf() first. 
Martin KaFai Lau said that self test for BPF_PROG_TYPE_LWT_SEG6LOCAL probably didn't work since it was introduced in commit 04d4b274e2a (\"ipv6: sr: Add seg6local action End.BPF\"). The reason is that the per-CPU variable seg6_bpf_srh_states::srh is never assigned in the self test case but each BPF function expects it. Remove test_run for BPF_PROG_TYPE_LWT_SEG6LOCAL.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46824", "url": "https://ubuntu.com/security/CVE-2024-46824", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: iommufd: Require drivers to supply the cache_invalidate_user ops If drivers don't do this then iommufd will oops invalidation ioctls with something like: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info: ESR = 0x0000000086000004 EC = 0x21: IABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault user pgtable: 4k pages, 48-bit VAs, pgdp=0000000101059000 [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP Modules linked in: CPU: 2 PID: 371 Comm: qemu-system-aar Not tainted 6.8.0-rc7-gde77230ac23a #9 Hardware name: linux,dummy-virt (DT) pstate: 81400809 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=-c) pc : 0x0 lr : iommufd_hwpt_invalidate+0xa4/0x204 sp : ffff800080f3bcc0 x29: ffff800080f3bcf0 x28: ffff0000c369b300 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000 x23: 0000000000000000 x22: 00000000c1e334a0 x21: ffff0000c1e334a0 x20: ffff800080f3bd38 x19: ffff800080f3bd58 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff8240d6d8 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 x8 : 0000001000000002 x7 : 0000fffeac1ec950 x6 : 0000000000000000 x5 : 
ffff800080f3bd78 x4 : 0000000000000003 x3 : 0000000000000002 x2 : 0000000000000000 x1 : ffff800080f3bcc8 x0 : ffff0000c6034d80 Call trace: 0x0 iommufd_fops_ioctl+0x154/0x274 __arm64_sys_ioctl+0xac/0xf0 invoke_syscall+0x48/0x110 el0_svc_common.constprop.0+0x40/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xb4 el0t_64_sync_handler+0x120/0x12c el0t_64_sync+0x190/0x194 All existing drivers implement this op for nesting, this is mostly a bisection aid.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46842", "url": "https://ubuntu.com/security/CVE-2024-46842", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Handle mailbox timeouts in lpfc_get_sfp_info The MBX_TIMEOUT return code is not handled in lpfc_get_sfp_info and the routine unconditionally frees submitted mailbox commands regardless of return status. The issue is that for MBX_TIMEOUT cases, when firmware returns SFP information at a later time, that same mailbox memory region references previously freed memory in its cmpl routine. Fix by adding checks for the MBX_TIMEOUT return code. During mailbox resource cleanup, check the mbox flag to make sure that the wait did not timeout. If the MBOX_WAKE flag is not set, then do not free the resources because it will be freed when firmware completes the mailbox at a later time in its cmpl routine. Also, increase the timeout from 30 to 60 seconds to accommodate boot scripts requiring longer timeouts.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46766", "url": "https://ubuntu.com/security/CVE-2024-46766", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ice: move netif_queue_set_napi to rtnl-protected sections Currently, netif_queue_set_napi() is called from ice_vsi_rebuild() that is not rtnl-locked when called from the reset. 
This creates the need to take the rtnl_lock just for a single function and complicates the synchronization with .ndo_bpf. At the same time, there no actual need to fill napi-to-queue information at this exact point. Fill napi-to-queue information when opening the VSI and clear it when the VSI is being closed. Those routines are already rtnl-locked. Also, rewrite napi-to-queue assignment in a way that prevents inclusion of XDP queues, as this leads to out-of-bounds writes, such as one below. [ +0.000004] BUG: KASAN: slab-out-of-bounds in netif_queue_set_napi+0x1c2/0x1e0 [ +0.000012] Write of size 8 at addr ffff889881727c80 by task bash/7047 [ +0.000006] CPU: 24 PID: 7047 Comm: bash Not tainted 6.10.0-rc2+ #2 [ +0.000004] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0014.082620210524 08/26/2021 [ +0.000003] Call Trace: [ +0.000003] [ +0.000002] dump_stack_lvl+0x60/0x80 [ +0.000007] print_report+0xce/0x630 [ +0.000007] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ +0.000007] ? __virt_addr_valid+0x1c9/0x2c0 [ +0.000005] ? netif_queue_set_napi+0x1c2/0x1e0 [ +0.000003] kasan_report+0xe9/0x120 [ +0.000004] ? netif_queue_set_napi+0x1c2/0x1e0 [ +0.000004] netif_queue_set_napi+0x1c2/0x1e0 [ +0.000005] ice_vsi_close+0x161/0x670 [ice] [ +0.000114] ice_dis_vsi+0x22f/0x270 [ice] [ +0.000095] ice_pf_dis_all_vsi.constprop.0+0xae/0x1c0 [ice] [ +0.000086] ice_prepare_for_reset+0x299/0x750 [ice] [ +0.000087] pci_dev_save_and_disable+0x82/0xd0 [ +0.000006] pci_reset_function+0x12d/0x230 [ +0.000004] reset_store+0xa0/0x100 [ +0.000006] ? __pfx_reset_store+0x10/0x10 [ +0.000002] ? __pfx_mutex_lock+0x10/0x10 [ +0.000004] ? __check_object_size+0x4c1/0x640 [ +0.000007] kernfs_fop_write_iter+0x30b/0x4a0 [ +0.000006] vfs_write+0x5d6/0xdf0 [ +0.000005] ? fd_install+0x180/0x350 [ +0.000005] ? __pfx_vfs_write+0x10/0xA10 [ +0.000004] ? do_fcntl+0x52c/0xcd0 [ +0.000004] ? kasan_save_track+0x13/0x60 [ +0.000003] ? 
kasan_save_free_info+0x37/0x60 [ +0.000006] ksys_write+0xfa/0x1d0 [ +0.000003] ? __pfx_ksys_write+0x10/0x10 [ +0.000002] ? __x64_sys_fcntl+0x121/0x180 [ +0.000004] ? _raw_spin_lock+0x87/0xe0 [ +0.000005] do_syscall_64+0x80/0x170 [ +0.000007] ? _raw_spin_lock+0x87/0xe0 [ +0.000004] ? __pfx__raw_spin_lock+0x10/0x10 [ +0.000003] ? file_close_fd_locked+0x167/0x230 [ +0.000005] ? syscall_exit_to_user_mode+0x7d/0x220 [ +0.000005] ? do_syscall_64+0x8c/0x170 [ +0.000004] ? do_syscall_64+0x8c/0x170 [ +0.000003] ? do_syscall_64+0x8c/0x170 [ +0.000003] ? fput+0x1a/0x2c0 [ +0.000004] ? filp_close+0x19/0x30 [ +0.000004] ? do_dup2+0x25a/0x4c0 [ +0.000004] ? __x64_sys_dup2+0x6e/0x2e0 [ +0.000002] ? syscall_exit_to_user_mode+0x7d/0x220 [ +0.000004] ? do_syscall_64+0x8c/0x170 [ +0.000003] ? __count_memcg_events+0x113/0x380 [ +0.000005] ? handle_mm_fault+0x136/0x820 [ +0.000005] ? do_user_addr_fault+0x444/0xa80 [ +0.000004] ? clear_bhb_loop+0x25/0x80 [ +0.000004] ? clear_bhb_loop+0x25/0x80 [ +0.000002] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ +0.000005] RIP: 0033:0x7f2033593154", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46772", "url": "https://ubuntu.com/security/CVE-2024-46772", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check denominator crb_pipes before used [WHAT & HOW] A denominator cannot be 0, and is checked before used. 
This fixes 2 DIVIDE_BY_ZERO issues reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46774", "url": "https://ubuntu.com/security/CVE-2024-46774", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() Smatch warns: arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential spectre issue 'args.args' [r] (local cap) The 'nargs' and 'nret' locals come directly from a user-supplied buffer and are used as indexes into a small stack-based array and as inputs to copy_to_user() after they are subject to bounds checks. Use array_index_nospec() after the bounds checks to clamp these values for speculative execution.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46775", "url": "https://ubuntu.com/security/CVE-2024-46775", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Validate function returns [WHAT & HOW] Function return values must be checked before data can be used in subsequent functions. This fixes 4 CHECKED_RETURN issues reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46778", "url": "https://ubuntu.com/security/CVE-2024-46778", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check UnboundedRequestEnabled's value CalculateSwathAndDETConfiguration_params_st's UnboundedRequestEnabled is a pointer (i.e. dml_bool_t *UnboundedRequestEnabled), and thus if (p->UnboundedRequestEnabled) checks its address, not bool value. 
This fixes 1 REVERSE_INULL issue reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46779", "url": "https://ubuntu.com/security/CVE-2024-46779", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/imagination: Free pvr_vm_gpuva after unlink This caused a measurable memory leak. Although the individual allocations are small, the leaks occurs in a high-usage codepath (remapping or unmapping device memory) so they add up quickly.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46792", "url": "https://ubuntu.com/security/CVE-2024-46792", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: riscv: misaligned: Restrict user access to kernel memory raw_copy_{to,from}_user() do not call access_ok(), so this code allowed userspace to access any virtual memory address.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46793", "url": "https://ubuntu.com/security/CVE-2024-46793", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards harder Since commit 13f58267cda3 (\"ASoC: soc.h: don't create dummy Component via COMP_DUMMY()\") dummy codecs declared like this: SND_SOC_DAILINK_DEF(dummy, DAILINK_COMP_ARRAY(COMP_DUMMY())); expand to: static struct snd_soc_dai_link_component dummy[] = { }; Which means that dummy is a zero sized array and thus dais[i].codecs should not be dereferenced *at all* since it points to the address of the next variable stored in the data section as the \"dummy\" variable has an address but no size, so even dereferencing dais[0] is already an out of bounds array reference. 
Which means that the if (dais[i].codecs->name) check added in commit 7d99a70b6595 (\"ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards\") relies on that the part of the next variable which the name member maps to just happens to be NULL. Which apparently so far it usually is, except when it isn't and then it results in crashes like this one: [ 28.795659] BUG: unable to handle page fault for address: 0000000000030011 ... [ 28.795780] Call Trace: [ 28.795787] ... [ 28.795862] ? strcmp+0x18/0x40 [ 28.795872] 0xffffffffc150c605 [ 28.795887] platform_probe+0x40/0xa0 ... [ 28.795979] ? __pfx_init_module+0x10/0x10 [snd_soc_sst_bytcr_wm5102] Really fix things this time around by checking dais.num_codecs != 0.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46735", "url": "https://ubuntu.com/security/CVE-2024-46735", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ublk_drv: fix NULL pointer dereference in ublk_ctrl_start_recovery() When two UBLK_CMD_START_USER_RECOVERY commands are submitted, the first one sets 'ubq->ubq_daemon' to NULL, and the second one triggers WARN in ublk_queue_reinit() and subsequently a NULL pointer dereference issue. Fix it by adding the check in ublk_ctrl_start_recovery() and return immediately in case of zero 'ub->nr_queues_ready'. BUG: kernel NULL pointer dereference, address: 0000000000000028 RIP: 0010:ublk_ctrl_start_recovery.constprop.0+0x82/0x180 Call Trace: ? __die+0x20/0x70 ? page_fault_oops+0x75/0x170 ? exc_page_fault+0x64/0x140 ? asm_exc_page_fault+0x22/0x30 ? ublk_ctrl_start_recovery.constprop.0+0x82/0x180 ublk_ctrl_uring_cmd+0x4f7/0x6c0 ? pick_next_task_idle+0x26/0x40 io_uring_cmd+0x9a/0x1b0 io_issue_sqe+0x193/0x3f0 io_wq_submit_work+0x9b/0x390 io_worker_handle_work+0x165/0x360 io_wq_worker+0xcb/0x2f0 ? finish_task_switch.isra.0+0x203/0x290 ? finish_task_switch.isra.0+0x203/0x290 ? __pfx_io_wq_worker+0x10/0x10 ret_from_fork+0x2d/0x50 ? 
__pfx_io_wq_worker+0x10/0x10 ret_from_fork_asm+0x1a/0x30 ", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46737", "url": "https://ubuntu.com/security/CVE-2024-46737", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix kernel crash if commands allocation fails If the commands allocation fails in nvmet_tcp_alloc_cmds() the kernel crashes in nvmet_tcp_release_queue_work() because of a NULL pointer dereference. nvmet: failed to install queue 0 cntlid 1 ret 6 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 Fix the bug by setting queue->nr_cmds to zero in case nvmet_tcp_alloc_cmd() fails.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46822", "url": "https://ubuntu.com/security/CVE-2024-46822", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry In a review discussion of the changes to support vCPU hotplug where a check was added on the GICC being enabled if was online, it was noted that there is need to map back to the cpu and use that to index into a cpumask. As such, a valid ID is needed. If an MPIDR check fails in acpi_map_gic_cpu_interface() it is possible for the entry in cpu_madt_gicc[cpu] == NULL. This function would then cause a NULL pointer dereference. Whilst a path to trigger this has not been established, harden this caller against the possibility.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46713", "url": "https://ubuntu.com/security/CVE-2024-46713", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: perf/aux: Fix AUX buffer serialization Ole reported that event->mmap_mutex is strictly insufficient to serialize the AUX buffer, add a per RB mutex to fully serialize it. 
Note that in the lock order comment the perf_event::mmap_mutex order was already wrong, that is, it nesting under mmap_lock is not new with this patch.", "cve_priority": "medium", "cve_public_date": "2024-09-13 15:15:00 UTC" }, { "cve": "CVE-2024-46739", "url": "https://ubuntu.com/security/CVE-2024-46739", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind For primary VM Bus channels, primary_channel pointer is always NULL. This pointer is valid only for the secondary channels. Also, rescind callback is meant for primary channels only. Fix NULL pointer dereference by retrieving the device_obj from the parent for the primary channel.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46740", "url": "https://ubuntu.com/security/CVE-2024-46740", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF caused by offsets overwrite Binder objects are processed and copied individually into the target buffer during transactions. Any raw data in-between these objects is copied as well. However, this raw data copy lacks an out-of-bounds check. If the raw data exceeds the data section size then the copy overwrites the offsets section. This eventually triggers an error that attempts to unwind the processed objects. However, at this point the offsets used to index these objects are now corrupted. Unwinding with corrupted offsets can result in decrements of arbitrary nodes and lead to their premature release. Other users of such nodes are left with a dangling pointer triggering a use-after-free. 
This issue is made evident by the following KASAN report (trimmed): ================================================================== BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c Write of size 4 at addr ffff47fc91598f04 by task binder-util/743 CPU: 9 UID: 0 PID: 743 Comm: binder-util Not tainted 6.11.0-rc4 #1 Hardware name: linux,dummy-virt (DT) Call trace: _raw_spin_lock+0xe4/0x19c binder_free_buf+0x128/0x434 binder_thread_write+0x8a4/0x3260 binder_ioctl+0x18f0/0x258c [...] Allocated by task 743: __kmalloc_cache_noprof+0x110/0x270 binder_new_node+0x50/0x700 binder_transaction+0x413c/0x6da8 binder_thread_write+0x978/0x3260 binder_ioctl+0x18f0/0x258c [...] Freed by task 745: kfree+0xbc/0x208 binder_thread_read+0x1c5c/0x37d4 binder_ioctl+0x16d8/0x258c [...] ================================================================== To avoid this issue, let's check that the raw data copy is within the boundaries of the data section.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46741", "url": "https://ubuntu.com/security/CVE-2024-46741", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix double free of 'buf' in error path smatch warning: drivers/misc/fastrpc.c:1926 fastrpc_req_mmap() error: double free of 'buf' In fastrpc_req_mmap() error path, the fastrpc buffer is freed in fastrpc_req_munmap_impl() if unmap is successful. But in the end, there is an unconditional call to fastrpc_buf_free(). So the above case triggers the double free of fastrpc buf.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-47663", "url": "https://ubuntu.com/security/CVE-2024-47663", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: staging: iio: frequency: ad9834: Validate frequency parameter value In ad9834_write_frequency() clk_get_rate() can return 0. 
In such case ad9834_calc_freqreg() call will lead to division by zero. Checking 'if (fout > (clk_freq / 2))' doesn't protect in case of 'fout' is 0. ad9834_write_frequency() is called from ad9834_write(), where fout is taken from text buffer, which can contain any value. Modify parameters checking. Found by Linux Verification Center (linuxtesting.org) with SVACE.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46832", "url": "https://ubuntu.com/security/CVE-2024-46832", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: MIPS: cevt-r4k: Don't call get_c0_compare_int if timer irq is installed This avoids warning: [ 0.118053] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:283 Caused by get_c0_compare_int on secondary CPU. We also skipped saving IRQ number to struct clock_event_device *cd as it's never used by clockevent core, as per comments it's only meant for \"non CPU local devices\".", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-47668", "url": "https://ubuntu.com/security/CVE-2024-47668", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc() If we need to increase the tree depth, allocate a new node, and then race with another thread that increased the tree depth before us, we'll still have a preallocated node that might be used later. 
If we then use that node for a new non-root node, it'll still have a pointer to the old root instead of being zeroed - fix this by zeroing it in the cmpxchg failure path.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46744", "url": "https://ubuntu.com/security/CVE-2024-46744", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Squashfs: sanity check symbolic link size Syzkiller reports a \"KMSAN: uninit-value in pick_link\" bug. This is caused by an uninitialised page, which is ultimately caused by a corrupted symbolic link size read from disk. The reason why the corrupted symlink size causes an uninitialised page is due to the following sequence of events: 1. squashfs_read_inode() is called to read the symbolic link from disk. This assigns the corrupted value 3875536935 to inode->i_size. 2. Later squashfs_symlink_read_folio() is called, which assigns this corrupted value to the length variable, which being a signed int, overflows producing a negative number. 3. The following loop that fills in the page contents checks that the copied bytes is less than length, which being negative means the loop is skipped, producing an uninitialised page. This patch adds a sanity check which checks that the symbolic link size is not larger than expected. -- V2: fix spelling mistake.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46745", "url": "https://ubuntu.com/security/CVE-2024-46745", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Input: uinput - reject requests with unreasonable number of slots When exercising uinput interface syzkaller may try setting up device with a really large number of slots, which causes memory allocation failure in input_mt_init_slots(). While this allocation failure is handled properly and request is rejected, it results in syzkaller reports. 
Additionally, such request may put undue burden on the system which will try to free a lot of memory for a bogus request. Fix it by limiting allowed number of slots to 100. This can easily be extended if we see devices that can track more than 100 contacts.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46746", "url": "https://ubuntu.com/security/CVE-2024-46746", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: HID: amd_sfh: free driver_data after destroying hid device HID driver callbacks aren't called anymore once hid_destroy_device() has been called. Hence, hid driver_data should be freed only after the hid_destroy_device() function returned as driver_data is used in several callbacks. I observed a crash with kernel 6.10.0 on my T14s Gen 3, after enabling KASAN to debug memory allocation, I got this output: [ 13.050438] ================================================================== [ 13.054060] BUG: KASAN: slab-use-after-free in amd_sfh_get_report+0x3ec/0x530 [amd_sfh] [ 13.054809] psmouse serio1: trackpoint: Synaptics TrackPoint firmware: 0x02, buttons: 3/3 [ 13.056432] Read of size 8 at addr ffff88813152f408 by task (udev-worker)/479 [ 13.060970] CPU: 5 PID: 479 Comm: (udev-worker) Not tainted 6.10.0-arch1-2 #1 893bb55d7f0073f25c46adbb49eb3785fefd74b0 [ 13.063978] Hardware name: LENOVO 21CQCTO1WW/21CQCTO1WW, BIOS R22ET70W (1.40 ) 03/21/2024 [ 13.067860] Call Trace: [ 13.069383] input: TPPS/2 Synaptics TrackPoint as /devices/platform/i8042/serio1/input/input8 [ 13.071486] [ 13.071492] dump_stack_lvl+0x5d/0x80 [ 13.074870] snd_hda_intel 0000:33:00.6: enabling device (0000 -> 0002) [ 13.078296] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.082199] print_report+0x174/0x505 [ 13.085776] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 13.089367] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.093255] ? 
amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.097464] kasan_report+0xc8/0x150 [ 13.101461] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.105802] amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.110303] amdtp_hid_request+0xb8/0x110 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.114879] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.119450] sensor_hub_get_feature+0x1d3/0x540 [hid_sensor_hub 3f13be3016ff415bea03008d45d99da837ee3082] [ 13.124097] hid_sensor_parse_common_attributes+0x4d0/0xad0 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5] [ 13.127404] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.131925] ? __pfx_hid_sensor_parse_common_attributes+0x10/0x10 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5] [ 13.136455] ? _raw_spin_lock_irqsave+0x96/0xf0 [ 13.140197] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 13.143602] ? devm_iio_device_alloc+0x34/0x50 [industrialio 3d261d5e5765625d2b052be40e526d62b1d2123b] [ 13.147234] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.150446] ? __devm_add_action+0x167/0x1d0 [ 13.155061] hid_gyro_3d_probe+0x120/0x7f0 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172] [ 13.158581] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.161814] platform_probe+0xa2/0x150 [ 13.165029] really_probe+0x1e3/0x8a0 [ 13.168243] __driver_probe_device+0x18c/0x370 [ 13.171500] driver_probe_device+0x4a/0x120 [ 13.175000] __driver_attach+0x190/0x4a0 [ 13.178521] ? __pfx___driver_attach+0x10/0x10 [ 13.181771] bus_for_each_dev+0x106/0x180 [ 13.185033] ? __pfx__raw_spin_lock+0x10/0x10 [ 13.188229] ? __pfx_bus_for_each_dev+0x10/0x10 [ 13.191446] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.194382] bus_add_driver+0x29e/0x4d0 [ 13.197328] driver_register+0x1a5/0x360 [ 13.200283] ? 
__pfx_hid_gyro_3d_platform_driver_init+0x10/0x10 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172] [ 13.203362] do_one_initcall+0xa7/0x380 [ 13.206432] ? __pfx_do_one_initcall+0x10/0x10 [ 13.210175] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.213211] ? kasan_unpoison+0x44/0x70 [ 13.216688] do_init_module+0x238/0x750 [ 13.2196 ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-47664", "url": "https://ubuntu.com/security/CVE-2024-47664", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: spi: hisi-kunpeng: Add verification for the max_frequency provided by the firmware If the value of max_speed_hz is 0, it may cause a division by zero error in hisi_calc_effective_speed(). The value of max_speed_hz is provided by firmware. Firmware is generally considered as a trusted domain. However, as division by zero errors can cause system failure, for defense measure, the value of max_speed is validated here. So 0 is regarded as invalid and an error code is returned.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-47665", "url": "https://ubuntu.com/security/CVE-2024-47665", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Error out instead on BUG_ON() in IBI DMA setup Definitely condition dma_get_cache_alignment * defined value > 256 during driver initialization is not reason to BUG_ON(). 
Turn that to graceful error out with -EINVAL.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46749", "url": "https://ubuntu.com/security/CVE-2024-46749", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btnxpuart: Fix Null pointer dereference in btnxpuart_flush() This adds a check before freeing the rx->skb in flush and close functions to handle the kernel crash seen while removing driver after FW download fails or before FW download completes. dmesg log: [ 54.634586] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000080 [ 54.643398] Mem abort info: [ 54.646204] ESR = 0x0000000096000004 [ 54.649964] EC = 0x25: DABT (current EL), IL = 32 bits [ 54.655286] SET = 0, FnV = 0 [ 54.658348] EA = 0, S1PTW = 0 [ 54.661498] FSC = 0x04: level 0 translation fault [ 54.666391] Data abort info: [ 54.669273] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 54.674768] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 54.674771] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 54.674775] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000048860000 [ 54.674780] [0000000000000080] pgd=0000000000000000, p4d=0000000000000000 [ 54.703880] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 54.710152] Modules linked in: btnxpuart(-) overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce polyval_generic snd_soc_imx_spdif snd_soc_imx_card snd_soc_ak5558 snd_soc_ak4458 caam secvio error snd_soc_fsl_micfil snd_soc_fsl_spdif snd_soc_fsl_sai snd_soc_fsl_utils imx_pcm_dma gpio_ir_recv rc_core sch_fq_codel fuse [ 54.744357] CPU: 3 PID: 72 Comm: kworker/u9:0 Not tainted 6.6.3-otbr-g128004619037 #2 [ 54.744364] Hardware name: FSL i.MX8MM EVK board (DT) [ 54.744368] Workqueue: hci0 hci_power_on [ 54.757244] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 54.757249] pc : kfree_skb_reason+0x18/0xb0 
[ 54.772299] lr : btnxpuart_flush+0x40/0x58 [btnxpuart] [ 54.782921] sp : ffff8000805ebca0 [ 54.782923] x29: ffff8000805ebca0 x28: ffffa5c6cf1869c0 x27: ffffa5c6cf186000 [ 54.782931] x26: ffff377b84852400 x25: ffff377b848523c0 x24: ffff377b845e7230 [ 54.782938] x23: ffffa5c6ce8dbe08 x22: ffffa5c6ceb65410 x21: 00000000ffffff92 [ 54.782945] x20: ffffa5c6ce8dbe98 x19: ffffffffffffffac x18: ffffffffffffffff [ 54.807651] x17: 0000000000000000 x16: ffffa5c6ce2824ec x15: ffff8001005eb857 [ 54.821917] x14: 0000000000000000 x13: ffffa5c6cf1a02e0 x12: 0000000000000642 [ 54.821924] x11: 0000000000000040 x10: ffffa5c6cf19d690 x9 : ffffa5c6cf19d688 [ 54.821931] x8 : ffff377b86000028 x7 : 0000000000000000 x6 : 0000000000000000 [ 54.821938] x5 : ffff377b86000000 x4 : 0000000000000000 x3 : 0000000000000000 [ 54.843331] x2 : 0000000000000000 x1 : 0000000000000002 x0 : ffffffffffffffac [ 54.857599] Call trace: [ 54.857601] kfree_skb_reason+0x18/0xb0 [ 54.863878] btnxpuart_flush+0x40/0x58 [btnxpuart] [ 54.863888] hci_dev_open_sync+0x3a8/0xa04 [ 54.872773] hci_power_on+0x54/0x2e4 [ 54.881832] process_one_work+0x138/0x260 [ 54.881842] worker_thread+0x32c/0x438 [ 54.881847] kthread+0x118/0x11c [ 54.881853] ret_from_fork+0x10/0x20 [ 54.896406] Code: a9be7bfd 910003fd f9000bf3 aa0003f3 (b940d400) [ 54.896410] ---[ end trace 0000000000000000 ]---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46750", "url": "https://ubuntu.com/security/CVE-2024-46750", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: PCI: Add missing bridge lock to pci_bus_lock() One of the true positives that the cfg_access_lock lockdep effort identified is this sequence: WARNING: CPU: 14 PID: 1 at drivers/pci/pci.c:4886 pci_bridge_secondary_bus_reset+0x5d/0x70 RIP: 0010:pci_bridge_secondary_bus_reset+0x5d/0x70 Call Trace: ? __warn+0x8c/0x190 ? pci_bridge_secondary_bus_reset+0x5d/0x70 ? report_bug+0x1f8/0x200 ? handle_bug+0x3c/0x70 ? 
exc_invalid_op+0x18/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? pci_bridge_secondary_bus_reset+0x5d/0x70 pci_reset_bus+0x1d8/0x270 vmd_probe+0x778/0xa10 pci_device_probe+0x95/0x120 Where pci_reset_bus() users are triggering unlocked secondary bus resets. Ironically pci_bus_reset(), several calls down from pci_reset_bus(), uses pci_bus_lock() before issuing the reset which locks everything *but* the bridge itself. For the same motivation as adding: bridge = pci_upstream_bridge(dev); if (bridge) pci_dev_lock(bridge); to pci_reset_function() for the \"bus\" and \"cxl_bus\" reset cases, add pci_dev_lock() for @bus->self to pci_bus_lock(). [bhelgaas: squash in recursive locking deadlock fix from Keith Busch: https://lore.kernel.org/r/20240711193650.701834-1-kbusch@meta.com]", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46752", "url": "https://ubuntu.com/security/CVE-2024-46752", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: replace BUG_ON() with error handling at update_ref_for_cow() Instead of a BUG_ON() just return an error, log an error message and abort the transaction in case we find an extent buffer belonging to the relocation tree that doesn't have the full backref flag set. This is unexpected and should never happen (save for bugs or a potential bad memory).", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46840", "url": "https://ubuntu.com/security/CVE-2024-46840", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: clean up our handling of refs == 0 in snapshot delete In reada we BUG_ON(refs == 0), which could be unkind since we aren't holding a lock on the extent leaf and thus could get a transient incorrect answer. In walk_down_proc we also BUG_ON(refs == 0), which could happen if we have extent tree corruption. Change that to return -EUCLEAN. 
In do_walk_down() we catch this case and handle it correctly, however we return -EIO, which -EUCLEAN is a more appropriate error code. Finally in walk_up_proc we have the same BUG_ON(refs == 0), so convert that to proper error handling. Also adjust the error message so we can actually do something with the information.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46755", "url": "https://ubuntu.com/security/CVE-2024-46755", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id() mwifiex_get_priv_by_id() returns the priv pointer corresponding to the bss_num and bss_type, but without checking if the priv is actually currently in use. Unused priv pointers do not have a wiphy attached to them which can lead to NULL pointer dereferences further down the callstack. Fix this by returning only used priv pointers which have priv->bss_mode set to something else than NL80211_IFTYPE_UNSPECIFIED. 
Said NULL pointer dereference happened when an Accesspoint was started with wpa_supplicant -i mlan0 with this config: network={ ssid=\"somessid\" mode=2 frequency=2412 key_mgmt=WPA-PSK WPA-PSK-SHA256 proto=RSN group=CCMP pairwise=CCMP psk=\"12345678\" } When waiting for the AP to be established, interrupting wpa_supplicant with and starting it again this happens: | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000140 | Mem abort info: | ESR = 0x0000000096000004 | EC = 0x25: DABT (current EL), IL = 32 bits | SET = 0, FnV = 0 | EA = 0, S1PTW = 0 | FSC = 0x04: level 0 translation fault | Data abort info: | ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 | CM = 0, WnR = 0, TnD = 0, TagAccess = 0 | GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000046d96000 | [0000000000000140] pgd=0000000000000000, p4d=0000000000000000 | Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP | Modules linked in: caam_jr caamhash_desc spidev caamalg_desc crypto_engine authenc libdes mwifiex_sdio +mwifiex crct10dif_ce cdc_acm onboard_usb_hub fsl_imx8_ddr_perf imx8m_ddrc rtc_ds1307 lm75 rtc_snvs +imx_sdma caam imx8mm_thermal spi_imx error imx_cpufreq_dt fuse ip_tables x_tables ipv6 | CPU: 0 PID: 8 Comm: kworker/0:1 Not tainted 6.9.0-00007-g937242013fce-dirty #18 | Hardware name: somemachine (DT) | Workqueue: events sdio_irq_work | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) | pc : mwifiex_get_cfp+0xd8/0x15c [mwifiex] | lr : mwifiex_get_cfp+0x34/0x15c [mwifiex] | sp : ffff8000818b3a70 | x29: ffff8000818b3a70 x28: ffff000006bfd8a5 x27: 0000000000000004 | x26: 000000000000002c x25: 0000000000001511 x24: 0000000002e86bc9 | x23: ffff000006bfd996 x22: 0000000000000004 x21: ffff000007bec000 | x20: 000000000000002c x19: 0000000000000000 x18: 0000000000000000 | x17: 000000040044ffff x16: 00500072b5503510 x15: ccc283740681e517 | x14: 0201000101006d15 x13: 0000000002e8ff43 x12: 002c01000000ffb1 | x11: 
0100000000000000 x10: 02e8ff43002c0100 x9 : 0000ffb100100157 | x8 : ffff000003d20000 x7 : 00000000000002f1 x6 : 00000000ffffe124 | x5 : 0000000000000001 x4 : 0000000000000003 x3 : 0000000000000000 | x2 : 0000000000000000 x1 : 0001000000011001 x0 : 0000000000000000 | Call trace: | mwifiex_get_cfp+0xd8/0x15c [mwifiex] | mwifiex_parse_single_response_buf+0x1d0/0x504 [mwifiex] | mwifiex_handle_event_ext_scan_report+0x19c/0x2f8 [mwifiex] | mwifiex_process_sta_event+0x298/0xf0c [mwifiex] | mwifiex_process_event+0x110/0x238 [mwifiex] | mwifiex_main_process+0x428/0xa44 [mwifiex] | mwifiex_sdio_interrupt+0x64/0x12c [mwifiex_sdio] | process_sdio_pending_irqs+0x64/0x1b8 | sdio_irq_work+0x4c/0x7c | process_one_work+0x148/0x2a0 | worker_thread+0x2fc/0x40c | kthread+0x110/0x114 | ret_from_fork+0x10/0x20 | Code: a94153f3 a8c37bfd d50323bf d65f03c0 (f940a000) | ---[ end trace 0000000000000000 ]---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-47666", "url": "https://ubuntu.com/security/CVE-2024-47666", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: pm80xx: Set phy->enable_completion only when we wait for it pm8001_phy_control() populates the enable_completion pointer with a stack address, sends a PHY_LINK_RESET / PHY_HARD_RESET, waits 300 ms, and returns. The problem arises when a phy control response comes late. After 300 ms the pm8001_phy_control() function returns and the passed enable_completion stack address is no longer valid. 
Late phy control response invokes complete() on a dangling enable_completion pointer which leads to a kernel crash.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46843", "url": "https://ubuntu.com/security/CVE-2024-46843", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Remove SCSI host only if added If host tries to remove ufshcd driver from a UFS device it would cause a kernel panic if ufshcd_async_scan fails during ufshcd_probe_hba before adding a SCSI host with scsi_add_host and MCQ is enabled since SCSI host has been defered after MCQ configuration introduced by commit 0cab4023ec7b (\"scsi: ufs: core: Defer adding host to SCSI if MCQ is supported\"). To guarantee that SCSI host is removed only if it has been added, set the scsi_host_added flag to true after adding a SCSI host and check whether it is set or not before removing it.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46760", "url": "https://ubuntu.com/security/CVE-2024-46760", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: usb: schedule rx work after everything is set up Right now it's possible to hit NULL pointer dereference in rtw_rx_fill_rx_status on hw object and/or its fields because initialization routine can start getting USB replies before rtw_dev is fully setup. The stack trace looks like this: rtw_rx_fill_rx_status rtw8821c_query_rx_desc rtw_usb_rx_handler ... queue_work rtw_usb_read_port_complete ... usb_submit_urb rtw_usb_rx_resubmit rtw_usb_init_rx rtw_usb_probe So while we do the async stuff rtw_usb_probe continues and calls rtw_register_hw, which does all kinds of initialization (e.g. via ieee80211_register_hw) that rtw_rx_fill_rx_status relies on. Fix this by moving the first usb_submit_urb after everything is set up. 
For me, this bug manifested as: [ 8.893177] rtw_8821cu 1-1:1.2: band wrong, packet dropped [ 8.910904] rtw_8821cu 1-1:1.2: hw->conf.chandef.chan NULL in rtw_rx_fill_rx_status because I'm using Larry's backport of rtw88 driver with the NULL checks in rtw_rx_fill_rx_status.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46761", "url": "https://ubuntu.com/security/CVE-2024-46761", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv The hotplug driver for powerpc (pci/hotplug/pnv_php.c) causes a kernel crash when we try to hot-unplug/disable the PCIe switch/bridge from the PHB. The crash occurs because although the MSI data structure has been released during disable/hot-unplug path and it has been assigned with NULL, still during unregistration the code was again trying to explicitly disable the MSI which causes the NULL pointer dereference and kernel crash. 
The patch fixes the check during unregistration path to prevent invoking pci_disable_msi/msix() since its data structure is already freed.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46844", "url": "https://ubuntu.com/security/CVE-2024-46844", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: um: line: always fill *error_out in setup_one_line() The pointer isn't initialized by callers, but I have encountered cases where it's still printed; initialize it in all possible cases in setup_one_line().", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46762", "url": "https://ubuntu.com/security/CVE-2024-46762", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xen: privcmd: Fix possible access to a freed kirqfd instance Nothing prevents simultaneous ioctl calls to privcmd_irqfd_assign() and privcmd_irqfd_deassign(). If that happens, it is possible that a kirqfd created and added to the irqfds_list by privcmd_irqfd_assign() may get removed by another thread executing privcmd_irqfd_deassign(), while the former is still using it after dropping the locks. This can lead to a situation where an already freed kirqfd instance may be accessed and cause kernel oops. Use SRCU locking to prevent the same, as is done for the KVM implementation for irqfds.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46763", "url": "https://ubuntu.com/security/CVE-2024-46763", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fou: Fix null-ptr-deref in GRO. We observed a null-ptr-deref in fou_gro_receive() while shutting down a host. [0] The NULL pointer is sk->sk_user_data, and the offset 8 is of protocol in struct fou. 
When fou_release() is called due to netns dismantle or explicit tunnel teardown, udp_tunnel_sock_release() sets NULL to sk->sk_user_data. Then, the tunnel socket is destroyed after a single RCU grace period. So, in-flight udp4_gro_receive() could find the socket and execute the FOU GRO handler, where sk->sk_user_data could be NULL. Let's use rcu_dereference_sk_user_data() in fou_from_sock() and add NULL checks in FOU GRO handlers. [0]: BUG: kernel NULL pointer dereference, address: 0000000000000008 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 80000001032f4067 P4D 80000001032f4067 PUD 103240067 PMD 0 SMP PTI CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.216-204.855.amzn2.x86_64 #1 Hardware name: Amazon EC2 c5.large/, BIOS 1.0 10/16/2017 RIP: 0010:fou_gro_receive (net/ipv4/fou.c:233) [fou] Code: 41 5f c3 cc cc cc cc e8 e7 2e 69 f4 0f 1f 80 00 00 00 00 0f 1f 44 00 00 49 89 f8 41 54 48 89 f7 48 89 d6 49 8b 80 88 02 00 00 <0f> b6 48 08 0f b7 42 4a 66 25 fd fd 80 cc 02 66 89 42 4a 0f b6 42 RSP: 0018:ffffa330c0003d08 EFLAGS: 00010297 RAX: 0000000000000000 RBX: ffff93d9e3a6b900 RCX: 0000000000000010 RDX: ffff93d9e3a6b900 RSI: ffff93d9e3a6b900 RDI: ffff93dac2e24d08 RBP: ffff93d9e3a6b900 R08: ffff93dacbce6400 R09: 0000000000000002 R10: 0000000000000000 R11: ffffffffb5f369b0 R12: ffff93dacbce6400 R13: ffff93dac2e24d08 R14: 0000000000000000 R15: ffffffffb4edd1c0 FS: 0000000000000000(0000) GS:ffff93daee800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 0000000102140001 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259) ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420) ? no_context (arch/x86/mm/fault.c:752) ? 
exc_page_fault (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 arch/x86/mm/fault.c:1435 arch/x86/mm/fault.c:1483) ? asm_exc_page_fault (arch/x86/include/asm/idtentry.h:571) ? fou_gro_receive (net/ipv4/fou.c:233) [fou] udp_gro_receive (include/linux/netdevice.h:2552 net/ipv4/udp_offload.c:559) udp4_gro_receive (net/ipv4/udp_offload.c:604) inet_gro_receive (net/ipv4/af_inet.c:1549 (discriminator 7)) dev_gro_receive (net/core/dev.c:6035 (discriminator 4)) napi_gro_receive (net/core/dev.c:6170) ena_clean_rx_irq (drivers/amazon/net/ena/ena_netdev.c:1558) [ena] ena_io_poll (drivers/amazon/net/ena/ena_netdev.c:1742) [ena] napi_poll (net/core/dev.c:6847) net_rx_action (net/core/dev.c:6917) __do_softirq (arch/x86/include/asm/jump_label.h:25 include/linux/jump_label.h:200 include/trace/events/irq.h:142 kernel/softirq.c:299) asm_call_irq_on_stack (arch/x86/entry/entry_64.S:809) do_softirq_own_stack (arch/x86/include/asm/irq_stack.h:27 arch/x86/include/asm/irq_stack.h:77 arch/x86/kernel/irq_64.c:77) irq_exit_rcu (kernel/softirq.c:393 kernel/softirq.c:423 kernel/softirq.c:435) common_interrupt (arch/x86/kernel/irq.c:239) asm_common_interrupt (arch/x86/include/asm/idtentry.h:626) RIP: 0010:acpi_idle_do_entry (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 drivers/acpi/processor_idle.c:114 drivers/acpi/processor_idle.c:575) Code: 8b 15 d1 3c c4 02 ed c3 cc cc cc cc 65 48 8b 04 25 40 ef 01 00 48 8b 00 a8 08 75 eb 0f 1f 44 00 00 0f 00 2d d5 09 55 00 fb f4 c3 cc cc cc cc e9 be fc ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 RSP: 0018:ffffffffb5603e58 EFLAGS: 00000246 RAX: 0000000000004000 RBX: ffff93dac0929c00 RCX: ffff93daee833900 RDX: ffff93daee800000 RSI: ffff93d ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46765", "url": "https://ubuntu.com/security/CVE-2024-46765", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ice: protect XDP 
configuration with a mutex The main threat to data consistency in ice_xdp() is a possible asynchronous PF reset. It can be triggered by a user or by TX timeout handler. XDP setup and PF reset code access the same resources in the following sections: * ice_vsi_close() in ice_prepare_for_reset() - already rtnl-locked * ice_vsi_rebuild() for the PF VSI - not protected * ice_vsi_open() - already rtnl-locked With an unfortunate timing, such accesses can result in a crash such as the one below: [ +1.999878] ice 0000:b1:00.0: Registered XDP mem model MEM_TYPE_XSK_BUFF_POOL on Rx ring 14 [ +2.002992] ice 0000:b1:00.0: Registered XDP mem model MEM_TYPE_XSK_BUFF_POOL on Rx ring 18 [Mar15 18:17] ice 0000:b1:00.0 ens801f0np0: NETDEV WATCHDOG: CPU: 38: transmit queue 14 timed out 80692736 ms [ +0.000093] ice 0000:b1:00.0 ens801f0np0: tx_timeout: VSI_num: 6, Q 14, NTC: 0x0, HW_HEAD: 0x0, NTU: 0x0, INT: 0x4000001 [ +0.000012] ice 0000:b1:00.0 ens801f0np0: tx_timeout recovery level 1, txqueue 14 [ +0.394718] ice 0000:b1:00.0: PTP reset successful [ +0.006184] BUG: kernel NULL pointer dereference, address: 0000000000000098 [ +0.000045] #PF: supervisor read access in kernel mode [ +0.000023] #PF: error_code(0x0000) - not-present page [ +0.000023] PGD 0 P4D 0 [ +0.000018] Oops: 0000 [#1] PREEMPT SMP NOPTI [ +0.000023] CPU: 38 PID: 7540 Comm: kworker/38:1 Not tainted 6.8.0-rc7 #1 [ +0.000031] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0014.082620210524 08/26/2021 [ +0.000036] Workqueue: ice ice_service_task [ice] [ +0.000183] RIP: 0010:ice_clean_tx_ring+0xa/0xd0 [ice] [...] [ +0.000013] Call Trace: [ +0.000016] [ +0.000014] ? __die+0x1f/0x70 [ +0.000029] ? page_fault_oops+0x171/0x4f0 [ +0.000029] ? schedule+0x3b/0xd0 [ +0.000027] ? exc_page_fault+0x7b/0x180 [ +0.000022] ? asm_exc_page_fault+0x22/0x30 [ +0.000031] ? 
ice_clean_tx_ring+0xa/0xd0 [ice] [ +0.000194] ice_free_tx_ring+0xe/0x60 [ice] [ +0.000186] ice_destroy_xdp_rings+0x157/0x310 [ice] [ +0.000151] ice_vsi_decfg+0x53/0xe0 [ice] [ +0.000180] ice_vsi_rebuild+0x239/0x540 [ice] [ +0.000186] ice_vsi_rebuild_by_type+0x76/0x180 [ice] [ +0.000145] ice_rebuild+0x18c/0x840 [ice] [ +0.000145] ? delay_tsc+0x4a/0xc0 [ +0.000022] ? delay_tsc+0x92/0xc0 [ +0.000020] ice_do_reset+0x140/0x180 [ice] [ +0.000886] ice_service_task+0x404/0x1030 [ice] [ +0.000824] process_one_work+0x171/0x340 [ +0.000685] worker_thread+0x277/0x3a0 [ +0.000675] ? preempt_count_add+0x6a/0xa0 [ +0.000677] ? _raw_spin_lock_irqsave+0x23/0x50 [ +0.000679] ? __pfx_worker_thread+0x10/0x10 [ +0.000653] kthread+0xf0/0x120 [ +0.000635] ? __pfx_kthread+0x10/0x10 [ +0.000616] ret_from_fork+0x2d/0x50 [ +0.000612] ? __pfx_kthread+0x10/0x10 [ +0.000604] ret_from_fork_asm+0x1b/0x30 [ +0.000604] The previous way of handling this through returning -EBUSY is not viable, particularly when destroying AF_XDP socket, because the kernel proceeds with removal anyway. There is plenty of code between those calls and there is no need to create a large critical section that covers all of them, same as there is no need to protect ice_vsi_rebuild() with rtnl_lock(). Add xdp_state_lock mutex to protect ice_vsi_rebuild() and ice_xdp(). Leaving unprotected sections in between would result in two states that have to be considered: 1. when the VSI is closed, but not yet rebuild 2. when VSI is already rebuild, but not yet open The latter case is actually already handled through !netif_running() case, we just need to adjust flag checking a little. The former one is not as trivial, because between ice_vsi_close() and ice_vsi_rebuild(), a lot of hardware interaction happens, this can make adding/deleting rings exit with an error. Luckily, VSI rebuild is pending and can apply new configuration for us in a managed fashion. 
Therefore, add an additional VSI state flag ICE_VSI_REBUILD_PENDING to indicate that ice_x ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46767", "url": "https://ubuntu.com/security/CVE-2024-46767", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: phy: Fix missing of_node_put() for leds The call of of_get_child_by_name() will cause refcount incremented for leds, if it succeeds, it should call of_node_put() to decrease it, fix it.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46768", "url": "https://ubuntu.com/security/CVE-2024-46768", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (hp-wmi-sensors) Check if WMI event data exists The BIOS can choose to return no event data in response to a WMI event, so the ACPI object passed to the WMI notify handler can be NULL. Check for such a situation and ignore the event in such a case.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46770", "url": "https://ubuntu.com/security/CVE-2024-46770", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ice: Add netif_device_attach/detach into PF reset flow Ethtool callbacks can be executed while reset is in progress and try to access deleted resources, e.g. getting coalesce settings can result in a NULL pointer dereference seen below. 
Reproduction steps: Once the driver is fully initialized, trigger reset: \t# echo 1 > /sys/class/net//device/reset when reset is in progress try to get coalesce settings using ethtool: \t# ethtool -c BUG: kernel NULL pointer dereference, address: 0000000000000020 PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP PTI CPU: 11 PID: 19713 Comm: ethtool Tainted: G S 6.10.0-rc7+ #7 RIP: 0010:ice_get_q_coalesce+0x2e/0xa0 [ice] RSP: 0018:ffffbab1e9bcf6a8 EFLAGS: 00010206 RAX: 000000000000000c RBX: ffff94512305b028 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff9451c3f2e588 RDI: ffff9451c3f2e588 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: ffff9451c3f2e580 R11: 000000000000001f R12: ffff945121fa9000 R13: ffffbab1e9bcf760 R14: 0000000000000013 R15: ffffffff9e65dd40 FS: 00007faee5fbe740(0000) GS:ffff94546fd80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000020 CR3: 0000000106c2e005 CR4: 00000000001706f0 Call Trace: ice_get_coalesce+0x17/0x30 [ice] coalesce_prepare_data+0x61/0x80 ethnl_default_doit+0xde/0x340 genl_family_rcv_msg_doit+0xf2/0x150 genl_rcv_msg+0x1b3/0x2c0 netlink_rcv_skb+0x5b/0x110 genl_rcv+0x28/0x40 netlink_unicast+0x19c/0x290 netlink_sendmsg+0x222/0x490 __sys_sendto+0x1df/0x1f0 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x82/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7faee60d8e27 Calling netif_device_detach() before reset makes the net core not call the driver when ethtool command is issued, the attempt to execute an ethtool command during reset will result in the following message: netlink error: No such device instead of NULL pointer dereference. 
Once reset is done and ice_rebuild() is executing, the netif_device_attach() is called to allow for ethtool operations to occur again in a safe manner.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46771", "url": "https://ubuntu.com/security/CVE-2024-46771", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: can: bcm: Remove proc entry when dev is unregistered. syzkaller reported a warning in bcm_connect() below. [0] The repro calls connect() to vxcan1, removes vxcan1, and calls connect() with ifindex == 0. Calling connect() for a BCM socket allocates a proc entry. Then, bcm_sk(sk)->bound is set to 1 to prevent further connect(). However, removing the bound device resets bcm_sk(sk)->bound to 0 in bcm_notify(). The 2nd connect() tries to allocate a proc entry with the same name and sets NULL to bcm_sk(sk)->bcm_proc_read, leaking the original proc entry. Since the proc entry is available only for connect()ed sockets, let's clean up the entry when the bound netdev is unregistered. 
[0]: proc_dir_entry 'can-bcm/2456' already registered WARNING: CPU: 1 PID: 394 at fs/proc/generic.c:376 proc_register+0x645/0x8f0 fs/proc/generic.c:375 Modules linked in: CPU: 1 PID: 394 Comm: syz-executor403 Not tainted 6.10.0-rc7-g852e42cc2dd4 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:proc_register+0x645/0x8f0 fs/proc/generic.c:375 Code: 00 00 00 00 00 48 85 ed 0f 85 97 02 00 00 4d 85 f6 0f 85 9f 02 00 00 48 c7 c7 9b cb cf 87 48 89 de 4c 89 fa e8 1c 6f eb fe 90 <0f> 0b 90 90 48 c7 c7 98 37 99 89 e8 cb 7e 22 05 bb 00 00 00 10 48 RSP: 0018:ffa0000000cd7c30 EFLAGS: 00010246 RAX: 9e129be1950f0200 RBX: ff1100011b51582c RCX: ff1100011857cd80 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002 RBP: 0000000000000000 R08: ffd400000000000f R09: ff1100013e78cac0 R10: ffac800000cd7980 R11: ff1100013e12b1f0 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: ff1100011a99a2ec FS: 00007fbd7086f740(0000) GS:ff1100013fd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000200071c0 CR3: 0000000118556004 CR4: 0000000000771ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: proc_create_net_single+0x144/0x210 fs/proc/proc_net.c:220 bcm_connect+0x472/0x840 net/can/bcm.c:1673 __sys_connect_file net/socket.c:2049 [inline] __sys_connect+0x5d2/0x690 net/socket.c:2066 __do_sys_connect net/socket.c:2076 [inline] __se_sys_connect net/socket.c:2073 [inline] __x64_sys_connect+0x8f/0x100 net/socket.c:2073 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd9/0x1c0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7fbd708b0e5d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 
48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48 RSP: 002b:00007fff8cd33f08 EFLAGS: 00000246 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fbd708b0e5d RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000040 R09: 0000000000000040 R10: 0000000000000040 R11: 0000000000000246 R12: 00007fff8cd34098 R13: 0000000000401280 R14: 0000000000406de8 R15: 00007fbd70ab9000 remove_proc_entry: removing non-empty directory 'net/can-bcm', leaking at least '2456'", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46773", "url": "https://ubuntu.com/security/CVE-2024-46773", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check denominator pbn_div before used [WHAT & HOW] A denominator cannot be 0, and is checked before used. This fixes 1 DIVIDE_BY_ZERO issue reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-47667", "url": "https://ubuntu.com/security/CVE-2024-47667", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0) Errata #i2037 in AM65x/DRA80xM Processors Silicon Revision 1.0 (SPRZ452D_July 2018_Revised December 2019 [1]) mentions when an inbound PCIe TLP spans more than two internal AXI 128-byte bursts, the bus may corrupt the packet payload and the corrupt data may cause associated applications or the processor to hang. The workaround for Errata #i2037 is to limit the maximum read request size and maximum payload size to 128 bytes. Add workaround for Errata #i2037 here. The errata and workaround is applicable only to AM65x SR 1.0 and later versions of the silicon will have this fixed. 
[1] -> https://www.ti.com/lit/er/sprz452i/sprz452i.pdf", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46835", "url": "https://ubuntu.com/security/CVE-2024-46835", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix smatch static checker warning adev->gfx.imu.funcs could be NULL", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46776", "url": "https://ubuntu.com/security/CVE-2024-46776", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Run DC_LOG_DC after checking link->link_enc [WHAT] The DC_LOG_DC should be run after link->link_enc is checked, not before. This fixes 1 REVERSE_INULL issue reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46836", "url": "https://ubuntu.com/security/CVE-2024-46836", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: usb: gadget: aspeed_udc: validate endpoint index for ast udc We should verify the bound of the array to assure that host may not manipulate the index to point past endpoint array. Found by static analysis.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46777", "url": "https://ubuntu.com/security/CVE-2024-46777", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: udf: Avoid excessive partition lengths Avoid mounting filesystems where the partition would overflow the 32-bits used for block number. 
Also refuse to mount filesystems where the partition length is so large we cannot safely index bits in a block bitmap.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46825", "url": "https://ubuntu.com/security/CVE-2024-46825", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: use IWL_FW_CHECK for link ID check The lookup function iwl_mvm_rcu_fw_link_id_to_link_conf() is normally called with input from the firmware, so it should use IWL_FW_CHECK() instead of WARN_ON().", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46826", "url": "https://ubuntu.com/security/CVE-2024-46826", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ELF: fix kernel.randomize_va_space double read ELF loader uses \"randomize_va_space\" twice. It is sysctl and can change at any moment, so 2 loads could see 2 different values in theory with unpredictable consequences. Issue exactly one load for consistent value across one exec.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46827", "url": "https://ubuntu.com/security/CVE-2024-46827", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix firmware crash due to invalid peer nss Currently, if the access point receives an association request containing an Extended HE Capabilities Information Element with an invalid MCS-NSS, it triggers a firmware crash. This issue arises when EHT-PHY capabilities shows support for a bandwidth and MCS-NSS set for that particular bandwidth is filled by zeros and due to this, driver obtains peer_nss as 0 and sending this value to firmware causes crash. Address this issue by implementing a validation step for the peer_nss value before passing it to the firmware. 
If the value is greater than zero, proceed with forwarding it to the firmware. However, if the value is invalid, reject the association request to prevent potential firmware crashes. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-47669", "url": "https://ubuntu.com/security/CVE-2024-47669", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix state management in error path of log writing function After commit a694291a6211 (\"nilfs2: separate wait function from nilfs_segctor_write\") was applied, the log writing function nilfs_segctor_do_construct() was able to issue I/O requests continuously even if user data blocks were split into multiple logs across segments, but two potential flaws were introduced in its error handling. First, if nilfs_segctor_begin_construction() fails while creating the second or subsequent logs, the log writing function returns without calling nilfs_segctor_abort_construction(), so the writeback flag set on pages/folios will remain uncleared. This causes page cache operations to hang waiting for the writeback flag. For example, truncate_inode_pages_final(), which is called via nilfs_evict_inode() when an inode is evicted from memory, will hang. Second, the NILFS_I_COLLECTED flag set on normal inodes remains uncleared. As a result, if the next log write involves checkpoint creation, that's fine, but if a partial log write is performed that does not, inodes with NILFS_I_COLLECTED set are erroneously removed from the \"sc_dirty_files\" list, and their data and b-tree blocks may not be written to the device, corrupting the block mapping. 
Fix these issues by uniformly calling nilfs_segctor_abort_construction() on failure of each step in the loop in nilfs_segctor_do_construct(), having it clean up logs and segment usages according to progress, and correcting the conditions for calling nilfs_redirty_inodes() to ensure that the NILFS_I_COLLECTED flag is cleared.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46780", "url": "https://ubuntu.com/security/CVE-2024-46780", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nilfs2: protect references to superblock parameters exposed in sysfs The superblock buffers of nilfs2 can not only be overwritten at runtime for modifications/repairs, but they are also regularly swapped, replaced during resizing, and even abandoned when degrading to one side due to backing device issues. So, accessing them requires mutual exclusion using the reader/writer semaphore \"nilfs->ns_sem\". Some sysfs attribute show methods read this superblock buffer without the necessary mutual exclusion, which can cause problems with pointer dereferencing and memory access, so fix it.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46781", "url": "https://ubuntu.com/security/CVE-2024-46781", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix missing cleanup on rollforward recovery error In an error injection test of a routine for mount-time recovery, KASAN found a use-after-free bug. It turned out that if data recovery was performed using partial logs created by dsync writes, but an error occurred before starting the log writer to create a recovered checkpoint, the inodes whose data had been recovered were left in the ns_dirty_files list of the nilfs object and were not freed. 
Fix this issue by cleaning up inodes that have read the recovery data if the recovery routine fails midway before the log writer starts.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46828", "url": "https://ubuntu.com/security/CVE-2024-46828", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sched: sch_cake: fix bulk flow accounting logic for host fairness In sch_cake, we keep track of the count of active bulk flows per host, when running in dst/src host fairness mode, which is used as the round-robin weight when iterating through flows. The count of active bulk flows is updated whenever a flow changes state. This has a peculiar interaction with the hash collision handling: when a hash collision occurs (after the set-associative hashing), the state of the hash bucket is simply updated to match the new packet that collided, and if host fairness is enabled, that also means assigning new per-host state to the flow. For this reason, the bulk flow counters of the host(s) assigned to the flow are decremented, before new state is assigned (and the counters, which may not belong to the same host anymore, are incremented again). Back when this code was introduced, the host fairness mode was always enabled, so the decrement was unconditional. When the configuration flags were introduced the *increment* was made conditional, but the *decrement* was not. Which of course can lead to a spurious decrement (and associated wrap-around to U16_MAX). AFAICT, when host fairness is disabled, the decrement and wrap-around happens as soon as a hash collision occurs (which is not that common in itself, due to the set-associative hashing). However, in most cases this is harmless, as the value is only used when host fairness mode is enabled. 
So in order to trigger an array overflow, sch_cake has to first be configured with host fairness disabled, and while running in this mode, a hash collision has to occur to cause the overflow. Then, the qdisc has to be reconfigured to enable host fairness, which leads to the array out-of-bounds because the wrapped-around value is retained and used as an array index. It seems that syzbot managed to trigger this, which is quite impressive in its own right. This patch fixes the issue by introducing the same conditional check on decrement as is used on increment. The original bug predates the upstreaming of cake, but the commit listed in the Fixes tag touched that code, meaning that this patch won't apply before that.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46782", "url": "https://ubuntu.com/security/CVE-2024-46782", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ila: call nf_unregister_net_hooks() sooner syzbot found an use-after-free Read in ila_nf_input [1] Issue here is that ila_xlat_exit_net() frees the rhashtable, then call nf_unregister_net_hooks(). It should be done in the reverse way, with a synchronize_rcu(). This is a good match for a pre_exit() method. 
[1] BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline] BUG: KASAN: use-after-free in __rhashtable_lookup include/linux/rhashtable.h:604 [inline] BUG: KASAN: use-after-free in rhashtable_lookup include/linux/rhashtable.h:646 [inline] BUG: KASAN: use-after-free in rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 Read of size 4 at addr ffff888064620008 by task ksoftirqd/0/16 CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.11.0-rc4-syzkaller-00238-g2ad6d23f465a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 rht_key_hashfn include/linux/rhashtable.h:159 [inline] __rhashtable_lookup include/linux/rhashtable.h:604 [inline] rhashtable_lookup include/linux/rhashtable.h:646 [inline] rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline] ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline] ila_nf_input+0x1fe/0x3c0 net/ipv6/ila/ila_xlat.c:190 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312 __netif_receive_skb_one_core net/core/dev.c:5661 [inline] __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5775 process_backlog+0x662/0x15b0 net/core/dev.c:6108 __napi_poll+0xcb/0x490 net/core/dev.c:6772 napi_poll net/core/dev.c:6841 [inline] net_rx_action+0x89b/0x1240 net/core/dev.c:6963 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554 run_ksoftirqd+0xca/0x130 kernel/softirq.c:928 smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 
arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64620 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: 0xbfffffff(buddy) raw: 00fff00000000000 ffffea0000959608 ffffea00019d9408 0000000000000000 raw: 0000000000000000 0000000000000003 00000000bfffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 5242, tgid 5242 (syz-executor), ts 73611328570, free_ts 618981657187 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493 prep_new_page mm/page_alloc.c:1501 [inline] get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3439 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4695 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline] alloc_pages_node_noprof include/linux/gfp.h:296 [inline] ___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4103 __kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4130 __do_kmalloc_node mm/slub.c:4146 [inline] __kmalloc_node_noprof+0x2d2/0x440 mm/slub.c:4164 __kvmalloc_node_noprof+0x72/0x190 mm/util.c:650 bucket_table_alloc lib/rhashtable.c:186 [inline] rhashtable_init_noprof+0x534/0xa60 lib/rhashtable.c:1071 ila_xlat_init_net+0xa0/0x110 net/ipv6/ila/ila_xlat.c:613 ops_ini ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46783", "url": "https://ubuntu.com/security/CVE-2024-46783", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp_bpf: fix return value of tcp_bpf_sendmsg() When we cork messages in psock->cork, the last message triggers the flushing will result in sending a sk_msg larger than the current message size. 
In this case, in tcp_bpf_send_verdict(), 'copied' becomes negative at least in the following case: 468 case __SK_DROP: 469 default: 470 sk_msg_free_partial(sk, msg, tosend); 471 sk_msg_apply_bytes(psock, tosend); 472 *copied -= (tosend + delta); // <==== HERE 473 return -EACCES; Therefore, it could lead to the following BUG with a proper value of 'copied' (thanks to syzbot). We should not use negative 'copied' as a return value here. ------------[ cut here ]------------ kernel BUG at net/socket.c:733! Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP Modules linked in: CPU: 0 UID: 0 PID: 3265 Comm: syz-executor510 Not tainted 6.11.0-rc3-syzkaller-00060-gd07b43284ab3 #0 Hardware name: linux,dummy-virt (DT) pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) pc : sock_sendmsg_nosec net/socket.c:733 [inline] pc : sock_sendmsg_nosec net/socket.c:728 [inline] pc : __sock_sendmsg+0x5c/0x60 net/socket.c:745 lr : sock_sendmsg_nosec net/socket.c:730 [inline] lr : __sock_sendmsg+0x54/0x60 net/socket.c:745 sp : ffff800088ea3b30 x29: ffff800088ea3b30 x28: fbf00000062bc900 x27: 0000000000000000 x26: ffff800088ea3bc0 x25: ffff800088ea3bc0 x24: 0000000000000000 x23: f9f00000048dc000 x22: 0000000000000000 x21: ffff800088ea3d90 x20: f9f00000048dc000 x19: ffff800088ea3d90 x18: 0000000000000001 x17: 0000000000000000 x16: 0000000000000000 x15: 000000002002ffaf x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: ffff8000815849c0 x9 : ffff8000815b49c0 x8 : 0000000000000000 x7 : 000000000000003f x6 : 0000000000000000 x5 : 00000000000007e0 x4 : fff07ffffd239000 x3 : fbf00000062bc900 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 00000000fffffdef Call trace: sock_sendmsg_nosec net/socket.c:733 [inline] __sock_sendmsg+0x5c/0x60 net/socket.c:745 ____sys_sendmsg+0x274/0x2ac net/socket.c:2597 ___sys_sendmsg+0xac/0x100 net/socket.c:2651 __sys_sendmsg+0x84/0xe0 net/socket.c:2680 __do_sys_sendmsg net/socket.c:2689 [inline] 
__se_sys_sendmsg net/socket.c:2687 [inline] __arm64_sys_sendmsg+0x24/0x30 net/socket.c:2687 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x48/0x110 arch/arm64/kernel/syscall.c:49 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151 el0_svc+0x34/0xec arch/arm64/kernel/entry-common.c:712 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598 Code: f9404463 d63f0060 3108441f 54fffe81 (d4210000) ---[ end trace 0000000000000000 ]---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46784", "url": "https://ubuntu.com/security/CVE-2024-46784", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup Currently napi_disable() gets called during rxq and txq cleanup, even before napi is enabled and hrtimer is initialized. It causes kernel panic. ? page_fault_oops+0x136/0x2b0 ? page_counter_cancel+0x2e/0x80 ? do_user_addr_fault+0x2f2/0x640 ? refill_obj_stock+0xc4/0x110 ? exc_page_fault+0x71/0x160 ? asm_exc_page_fault+0x27/0x30 ? __mmdrop+0x10/0x180 ? __mmdrop+0xec/0x180 ? hrtimer_active+0xd/0x50 hrtimer_try_to_cancel+0x2c/0xf0 hrtimer_cancel+0x15/0x30 napi_disable+0x65/0x90 mana_destroy_rxq+0x4c/0x2f0 mana_create_rxq.isra.0+0x56c/0x6d0 ? mana_uncfg_vport+0x50/0x50 mana_alloc_queues+0x21b/0x320 ? 
skb_dequeue+0x5f/0x80", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46785", "url": "https://ubuntu.com/security/CVE-2024-46785", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: eventfs: Use list_del_rcu() for SRCU protected list variable Chi Zhiling reported: We found a null pointer accessing in tracefs[1], the reason is that the variable 'ei_child' is set to LIST_POISON1, that means the list was removed in eventfs_remove_rec. so when access the ei_child->is_freed, the panic triggered. by the way, the following script can reproduce this panic loop1 (){ while true do echo \"p:kp submit_bio\" > /sys/kernel/debug/tracing/kprobe_events echo \"\" > /sys/kernel/debug/tracing/kprobe_events done } loop2 (){ while true do tree /sys/kernel/debug/tracing/events/kprobes/ done } loop1 & loop2 [1]: [ 1147.959632][T17331] Unable to handle kernel paging request at virtual address dead000000000150 [ 1147.968239][T17331] Mem abort info: [ 1147.971739][T17331] ESR = 0x0000000096000004 [ 1147.976172][T17331] EC = 0x25: DABT (current EL), IL = 32 bits [ 1147.982171][T17331] SET = 0, FnV = 0 [ 1147.985906][T17331] EA = 0, S1PTW = 0 [ 1147.989734][T17331] FSC = 0x04: level 0 translation fault [ 1147.995292][T17331] Data abort info: [ 1147.998858][T17331] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 1148.005023][T17331] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 1148.010759][T17331] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 1148.016752][T17331] [dead000000000150] address between user and kernel address ranges [ 1148.024571][T17331] Internal error: Oops: 0000000096000004 [#1] SMP [ 1148.030825][T17331] Modules linked in: team_mode_loadbalance team nlmon act_gact cls_flower sch_ingress bonding tls macvlan dummy ib_core bridge stp llc veth amdgpu amdxcp mfd_core gpu_sched drm_exec drm_buddy radeon crct10dif_ce video drm_suballoc_helper ghash_ce drm_ttm_helper sha2_ce ttm sha256_arm64 i2c_algo_bit 
sha1_ce sbsa_gwdt cp210x drm_display_helper cec sr_mod cdrom drm_kms_helper binfmt_misc sg loop fuse drm dm_mod nfnetlink ip_tables autofs4 [last unloaded: tls] [ 1148.072808][T17331] CPU: 3 PID: 17331 Comm: ls Tainted: G W ------- ---- 6.6.43 #2 [ 1148.081751][T17331] Source Version: 21b3b386e948bedd29369af66f3e98ab01b1c650 [ 1148.088783][T17331] Hardware name: Greatwall GW-001M1A-FTF/GW-001M1A-FTF, BIOS KunLun BIOS V4.0 07/16/2020 [ 1148.098419][T17331] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 1148.106060][T17331] pc : eventfs_iterate+0x2c0/0x398 [ 1148.111017][T17331] lr : eventfs_iterate+0x2fc/0x398 [ 1148.115969][T17331] sp : ffff80008d56bbd0 [ 1148.119964][T17331] x29: ffff80008d56bbf0 x28: ffff001ff5be2600 x27: 0000000000000000 [ 1148.127781][T17331] x26: ffff001ff52ca4e0 x25: 0000000000009977 x24: dead000000000100 [ 1148.135598][T17331] x23: 0000000000000000 x22: 000000000000000b x21: ffff800082645f10 [ 1148.143415][T17331] x20: ffff001fddf87c70 x19: ffff80008d56bc90 x18: 0000000000000000 [ 1148.151231][T17331] x17: 0000000000000000 x16: 0000000000000000 x15: ffff001ff52ca4e0 [ 1148.159048][T17331] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 1148.166864][T17331] x11: 0000000000000000 x10: 0000000000000000 x9 : ffff8000804391d0 [ 1148.174680][T17331] x8 : 0000000180000000 x7 : 0000000000000018 x6 : 0000aaab04b92862 [ 1148.182498][T17331] x5 : 0000aaab04b92862 x4 : 0000000080000000 x3 : 0000000000000068 [ 1148.190314][T17331] x2 : 000000000000000f x1 : 0000000000007ea8 x0 : 0000000000000001 [ 1148.198131][T17331] Call trace: [ 1148.201259][T17331] eventfs_iterate+0x2c0/0x398 [ 1148.205864][T17331] iterate_dir+0x98/0x188 [ 1148.210036][T17331] __arm64_sys_getdents64+0x78/0x160 [ 1148.215161][T17331] invoke_syscall+0x78/0x108 [ 1148.219593][T17331] el0_svc_common.constprop.0+0x48/0xf0 [ 1148.224977][T17331] do_el0_svc+0x24/0x38 [ 1148.228974][T17331] el0_svc+0x40/0x168 [ 1148.232798][T17 ---truncated---", 
"cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46786", "url": "https://ubuntu.com/security/CVE-2024-46786", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF The fscache_cookie_lru_timer is initialized when the fscache module is inserted, but is not deleted when the fscache module is removed. If timer_reduce() is called before removing the fscache module, the fscache_cookie_lru_timer will be added to the timer list of the current cpu. Afterwards, a use-after-free will be triggered in the softIRQ after removing the fscache module, as follows: ================================================================== BUG: unable to handle page fault for address: fffffbfff803c9e9 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 21ffea067 P4D 21ffea067 PUD 21ffe6067 PMD 110a7c067 PTE 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G W 6.11.0-rc3 #855 Tainted: [W]=WARN RIP: 0010:__run_timer_base.part.0+0x254/0x8a0 Call Trace: tmigr_handle_remote_up+0x627/0x810 __walk_groups.isra.0+0x47/0x140 tmigr_handle_remote+0x1fa/0x2f0 handle_softirqs+0x180/0x590 irq_exit_rcu+0x84/0xb0 sysvec_apic_timer_interrupt+0x6e/0x90 asm_sysvec_apic_timer_interrupt+0x1a/0x20 RIP: 0010:default_idle+0xf/0x20 default_idle_call+0x38/0x60 do_idle+0x2b5/0x300 cpu_startup_entry+0x54/0x60 start_secondary+0x20d/0x280 common_startup_64+0x13e/0x148 Modules linked in: [last unloaded: netfs] ================================================================== Therefore delete fscache_cookie_lru_timer when removing the fscache module.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46787", "url": "https://ubuntu.com/security/CVE-2024-46787", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: 
userfaultfd: fix checks for huge PMDs Patch series \"userfaultfd: fix races around pmd_trans_huge() check\", v2. The pmd_trans_huge() code in mfill_atomic() is wrong in three different ways depending on kernel version: 1. The pmd_trans_huge() check is racy and can lead to a BUG_ON() (if you hit the right two race windows) - I've tested this in a kernel build with some extra mdelay() calls. See the commit message for a description of the race scenario. On older kernels (before 6.5), I think the same bug can even theoretically lead to accessing transhuge page contents as a page table if you hit the right 5 narrow race windows (I haven't tested this case). 2. As pointed out by Qi Zheng, pmd_trans_huge() is not sufficient for detecting PMDs that don't point to page tables. On older kernels (before 6.5), you'd just have to win a single fairly wide race to hit this. I've tested this on 6.1 stable by racing migration (with a mdelay() patched into try_to_migrate()) against UFFDIO_ZEROPAGE - on my x86 VM, that causes a kernel oops in ptlock_ptr(). 3. On newer kernels (>=6.5), for shmem mappings, khugepaged is allowed to yank page tables out from under us (though I haven't tested that), so I think the BUG_ON() checks in mfill_atomic() are just wrong. I decided to write two separate fixes for these (one fix for bugs 1+2, one fix for bug 3), so that the first fix can be backported to kernels affected by bugs 1+2. This patch (of 2): This fixes two issues. I discovered that the following race can occur: mfill_atomic other thread ============ ============ pmdp_get_lockless() [reads none pmd] __pte_alloc [no-op] BUG_ON(pmd_none(*dst_pmd)) I have experimentally verified this in a kernel with extra mdelay() calls; the BUG_ON(pmd_none(*dst_pmd)) triggers. 
On kernels newer than commit 0d940a9b270b (\"mm/pgtable: allow pte_offset_map[_lock]() to fail\"), this can't lead to anything worse than a BUG_ON(), since the page table access helpers are actually designed to deal with page tables concurrently disappearing; but on older kernels (<=6.4), I think we could probably theoretically race past the two BUG_ON() checks and end up treating a hugepage as a page table. The second issue is that, as Qi Zheng pointed out, there are other types of huge PMDs that pmd_trans_huge() can't catch: devmap PMDs and swap PMDs (in particular, migration PMDs). On <=6.4, this is worse than the first issue: If mfill_atomic() runs on a PMD that contains a migration entry (which just requires winning a single, fairly wide race), it will pass the PMD to pte_offset_map_lock(), which assumes that the PMD points to a page table. Breakage follows: First, the kernel tries to take the PTE lock (which will crash or maybe worse if there is no \"struct page\" for the address bits in the migration entry PMD - I think at least on X86 there usually is no corresponding \"struct page\" thanks to the PTE inversion mitigation, amd64 looks different). If that didn't crash, the kernel would next try to write a PTE into what it wrongly thinks is a page table. As part of fixing these issues, get rid of the check for pmd_trans_huge() before __pte_alloc() - that's redundant, we're going to have to check for that after the __pte_alloc() anyway. 
Backport note: pmdp_get_lockless() is pmd_read_atomic() in older kernels.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46838", "url": "https://ubuntu.com/security/CVE-2024-46838", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: userfaultfd: don't BUG_ON() if khugepaged yanks our page table Since khugepaged was changed to allow retracting page tables in file mappings without holding the mmap lock, these BUG_ON()s are wrong - get rid of them. We could also remove the preceding \"if (unlikely(...))\" block, but then we could reach pte_offset_map_lock() with transhuge pages not just for file mappings but also for anonymous mappings - which would probably be fine but I think is not necessarily expected.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46845", "url": "https://ubuntu.com/security/CVE-2024-46845", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tracing/timerlat: Only clear timer if a kthread exists The timerlat tracer can use user space threads to check for osnoise and timer latency. If the program using this is killed via a SIGTERM, the threads are shutdown one at a time and another tracing instance can start up resetting the threads before they are fully closed. That causes the hrtimer assigned to the kthread to be shutdown and freed twice when the dying thread finally closes the file descriptors, causing a use-after-free bug. Only cancel the hrtimer if the associated thread is still around. Also add the interface_lock around the resetting of the tlat_var->kthread. Note, this is just a quick fix that can be backported to stable. 
A real fix is to have a better synchronization between the shutdown of old threads and the starting of new ones.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46788", "url": "https://ubuntu.com/security/CVE-2024-46788", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tracing/osnoise: Use a cpumask to know what threads are kthreads The start_kthread() and stop_thread() code was not always called with the interface_lock held. This means that the kthread variable could be unexpectedly changed causing the kthread_stop() to be called on it when it should not have been, leading to: while true; do rtla timerlat top -u -q & PID=$!; sleep 5; kill -INT $PID; sleep 0.001; kill -TERM $PID; wait $PID; done Causing the following OOPS: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] CPU: 5 UID: 0 PID: 885 Comm: timerlatu/5 Not tainted 6.11.0-rc4-test-00002-gbc754cc76d1b-dirty #125 a533010b71dab205ad2f507188ce8c82203b0254 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:hrtimer_active+0x58/0x300 Code: 48 c1 ee 03 41 54 48 01 d1 48 01 d6 55 53 48 83 ec 20 80 39 00 0f 85 30 02 00 00 49 8b 6f 30 4c 8d 75 10 4c 89 f0 48 c1 e8 03 <0f> b6 3c 10 4c 89 f0 83 e0 07 83 c0 03 40 38 f8 7c 09 40 84 ff 0f RSP: 0018:ffff88811d97f940 EFLAGS: 00010202 RAX: 0000000000000002 RBX: ffff88823c6b5b28 RCX: ffffed10478d6b6b RDX: dffffc0000000000 RSI: ffffed10478d6b6c RDI: ffff88823c6b5b28 RBP: 0000000000000000 R08: ffff88823c6b5b58 R09: ffff88823c6b5b60 R10: ffff88811d97f957 R11: 0000000000000010 R12: 00000000000a801d R13: ffff88810d8b35d8 R14: 0000000000000010 R15: ffff88823c6b5b28 FS: 0000000000000000(0000) GS:ffff88823c680000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000561858ad7258 
CR3: 000000007729e001 CR4: 0000000000170ef0 Call Trace: ? die_addr+0x40/0xa0 ? exc_general_protection+0x154/0x230 ? asm_exc_general_protection+0x26/0x30 ? hrtimer_active+0x58/0x300 ? __pfx_mutex_lock+0x10/0x10 ? __pfx_locks_remove_file+0x10/0x10 hrtimer_cancel+0x15/0x40 timerlat_fd_release+0x8e/0x1f0 ? security_file_release+0x43/0x80 __fput+0x372/0xb10 task_work_run+0x11e/0x1f0 ? _raw_spin_lock+0x85/0xe0 ? __pfx_task_work_run+0x10/0x10 ? poison_slab_object+0x109/0x170 ? do_exit+0x7a0/0x24b0 do_exit+0x7bd/0x24b0 ? __pfx_migrate_enable+0x10/0x10 ? __pfx_do_exit+0x10/0x10 ? __pfx_read_tsc+0x10/0x10 ? ktime_get+0x64/0x140 ? _raw_spin_lock_irq+0x86/0xe0 do_group_exit+0xb0/0x220 get_signal+0x17ba/0x1b50 ? vfs_read+0x179/0xa40 ? timerlat_fd_read+0x30b/0x9d0 ? __pfx_get_signal+0x10/0x10 ? __pfx_timerlat_fd_read+0x10/0x10 arch_do_signal_or_restart+0x8c/0x570 ? __pfx_arch_do_signal_or_restart+0x10/0x10 ? vfs_read+0x179/0xa40 ? ksys_read+0xfe/0x1d0 ? __pfx_ksys_read+0x10/0x10 syscall_exit_to_user_mode+0xbc/0x130 do_syscall_64+0x74/0x110 ? __pfx___rseq_handle_notify_resume+0x10/0x10 ? __pfx_ksys_read+0x10/0x10 ? fpregs_restore_userregs+0xdb/0x1e0 ? fpregs_restore_userregs+0xdb/0x1e0 ? syscall_exit_to_user_mode+0x116/0x130 ? do_syscall_64+0x74/0x110 ? do_syscall_64+0x74/0x110 ? do_syscall_64+0x74/0x110 entry_SYSCALL_64_after_hwframe+0x71/0x79 RIP: 0033:0x7ff0070eca9c Code: Unable to access opcode bytes at 0x7ff0070eca72. 
RSP: 002b:00007ff006dff8c0 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00007ff0070eca9c RDX: 0000000000000400 RSI: 00007ff006dff9a0 RDI: 0000000000000003 RBP: 00007ff006dffde0 R08: 0000000000000000 R09: 00007ff000000ba0 R10: 00007ff007004b08 R11: 0000000000000246 R12: 0000000000000003 R13: 00007ff006dff9a0 R14: 0000000000000007 R15: 0000000000000008 Modules linked in: snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec snd_hwdep snd_hda_core ---[ end trace 0000000000000000 ]--- This is because it would mistakenly call kthread_stop() on a user space thread making it \"exit\" before it actually exits. Since kthread ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46846", "url": "https://ubuntu.com/security/CVE-2024-46846", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: spi: rockchip: Resolve unbalanced runtime PM / system PM handling Commit e882575efc77 (\"spi: rockchip: Suspend and resume the bus during NOIRQ_SYSTEM_SLEEP_PM ops\") stopped respecting runtime PM status and simply disabled clocks unconditionally when suspending the system. This causes problems when the device is already runtime suspended when we go to sleep -- in which case we double-disable clocks and produce a WARNing. Switch back to pm_runtime_force_{suspend,resume}(), because that still seems like the right thing to do, and the aforementioned commit makes no explanation why it stopped using it. 
Also, refactor some of the resume() error handling, because it's not actually a good idea to re-disable clocks on failure.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46847", "url": "https://ubuntu.com/security/CVE-2024-46847", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm: vmalloc: ensure vmap_block is initialised before adding to queue Commit 8c61291fd850 (\"mm: fix incorrect vbq reference in purge_fragmented_block\") extended the 'vmap_block' structure to contain a 'cpu' field which is set at allocation time to the id of the initialising CPU. When a new 'vmap_block' is being instantiated by new_vmap_block(), the partially initialised structure is added to the local 'vmap_block_queue' xarray before the 'cpu' field has been initialised. If another CPU is concurrently walking the xarray (e.g. via vm_unmap_aliases()), then it may perform an out-of-bounds access to the remote queue thanks to an uninitialised index. This has been observed as UBSAN errors in Android: | Internal error: UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP | | Call trace: | purge_fragmented_block+0x204/0x21c | _vm_unmap_aliases+0x170/0x378 | vm_unmap_aliases+0x1c/0x28 | change_memory_common+0x1dc/0x26c | set_memory_ro+0x18/0x24 | module_enable_ro+0x98/0x238 | do_init_module+0x1b0/0x310 Move the initialisation of 'vb->cpu' in new_vmap_block() ahead of the addition to the xarray.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46791", "url": "https://ubuntu.com/security/CVE-2024-46791", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open The mcp251x_hw_wake() function is called with the mcp_lock mutex held and disables the interrupt handler so that no interrupts can be processed while waking the device. 
If an interrupt has already occurred then waiting for the interrupt handler to complete will deadlock because it will be trying to acquire the same mutex. CPU0 CPU1 ---- ---- mcp251x_open() mutex_lock(&priv->mcp_lock) request_threaded_irq() mcp251x_can_ist() mutex_lock(&priv->mcp_lock) mcp251x_hw_wake() disable_irq() <-- deadlock Use disable_irq_nosync() instead because the interrupt handler does everything while holding the mutex so it doesn't matter if it's still running.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46829", "url": "https://ubuntu.com/security/CVE-2024-46829", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rtmutex: Drop rt_mutex::wait_lock before scheduling rt_mutex_handle_deadlock() is called with rt_mutex::wait_lock held. In the good case it returns with the lock held and in the deadlock case it emits a warning and goes into an endless scheduling loop with the lock held, which triggers the 'scheduling in atomic' warning. Unlock rt_mutex::wait_lock in the dead lock case before issuing the warning and dropping into the schedule for ever loop. [ tglx: Moved unlock before the WARN(), removed the pointless comment, \tmassaged changelog, added Fixes tag ]", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46848", "url": "https://ubuntu.com/security/CVE-2024-46848", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: Limit the period on Haswell Running the ltp test cve-2015-3290 concurrently reports the following warnings. perfevents: irq loop stuck! WARNING: CPU: 31 PID: 32438 at arch/x86/events/intel/core.c:3174 intel_pmu_handle_irq+0x285/0x370 Call Trace: ? __warn+0xa4/0x220 ? intel_pmu_handle_irq+0x285/0x370 ? __report_bug+0x123/0x130 ? intel_pmu_handle_irq+0x285/0x370 ? __report_bug+0x123/0x130 ? intel_pmu_handle_irq+0x285/0x370 ? report_bug+0x3e/0xa0 ? 
handle_bug+0x3c/0x70 ? exc_invalid_op+0x18/0x50 ? asm_exc_invalid_op+0x1a/0x20 ? irq_work_claim+0x1e/0x40 ? intel_pmu_handle_irq+0x285/0x370 perf_event_nmi_handler+0x3d/0x60 nmi_handle+0x104/0x330 Thanks to Thomas Gleixner's analysis, the issue is caused by the low initial period (1) of the frequency estimation algorithm, which triggers the defects of the HW, specifically erratum HSW11 and HSW143. (For the details, please refer https://lore.kernel.org/lkml/87plq9l5d2.ffs@tglx/) The HSW11 requires a period larger than 100 for the INST_RETIRED.ALL event, but the initial period in the freq mode is 1. The erratum is the same as the BDM11, which has been supported in the kernel. A minimum period of 128 is enforced as well on HSW. HSW143 is regarding that the fixed counter 1 may overcount 32 with the Hyper-Threading is enabled. However, based on the test, the hardware has more issues than it tells. Besides the fixed counter 1, the message 'interrupt took too long' can be observed on any counter which was armed with a period < 32 and two events expired in the same NMI. A minimum period of 32 is enforced for the rest of the events. The recommended workaround code of the HSW143 is not implemented. Because it only addresses the issue for the fixed counter. It brings extra overhead through extra MSR writing. No related overcounting issue has been reported so far.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46794", "url": "https://ubuntu.com/security/CVE-2024-46794", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: x86/tdx: Fix data leak in mmio_read() The mmio_read() function makes a TDVMCALL to retrieve MMIO data for an address from the VMM. Sean noticed that mmio_read() unintentionally exposes the value of an initialized variable (val) on the stack to the VMM. This variable is only needed as an output value. It did not need to be passed to the VMM in the first place. 
Do not send the original value of *val to the VMM. [ dhansen: clarify what 'val' is used for. ]", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46795", "url": "https://ubuntu.com/security/CVE-2024-46795", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: unset the binding mark of a reused connection Steve French reported null pointer dereference error from sha256 lib. cifs.ko can send session setup requests on reused connection. If reused connection is used for binding session, conn->binding can still remain true and generate_preauth_hash() will not set sess->Preauth_HashValue and it will be NULL. It is used as a material to create an encryption key in ksmbd_gen_smb311_encryptionkey. ->Preauth_HashValue cause null pointer dereference error from crypto_shash_update(). BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 8 PID: 429254 Comm: kworker/8:39 Hardware name: LENOVO 20MAS08500/20MAS08500, BIOS N2CET69W (1.52 ) Workqueue: ksmbd-io handle_ksmbd_work [ksmbd] RIP: 0010:lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3] ? show_regs+0x6d/0x80 ? __die+0x24/0x80 ? page_fault_oops+0x99/0x1b0 ? do_user_addr_fault+0x2ee/0x6b0 ? exc_page_fault+0x83/0x1b0 ? asm_exc_page_fault+0x27/0x30 ? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3] ? lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3] ? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3] ? 
__pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3] _sha256_update+0x77/0xa0 [sha256_ssse3] sha256_avx2_update+0x15/0x30 [sha256_ssse3] crypto_shash_update+0x1e/0x40 hmac_update+0x12/0x20 crypto_shash_update+0x1e/0x40 generate_key+0x234/0x380 [ksmbd] generate_smb3encryptionkey+0x40/0x1c0 [ksmbd] ksmbd_gen_smb311_encryptionkey+0x72/0xa0 [ksmbd] ntlm_authenticate.isra.0+0x423/0x5d0 [ksmbd] smb2_sess_setup+0x952/0xaa0 [ksmbd] __process_request+0xa3/0x1d0 [ksmbd] __handle_ksmbd_work+0x1c4/0x2f0 [ksmbd] handle_ksmbd_work+0x2d/0xa0 [ksmbd] process_one_work+0x16c/0x350 worker_thread+0x306/0x440 ? __pfx_worker_thread+0x10/0x10 kthread+0xef/0x120 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x44/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 ", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46797", "url": "https://ubuntu.com/security/CVE-2024-46797", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/qspinlock: Fix deadlock in MCS queue If an interrupt occurs in queued_spin_lock_slowpath() after we increment qnodesp->count and before node->lock is initialized, another CPU might see stale lock values in get_tail_qnode(). If the stale lock value happens to match the lock on that CPU, then we write to the \"next\" pointer of the wrong qnode. This causes a deadlock as the former CPU, once it becomes the head of the MCS queue, will spin indefinitely until it's \"next\" pointer is set by its successor in the queue. Running stress-ng on a 16 core (16EC/16VP) shared LPAR, results in occasional lockups similar to the following: $ stress-ng --all 128 --vm-bytes 80% --aggressive \\ --maximize --oomable --verify --syslog \\ --metrics --times --timeout 5m watchdog: CPU 15 Hard LOCKUP ...... 
NIP [c0000000000b78f4] queued_spin_lock_slowpath+0x1184/0x1490 LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90 Call Trace: 0xc000002cfffa3bf0 (unreliable) _raw_spin_lock+0x6c/0x90 raw_spin_rq_lock_nested.part.135+0x4c/0xd0 sched_ttwu_pending+0x60/0x1f0 __flush_smp_call_function_queue+0x1dc/0x670 smp_ipi_demux_relaxed+0xa4/0x100 xive_muxed_ipi_action+0x20/0x40 __handle_irq_event_percpu+0x80/0x240 handle_irq_event_percpu+0x2c/0x80 handle_percpu_irq+0x84/0xd0 generic_handle_irq+0x54/0x80 __do_irq+0xac/0x210 __do_IRQ+0x74/0xd0 0x0 do_IRQ+0x8c/0x170 hardware_interrupt_common_virt+0x29c/0x2a0 --- interrupt: 500 at queued_spin_lock_slowpath+0x4b8/0x1490 ...... NIP [c0000000000b6c28] queued_spin_lock_slowpath+0x4b8/0x1490 LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90 --- interrupt: 500 0xc0000029c1a41d00 (unreliable) _raw_spin_lock+0x6c/0x90 futex_wake+0x100/0x260 do_futex+0x21c/0x2a0 sys_futex+0x98/0x270 system_call_exception+0x14c/0x2f0 system_call_vectored_common+0x15c/0x2ec The following code flow illustrates how the deadlock occurs. For the sake of brevity, assume that both locks (A and B) are contended and we call the queued_spin_lock_slowpath() function. CPU0 CPU1 ---- ---- spin_lock_irqsave(A) | spin_unlock_irqrestore(A) | spin_lock(B) | | | ? | id = qnodesp->count++; | (Note that nodes[0].lock == A) | | | ? | Interrupt | (happens before \"nodes[0].lock = B\") | | | ? | spin_lock_irqsave(A) | | | ? | id = qnodesp->count++ | nodes[1].lock = A | | | ? | Tail of MCS queue | | spin_lock_irqsave(A) ? | Head of MCS queue ? | CPU0 is previous tail ? | Spin indefinitely ? (until \"nodes[1].next != NULL\") prev = get_tail_qnode(A, CPU0) | ? 
prev == &qnodes[CPU0].nodes[0] (as qnodes ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46830", "url": "https://ubuntu.com/security/CVE-2024-46830", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS Grab kvm->srcu when processing KVM_SET_VCPU_EVENTS, as KVM will forcibly leave nested VMX/SVM if SMM mode is being toggled, and leaving nested VMX reads guest memory. Note, kvm_vcpu_ioctl_x86_set_vcpu_events() can also be called from KVM_RUN via sync_regs(), which already holds SRCU. I.e. trying to precisely use kvm_vcpu_srcu_read_lock() around the problematic SMM code would cause problems. Acquiring SRCU isn't all that expensive, so for simplicity, grab it unconditionally for KVM_SET_VCPU_EVENTS. ============================= WARNING: suspicious RCU usage 6.10.0-rc7-332d2c1d713e-next-vm #552 Not tainted ----------------------------- include/linux/kvm_host.h:1027 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by repro/1071: #0: ffff88811e424430 (&vcpu->mutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x7d/0x970 [kvm] stack backtrace: CPU: 15 PID: 1071 Comm: repro Not tainted 6.10.0-rc7-332d2c1d713e-next-vm #552 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Call Trace: dump_stack_lvl+0x7f/0x90 lockdep_rcu_suspicious+0x13f/0x1a0 kvm_vcpu_gfn_to_memslot+0x168/0x190 [kvm] kvm_vcpu_read_guest+0x3e/0x90 [kvm] nested_vmx_load_msr+0x6b/0x1d0 [kvm_intel] load_vmcs12_host_state+0x432/0xb40 [kvm_intel] vmx_leave_nested+0x30/0x40 [kvm_intel] kvm_vcpu_ioctl_x86_set_vcpu_events+0x15d/0x2b0 [kvm] kvm_arch_vcpu_ioctl+0x1107/0x1750 [kvm] ? mark_held_locks+0x49/0x70 ? kvm_vcpu_ioctl+0x7d/0x970 [kvm] ? kvm_vcpu_ioctl+0x497/0x970 [kvm] kvm_vcpu_ioctl+0x497/0x970 [kvm] ? lock_acquire+0xba/0x2d0 ? 
find_held_lock+0x2b/0x80 ? do_user_addr_fault+0x40c/0x6f0 ? lock_release+0xb7/0x270 __x64_sys_ioctl+0x82/0xb0 do_syscall_64+0x6c/0x170 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7ff11eb1b539 ", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46798", "url": "https://ubuntu.com/security/CVE-2024-46798", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object When using kernel with the following extra config, - CONFIG_KASAN=y - CONFIG_KASAN_GENERIC=y - CONFIG_KASAN_INLINE=y - CONFIG_KASAN_VMALLOC=y - CONFIG_FRAME_WARN=4096 kernel detects that snd_pcm_suspend_all() accesses a freed 'snd_soc_pcm_runtime' object when the system is suspended, which leads to a use-after-free bug: [ 52.047746] BUG: KASAN: use-after-free in snd_pcm_suspend_all+0x1a8/0x270 [ 52.047765] Read of size 1 at addr ffff0000b9434d50 by task systemd-sleep/2330 [ 52.047785] Call trace: [ 52.047787] dump_backtrace+0x0/0x3c0 [ 52.047794] show_stack+0x34/0x50 [ 52.047797] dump_stack_lvl+0x68/0x8c [ 52.047802] print_address_description.constprop.0+0x74/0x2c0 [ 52.047809] kasan_report+0x210/0x230 [ 52.047815] __asan_report_load1_noabort+0x3c/0x50 [ 52.047820] snd_pcm_suspend_all+0x1a8/0x270 [ 52.047824] snd_soc_suspend+0x19c/0x4e0 The snd_pcm_sync_stop() has a NULL check on 'substream->runtime' before making any access. So we need to always set 'substream->runtime' to NULL every time we kfree() it.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46831", "url": "https://ubuntu.com/security/CVE-2024-46831", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: microchip: vcap: Fix use-after-free error in kunit test This is a clear use-after-free error. 
We remove it, and rely on checking the return code of vcap_del_rule.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46747", "url": "https://ubuntu.com/security/CVE-2024-46747", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup report_fixup for the Cougar 500k Gaming Keyboard was not verifying that the report descriptor size was correct before accessing it", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46725", "url": "https://ubuntu.com/security/CVE-2024-46725", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix out-of-bounds write warning Check the ring type value to fix the out-of-bounds write warning", "cve_priority": "medium", "cve_public_date": "2024-09-18 07:15:00 UTC" }, { "cve": "CVE-2024-46724", "url": "https://ubuntu.com/security/CVE-2024-46724", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number Check the fb_channel_number range to avoid the array out-of-bounds read error", "cve_priority": "medium", "cve_public_date": "2024-09-18 07:15:00 UTC" }, { "cve": "CVE-2024-46723", "url": "https://ubuntu.com/security/CVE-2024-46723", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix ucode out-of-bounds read warning Clear warning that read ucode[] may out-of-bounds.", "cve_priority": "medium", "cve_public_date": "2024-09-18 07:15:00 UTC" }, { "cve": "CVE-2024-46743", "url": "https://ubuntu.com/security/CVE-2024-46743", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: of/irq: Prevent device address out-of-bounds read in interrupt map walk When of_irq_parse_raw() is invoked with a device address smaller than the interrupt parent node 
(from #address-cells property), KASAN detects the following out-of-bounds read when populating the initial match table (dyndbg=\"func of_irq_parse_* +p\"): OF: of_irq_parse_one: dev=/soc@0/picasso/watchdog, index=0 OF: parent=/soc@0/pci@878000000000/gpio0@17,0, intsize=2 OF: intspec=4 OF: of_irq_parse_raw: ipar=/soc@0/pci@878000000000/gpio0@17,0, size=2 OF: -> addrsize=3 ================================================================== BUG: KASAN: slab-out-of-bounds in of_irq_parse_raw+0x2b8/0x8d0 Read of size 4 at addr ffffff81beca5608 by task bash/764 CPU: 1 PID: 764 Comm: bash Tainted: G O 6.1.67-484c613561-nokia_sm_arm64 #1 Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.01-12.24.03-dirty 01/01/2023 Call trace: dump_backtrace+0xdc/0x130 show_stack+0x1c/0x30 dump_stack_lvl+0x6c/0x84 print_report+0x150/0x448 kasan_report+0x98/0x140 __asan_load4+0x78/0xa0 of_irq_parse_raw+0x2b8/0x8d0 of_irq_parse_one+0x24c/0x270 parse_interrupts+0xc0/0x120 of_fwnode_add_links+0x100/0x2d0 fw_devlink_parse_fwtree+0x64/0xc0 device_add+0xb38/0xc30 of_device_add+0x64/0x90 of_platform_device_create_pdata+0xd0/0x170 of_platform_bus_create+0x244/0x600 of_platform_notify+0x1b0/0x254 blocking_notifier_call_chain+0x9c/0xd0 __of_changeset_entry_notify+0x1b8/0x230 __of_changeset_apply_notify+0x54/0xe4 of_overlay_fdt_apply+0xc04/0xd94 ... 
The buggy address belongs to the object at ffffff81beca5600 which belongs to the cache kmalloc-128 of size 128 The buggy address is located 8 bytes inside of 128-byte region [ffffff81beca5600, ffffff81beca5680) The buggy address belongs to the physical page: page:00000000230d3d03 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1beca4 head:00000000230d3d03 order:1 compound_mapcount:0 compound_pincount:0 flags: 0x8000000000010200(slab|head|zone=2) raw: 8000000000010200 0000000000000000 dead000000000122 ffffff810000c300 raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffffff81beca5500: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffffff81beca5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffffff81beca5600: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffffff81beca5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffffff81beca5700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc ================================================================== OF: -> got it ! Prevent the out-of-bounds read by copying the device address into a buffer of sufficient size.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46757", "url": "https://ubuntu.com/security/CVE-2024-46757", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (nct6775-core) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. 
Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46759", "url": "https://ubuntu.com/security/CVE-2024-46759", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (adc128d818) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46758", "url": "https://ubuntu.com/security/CVE-2024-46758", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (lm95234) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46756", "url": "https://ubuntu.com/security/CVE-2024-46756", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (w83627ehf) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. 
Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46738", "url": "https://ubuntu.com/security/CVE-2024-46738", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: VMCI: Fix use-after-free when removing resource in vmci_resource_remove() When removing a resource from vmci_resource_table in vmci_resource_remove(), the search is performed using the resource handle by comparing context and resource fields. It is possible though to create two resources with different types but same handle (same context and resource fields). When trying to remove one of the resources, vmci_resource_remove() may not remove the intended one, but the object will still be freed as in the case of the datagram type in vmci_datagram_destroy_handle(). vmci_resource_table will still hold a pointer to this freed resource leading to a use-after-free vulnerability. BUG: KASAN: use-after-free in vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline] BUG: KASAN: use-after-free in vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147 Read of size 4 at addr ffff88801c16d800 by task syz-executor197/1592 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x82/0xa9 lib/dump_stack.c:106 print_address_description.constprop.0+0x21/0x366 mm/kasan/report.c:239 __kasan_report.cold+0x7f/0x132 mm/kasan/report.c:425 kasan_report+0x38/0x51 mm/kasan/report.c:442 vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline] vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147 vmci_qp_broker_detach+0x89a/0x11b9 drivers/misc/vmw_vmci/vmci_queue_pair.c:2182 ctx_free_ctx+0x473/0xbe1 drivers/misc/vmw_vmci/vmci_context.c:444 kref_put include/linux/kref.h:65 [inline] vmci_ctx_put drivers/misc/vmw_vmci/vmci_context.c:497 [inline] vmci_ctx_destroy+0x170/0x1d6 drivers/misc/vmw_vmci/vmci_context.c:195 
vmci_host_close+0x125/0x1ac drivers/misc/vmw_vmci/vmci_host.c:143 __fput+0x261/0xa34 fs/file_table.c:282 task_work_run+0xf0/0x194 kernel/task_work.c:164 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop+0x184/0x189 kernel/entry/common.c:187 exit_to_user_mode_prepare+0x11b/0x123 kernel/entry/common.c:220 __syscall_exit_to_user_mode_work kernel/entry/common.c:302 [inline] syscall_exit_to_user_mode+0x18/0x42 kernel/entry/common.c:313 do_syscall_64+0x41/0x85 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x6e/0x0 This change ensures the type is also checked when removing the resource from vmci_resource_table in vmci_resource_remove().", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46722", "url": "https://ubuntu.com/security/CVE-2024-46722", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix mc_data out-of-bounds read warning Clear warning that read mc_data[i-1] may out-of-bounds.", "cve_priority": "medium", "cve_public_date": "2024-09-18 07:15:00 UTC" }, { "cve": "CVE-2024-42284", "url": "https://ubuntu.com/security/CVE-2024-42284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tipc: Return non-zero value from tipc_udp_addr2str() on error tipc_udp_addr2str() should return non-zero value if the UDP media address is invalid. Otherwise, a buffer overflow access can occur in tipc_media_addr_printf(). Fix this by returning 1 on an invalid UDP media address.", "cve_priority": "medium", "cve_public_date": "2024-08-17 09:15:00 UTC" }, { "cve": "CVE-2024-44987", "url": "https://ubuntu.com/security/CVE-2024-44987", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent UAF in ip6_send_skb() syzbot reported an UAF in ip6_send_skb() [1] After ip6_local_out() has returned, we no longer can safely dereference rt, unless we hold rcu_read_lock(). 
A similar issue has been fixed in commit a688caa34beb (\"ipv6: take rcu lock in rawv6_send_hdrinc()\") Another potential issue in ip6_finish_output2() is handled in a separate patch. [1] BUG: KASAN: slab-use-after-free in ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964 Read of size 8 at addr ffff88806dde4858 by task syz.1.380/6530 CPU: 1 UID: 0 PID: 6530 Comm: syz.1.380 Not tainted 6.11.0-rc3-syzkaller-00306-gdf6cbc62cc9b #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964 rawv6_push_pending_frames+0x75c/0x9e0 net/ipv6/raw.c:588 rawv6_sendmsg+0x19c7/0x23c0 net/ipv6/raw.c:926 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x1a6/0x270 net/socket.c:745 sock_write_iter+0x2dd/0x400 net/socket.c:1160 do_iter_readv_writev+0x60a/0x890 vfs_writev+0x37c/0xbb0 fs/read_write.c:971 do_writev+0x1b1/0x350 fs/read_write.c:1018 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f936bf79e79 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f936cd7f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 RAX: ffffffffffffffda RBX: 00007f936c115f80 RCX: 00007f936bf79e79 RDX: 0000000000000001 RSI: 0000000020000040 RDI: 0000000000000004 RBP: 00007f936bfe7916 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f936c115f80 R15: 00007fff2860a7a8 Allocated by task 6530: kasan_save_stack 
mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:312 [inline] __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slub.c:3988 [inline] slab_alloc_node mm/slub.c:4037 [inline] kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4044 dst_alloc+0x12b/0x190 net/core/dst.c:89 ip6_blackhole_route+0x59/0x340 net/ipv6/route.c:2670 make_blackhole net/xfrm/xfrm_policy.c:3120 [inline] xfrm_lookup_route+0xd1/0x1c0 net/xfrm/xfrm_policy.c:3313 ip6_dst_lookup_flow+0x13e/0x180 net/ipv6/ip6_output.c:1257 rawv6_sendmsg+0x1283/0x23c0 net/ipv6/raw.c:898 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x1a6/0x270 net/socket.c:745 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597 ___sys_sendmsg net/socket.c:2651 [inline] __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 45: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2252 [inline] slab_free mm/slub.c:4473 [inline] kmem_cache_free+0x145/0x350 mm/slub.c:4548 dst_destroy+0x2ac/0x460 net/core/dst.c:124 rcu_do_batch kernel/rcu/tree.c:2569 [inline] rcu_core+0xafd/0x1830 kernel/rcu/tree. 
---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-04 20:15:00 UTC" }, { "cve": "CVE-2024-42301", "url": "https://ubuntu.com/security/CVE-2024-42301", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: dev/parport: fix the array out-of-bounds risk Fixed array out-of-bounds issues caused by sprintf by replacing it with snprintf for safer data copying, ensuring the destination buffer is not overflowed. Below is the stack trace I encountered during the actual issue: [ 66.575408s] [pid:5118,cpu4,QThread,4]Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: do_hardware_base_addr+0xcc/0xd0 [parport] [ 66.575408s] [pid:5118,cpu4,QThread,5]CPU: 4 PID: 5118 Comm: QThread Tainted: G S W O 5.10.97-arm64-desktop #7100.57021.2 [ 66.575439s] [pid:5118,cpu4,QThread,6]TGID: 5087 Comm: EFileApp [ 66.575439s] [pid:5118,cpu4,QThread,7]Hardware name: HUAWEI HUAWEI QingYun PGUX-W515x-B081/SP1PANGUXM, BIOS 1.00.07 04/29/2024 [ 66.575439s] [pid:5118,cpu4,QThread,8]Call trace: [ 66.575469s] [pid:5118,cpu4,QThread,9] dump_backtrace+0x0/0x1c0 [ 66.575469s] [pid:5118,cpu4,QThread,0] show_stack+0x14/0x20 [ 66.575469s] [pid:5118,cpu4,QThread,1] dump_stack+0xd4/0x10c [ 66.575500s] [pid:5118,cpu4,QThread,2] panic+0x1d8/0x3bc [ 66.575500s] [pid:5118,cpu4,QThread,3] __stack_chk_fail+0x2c/0x38 [ 66.575500s] [pid:5118,cpu4,QThread,4] do_hardware_base_addr+0xcc/0xd0 [parport]", "cve_priority": "medium", "cve_public_date": "2024-08-17 09:15:00 UTC" }, { "cve": "CVE-2024-44998", "url": "https://ubuntu.com/security/CVE-2024-44998", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: idt77252: prevent use after free in dequeue_rx() We can't dereference \"skb\" after calling vcc->push() because the skb is released.", "cve_priority": "medium", "cve_public_date": "2024-09-04 20:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2090364, 2090369, 1786013, 2087886, 2086298, 2085849, 1786013, 
2086301, 1786013, 2086138, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2084513, 2084941, 2083022, 2078038, 2084526, 2084834, 2081079, 2084225, 2081786, 2084225, 2084005, 2082423, 2084005, 2064176, 2081863, 2081785, 2083182, 2083701, 2077861, 2083794, 2083656, 2083488, 2083022, 2083488, 2077287, 2083488, 2083196, 2083196 ], "changes": [ { "cves": [ { "cve": "CVE-2024-50264", "url": "https://ubuntu.com/security/CVE-2024-50264", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans During loopback communication, a dangling pointer can be created in vsk->trans, potentially leading to a Use-After-Free condition. This issue is resolved by initializing vsk->trans to NULL.", "cve_priority": "high", "cve_public_date": "2024-11-19 02:16:00 UTC" }, { "cve": "CVE-2024-53057", "url": "https://ubuntu.com/security/CVE-2024-53057", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed to be either root or ingress. 
This assumption is bogus since it's valid to create egress qdiscs with major handle ffff: Budimir Markovic found that for qdiscs like DRR that maintain an active class list, it will cause a UAF with a dangling class pointer. In 066a3b5b2346, the concern was to avoid iterating over the ingress qdisc since its parent is itself. The proper fix is to stop when parent TC_H_ROOT is reached because the only way to retrieve ingress is when a hierarchy which does not contain a ffff: major handle call into qdisc_lookup with TC_H_MAJ(TC_H_ROOT). In the scenario where major ffff: is an egress qdisc in any of the tree levels, the updates will also propagate to TC_H_ROOT, which then the iteration must stop. net/sched/sch_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)", "cve_priority": "medium", "cve_public_date": "2024-11-19 18:15:00 UTC" }, { "cve": "CVE-2024-49967", "url": "https://ubuntu.com/security/CVE-2024-49967", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ext4: no need to continue when the number of entries is 1", "cve_priority": "medium", "cve_public_date": "2024-10-21 18:15:00 UTC" } ], "log": [ "", " * noble/linux-riscv: 6.8.0-51.52.1 -proposed tracker (LP: #2090364)", "", " [ Ubuntu: 6.8.0-51.52 ]", "", " * noble/linux: 6.8.0-51.52 -proposed tracker (LP: #2090369)", " * Packaging resync (LP: #1786013)", " - [Packaging] resync git-ubuntu-log", " - [Packaging] update variants", " * MGLRU: kswapd uses 100% CPU when MGLRU is enabled and under memory pressure", " (LP: #2087886)", " - mm/mglru: only clear kswapd_failures if reclaimable", " * CVE-2024-50264", " - vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans", " * CVE-2024-53057", " - net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT", " * CVE-2024-49967", " - ext4: no need to continue when the number of entries is 1", "" ], "package": "linux-riscv", "version": "6.8.0-51.52.1", "urgency": "medium", "distributions": "noble", 
"launchpad_bugs_fixed": [ 2090364, 2090369, 1786013, 2087886 ], "author": "Emil Renner Berthing ", "date": "Mon, 09 Dec 2024 16:25:59 +0100" }, { "cves": [ { "cve": "CVE-2024-46823", "url": "https://ubuntu.com/security/CVE-2024-46823", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: kunit/overflow: Fix UB in overflow_allocation_test The 'device_name' array doesn't exist out of the 'overflow_allocation_test' function scope. However, it is being used as a driver name when calling 'kunit_driver_create' from 'kunit_device_register'. It produces the kernel panic with KASAN enabled. Since this variable is used in one place only, remove it and pass the device name into kunit_device_register directly as an ascii string.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46834", "url": "https://ubuntu.com/security/CVE-2024-46834", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ethtool: fail closed if we can't get max channel used in indirection tables Commit 0d1b7d6c9274 (\"bnxt: fix crashes when reducing ring count with active RSS contexts\") proves that allowing indirection table to contain channels with out of bounds IDs may lead to crashes. Currently the max channel check in the core gets skipped if driver can't fetch the indirection table or when we can't allocate memory. 
Both of those conditions should be extremely rare but if they do happen we should try to be safe and fail the channel change.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46751", "url": "https://ubuntu.com/security/CVE-2024-46751", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: don't BUG_ON() when 0 reference count at btrfs_lookup_extent_info() Instead of doing a BUG_ON() handle the error by returning -EUCLEAN, aborting the transaction and logging an error message.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46753", "url": "https://ubuntu.com/security/CVE-2024-46753", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: handle errors from btrfs_dec_ref() properly In walk_up_proc() we BUG_ON(ret) from btrfs_dec_ref(). This is incorrect, we have proper error handling here, return the error.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46841", "url": "https://ubuntu.com/security/CVE-2024-46841", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: don't BUG_ON on ENOMEM from btrfs_lookup_extent_info() in walk_down_proc() We handle errors here properly, ENOMEM isn't fatal, return the error.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46754", "url": "https://ubuntu.com/security/CVE-2024-46754", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Remove tst_run from lwt_seg6local_prog_ops. The syzbot reported that the lwt_seg6 related BPF ops can be invoked via bpf_test_run() without entering input_action_end_bpf() first. 
Martin KaFai Lau said that self test for BPF_PROG_TYPE_LWT_SEG6LOCAL probably didn't work since it was introduced in commit 04d4b274e2a (\"ipv6: sr: Add seg6local action End.BPF\"). The reason is that the per-CPU variable seg6_bpf_srh_states::srh is never assigned in the self test case but each BPF function expects it. Remove test_run for BPF_PROG_TYPE_LWT_SEG6LOCAL.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46824", "url": "https://ubuntu.com/security/CVE-2024-46824", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: iommufd: Require drivers to supply the cache_invalidate_user ops If drivers don't do this then iommufd will oops invalidation ioctls with something like: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info: ESR = 0x0000000086000004 EC = 0x21: IABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault user pgtable: 4k pages, 48-bit VAs, pgdp=0000000101059000 [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP Modules linked in: CPU: 2 PID: 371 Comm: qemu-system-aar Not tainted 6.8.0-rc7-gde77230ac23a #9 Hardware name: linux,dummy-virt (DT) pstate: 81400809 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=-c) pc : 0x0 lr : iommufd_hwpt_invalidate+0xa4/0x204 sp : ffff800080f3bcc0 x29: ffff800080f3bcf0 x28: ffff0000c369b300 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000 x23: 0000000000000000 x22: 00000000c1e334a0 x21: ffff0000c1e334a0 x20: ffff800080f3bd38 x19: ffff800080f3bd58 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff8240d6d8 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 x8 : 0000001000000002 x7 : 0000fffeac1ec950 x6 : 0000000000000000 x5 : 
ffff800080f3bd78 x4 : 0000000000000003 x3 : 0000000000000002 x2 : 0000000000000000 x1 : ffff800080f3bcc8 x0 : ffff0000c6034d80 Call trace: 0x0 iommufd_fops_ioctl+0x154/0x274 __arm64_sys_ioctl+0xac/0xf0 invoke_syscall+0x48/0x110 el0_svc_common.constprop.0+0x40/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xb4 el0t_64_sync_handler+0x120/0x12c el0t_64_sync+0x190/0x194 All existing drivers implement this op for nesting, this is mostly a bisection aid.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46842", "url": "https://ubuntu.com/security/CVE-2024-46842", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Handle mailbox timeouts in lpfc_get_sfp_info The MBX_TIMEOUT return code is not handled in lpfc_get_sfp_info and the routine unconditionally frees submitted mailbox commands regardless of return status. The issue is that for MBX_TIMEOUT cases, when firmware returns SFP information at a later time, that same mailbox memory region references previously freed memory in its cmpl routine. Fix by adding checks for the MBX_TIMEOUT return code. During mailbox resource cleanup, check the mbox flag to make sure that the wait did not timeout. If the MBOX_WAKE flag is not set, then do not free the resources because it will be freed when firmware completes the mailbox at a later time in its cmpl routine. Also, increase the timeout from 30 to 60 seconds to accommodate boot scripts requiring longer timeouts.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46766", "url": "https://ubuntu.com/security/CVE-2024-46766", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ice: move netif_queue_set_napi to rtnl-protected sections Currently, netif_queue_set_napi() is called from ice_vsi_rebuild() that is not rtnl-locked when called from the reset. 
This creates the need to take the rtnl_lock just for a single function and complicates the synchronization with .ndo_bpf. At the same time, there no actual need to fill napi-to-queue information at this exact point. Fill napi-to-queue information when opening the VSI and clear it when the VSI is being closed. Those routines are already rtnl-locked. Also, rewrite napi-to-queue assignment in a way that prevents inclusion of XDP queues, as this leads to out-of-bounds writes, such as one below. [ +0.000004] BUG: KASAN: slab-out-of-bounds in netif_queue_set_napi+0x1c2/0x1e0 [ +0.000012] Write of size 8 at addr ffff889881727c80 by task bash/7047 [ +0.000006] CPU: 24 PID: 7047 Comm: bash Not tainted 6.10.0-rc2+ #2 [ +0.000004] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0014.082620210524 08/26/2021 [ +0.000003] Call Trace: [ +0.000003] [ +0.000002] dump_stack_lvl+0x60/0x80 [ +0.000007] print_report+0xce/0x630 [ +0.000007] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ +0.000007] ? __virt_addr_valid+0x1c9/0x2c0 [ +0.000005] ? netif_queue_set_napi+0x1c2/0x1e0 [ +0.000003] kasan_report+0xe9/0x120 [ +0.000004] ? netif_queue_set_napi+0x1c2/0x1e0 [ +0.000004] netif_queue_set_napi+0x1c2/0x1e0 [ +0.000005] ice_vsi_close+0x161/0x670 [ice] [ +0.000114] ice_dis_vsi+0x22f/0x270 [ice] [ +0.000095] ice_pf_dis_all_vsi.constprop.0+0xae/0x1c0 [ice] [ +0.000086] ice_prepare_for_reset+0x299/0x750 [ice] [ +0.000087] pci_dev_save_and_disable+0x82/0xd0 [ +0.000006] pci_reset_function+0x12d/0x230 [ +0.000004] reset_store+0xa0/0x100 [ +0.000006] ? __pfx_reset_store+0x10/0x10 [ +0.000002] ? __pfx_mutex_lock+0x10/0x10 [ +0.000004] ? __check_object_size+0x4c1/0x640 [ +0.000007] kernfs_fop_write_iter+0x30b/0x4a0 [ +0.000006] vfs_write+0x5d6/0xdf0 [ +0.000005] ? fd_install+0x180/0x350 [ +0.000005] ? __pfx_vfs_write+0x10/0xA10 [ +0.000004] ? do_fcntl+0x52c/0xcd0 [ +0.000004] ? kasan_save_track+0x13/0x60 [ +0.000003] ? 
kasan_save_free_info+0x37/0x60 [ +0.000006] ksys_write+0xfa/0x1d0 [ +0.000003] ? __pfx_ksys_write+0x10/0x10 [ +0.000002] ? __x64_sys_fcntl+0x121/0x180 [ +0.000004] ? _raw_spin_lock+0x87/0xe0 [ +0.000005] do_syscall_64+0x80/0x170 [ +0.000007] ? _raw_spin_lock+0x87/0xe0 [ +0.000004] ? __pfx__raw_spin_lock+0x10/0x10 [ +0.000003] ? file_close_fd_locked+0x167/0x230 [ +0.000005] ? syscall_exit_to_user_mode+0x7d/0x220 [ +0.000005] ? do_syscall_64+0x8c/0x170 [ +0.000004] ? do_syscall_64+0x8c/0x170 [ +0.000003] ? do_syscall_64+0x8c/0x170 [ +0.000003] ? fput+0x1a/0x2c0 [ +0.000004] ? filp_close+0x19/0x30 [ +0.000004] ? do_dup2+0x25a/0x4c0 [ +0.000004] ? __x64_sys_dup2+0x6e/0x2e0 [ +0.000002] ? syscall_exit_to_user_mode+0x7d/0x220 [ +0.000004] ? do_syscall_64+0x8c/0x170 [ +0.000003] ? __count_memcg_events+0x113/0x380 [ +0.000005] ? handle_mm_fault+0x136/0x820 [ +0.000005] ? do_user_addr_fault+0x444/0xa80 [ +0.000004] ? clear_bhb_loop+0x25/0x80 [ +0.000004] ? clear_bhb_loop+0x25/0x80 [ +0.000002] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ +0.000005] RIP: 0033:0x7f2033593154", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46772", "url": "https://ubuntu.com/security/CVE-2024-46772", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check denominator crb_pipes before used [WHAT & HOW] A denominator cannot be 0, and is checked before used. 
This fixes 2 DIVIDE_BY_ZERO issues reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46774", "url": "https://ubuntu.com/security/CVE-2024-46774", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() Smatch warns: arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential spectre issue 'args.args' [r] (local cap) The 'nargs' and 'nret' locals come directly from a user-supplied buffer and are used as indexes into a small stack-based array and as inputs to copy_to_user() after they are subject to bounds checks. Use array_index_nospec() after the bounds checks to clamp these values for speculative execution.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46775", "url": "https://ubuntu.com/security/CVE-2024-46775", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Validate function returns [WHAT & HOW] Function return values must be checked before data can be used in subsequent functions. This fixes 4 CHECKED_RETURN issues reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46778", "url": "https://ubuntu.com/security/CVE-2024-46778", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check UnboundedRequestEnabled's value CalculateSwathAndDETConfiguration_params_st's UnboundedRequestEnabled is a pointer (i.e. dml_bool_t *UnboundedRequestEnabled), and thus if (p->UnboundedRequestEnabled) checks its address, not bool value. 
This fixes 1 REVERSE_INULL issue reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46779", "url": "https://ubuntu.com/security/CVE-2024-46779", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/imagination: Free pvr_vm_gpuva after unlink This caused a measurable memory leak. Although the individual allocations are small, the leaks occurs in a high-usage codepath (remapping or unmapping device memory) so they add up quickly.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46792", "url": "https://ubuntu.com/security/CVE-2024-46792", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: riscv: misaligned: Restrict user access to kernel memory raw_copy_{to,from}_user() do not call access_ok(), so this code allowed userspace to access any virtual memory address.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46793", "url": "https://ubuntu.com/security/CVE-2024-46793", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards harder Since commit 13f58267cda3 (\"ASoC: soc.h: don't create dummy Component via COMP_DUMMY()\") dummy codecs declared like this: SND_SOC_DAILINK_DEF(dummy, DAILINK_COMP_ARRAY(COMP_DUMMY())); expand to: static struct snd_soc_dai_link_component dummy[] = { }; Which means that dummy is a zero sized array and thus dais[i].codecs should not be dereferenced *at all* since it points to the address of the next variable stored in the data section as the \"dummy\" variable has an address but no size, so even dereferencing dais[0] is already an out of bounds array reference. 
Which means that the if (dais[i].codecs->name) check added in commit 7d99a70b6595 (\"ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards\") relies on that the part of the next variable which the name member maps to just happens to be NULL. Which apparently so far it usually is, except when it isn't and then it results in crashes like this one: [ 28.795659] BUG: unable to handle page fault for address: 0000000000030011 ... [ 28.795780] Call Trace: [ 28.795787] ... [ 28.795862] ? strcmp+0x18/0x40 [ 28.795872] 0xffffffffc150c605 [ 28.795887] platform_probe+0x40/0xa0 ... [ 28.795979] ? __pfx_init_module+0x10/0x10 [snd_soc_sst_bytcr_wm5102] Really fix things this time around by checking dais.num_codecs != 0.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46735", "url": "https://ubuntu.com/security/CVE-2024-46735", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ublk_drv: fix NULL pointer dereference in ublk_ctrl_start_recovery() When two UBLK_CMD_START_USER_RECOVERY commands are submitted, the first one sets 'ubq->ubq_daemon' to NULL, and the second one triggers WARN in ublk_queue_reinit() and subsequently a NULL pointer dereference issue. Fix it by adding the check in ublk_ctrl_start_recovery() and return immediately in case of zero 'ub->nr_queues_ready'. BUG: kernel NULL pointer dereference, address: 0000000000000028 RIP: 0010:ublk_ctrl_start_recovery.constprop.0+0x82/0x180 Call Trace: ? __die+0x20/0x70 ? page_fault_oops+0x75/0x170 ? exc_page_fault+0x64/0x140 ? asm_exc_page_fault+0x22/0x30 ? ublk_ctrl_start_recovery.constprop.0+0x82/0x180 ublk_ctrl_uring_cmd+0x4f7/0x6c0 ? pick_next_task_idle+0x26/0x40 io_uring_cmd+0x9a/0x1b0 io_issue_sqe+0x193/0x3f0 io_wq_submit_work+0x9b/0x390 io_worker_handle_work+0x165/0x360 io_wq_worker+0xcb/0x2f0 ? finish_task_switch.isra.0+0x203/0x290 ? finish_task_switch.isra.0+0x203/0x290 ? __pfx_io_wq_worker+0x10/0x10 ret_from_fork+0x2d/0x50 ? 
__pfx_io_wq_worker+0x10/0x10 ret_from_fork_asm+0x1a/0x30 ", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46737", "url": "https://ubuntu.com/security/CVE-2024-46737", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix kernel crash if commands allocation fails If the commands allocation fails in nvmet_tcp_alloc_cmds() the kernel crashes in nvmet_tcp_release_queue_work() because of a NULL pointer dereference. nvmet: failed to install queue 0 cntlid 1 ret 6 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 Fix the bug by setting queue->nr_cmds to zero in case nvmet_tcp_alloc_cmd() fails.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46822", "url": "https://ubuntu.com/security/CVE-2024-46822", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry In a review discussion of the changes to support vCPU hotplug where a check was added on the GICC being enabled if was online, it was noted that there is need to map back to the cpu and use that to index into a cpumask. As such, a valid ID is needed. If an MPIDR check fails in acpi_map_gic_cpu_interface() it is possible for the entry in cpu_madt_gicc[cpu] == NULL. This function would then cause a NULL pointer dereference. Whilst a path to trigger this has not been established, harden this caller against the possibility.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46713", "url": "https://ubuntu.com/security/CVE-2024-46713", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: perf/aux: Fix AUX buffer serialization Ole reported that event->mmap_mutex is strictly insufficient to serialize the AUX buffer, add a per RB mutex to fully serialize it. 
Note that in the lock order comment the perf_event::mmap_mutex order was already wrong, that is, it nesting under mmap_lock is not new with this patch.", "cve_priority": "medium", "cve_public_date": "2024-09-13 15:15:00 UTC" }, { "cve": "CVE-2024-46739", "url": "https://ubuntu.com/security/CVE-2024-46739", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind For primary VM Bus channels, primary_channel pointer is always NULL. This pointer is valid only for the secondary channels. Also, rescind callback is meant for primary channels only. Fix NULL pointer dereference by retrieving the device_obj from the parent for the primary channel.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46740", "url": "https://ubuntu.com/security/CVE-2024-46740", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF caused by offsets overwrite Binder objects are processed and copied individually into the target buffer during transactions. Any raw data in-between these objects is copied as well. However, this raw data copy lacks an out-of-bounds check. If the raw data exceeds the data section size then the copy overwrites the offsets section. This eventually triggers an error that attempts to unwind the processed objects. However, at this point the offsets used to index these objects are now corrupted. Unwinding with corrupted offsets can result in decrements of arbitrary nodes and lead to their premature release. Other users of such nodes are left with a dangling pointer triggering a use-after-free. 
This issue is made evident by the following KASAN report (trimmed): ================================================================== BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c Write of size 4 at addr ffff47fc91598f04 by task binder-util/743 CPU: 9 UID: 0 PID: 743 Comm: binder-util Not tainted 6.11.0-rc4 #1 Hardware name: linux,dummy-virt (DT) Call trace: _raw_spin_lock+0xe4/0x19c binder_free_buf+0x128/0x434 binder_thread_write+0x8a4/0x3260 binder_ioctl+0x18f0/0x258c [...] Allocated by task 743: __kmalloc_cache_noprof+0x110/0x270 binder_new_node+0x50/0x700 binder_transaction+0x413c/0x6da8 binder_thread_write+0x978/0x3260 binder_ioctl+0x18f0/0x258c [...] Freed by task 745: kfree+0xbc/0x208 binder_thread_read+0x1c5c/0x37d4 binder_ioctl+0x16d8/0x258c [...] ================================================================== To avoid this issue, let's check that the raw data copy is within the boundaries of the data section.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46741", "url": "https://ubuntu.com/security/CVE-2024-46741", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix double free of 'buf' in error path smatch warning: drivers/misc/fastrpc.c:1926 fastrpc_req_mmap() error: double free of 'buf' In fastrpc_req_mmap() error path, the fastrpc buffer is freed in fastrpc_req_munmap_impl() if unmap is successful. But in the end, there is an unconditional call to fastrpc_buf_free(). So the above case triggers the double free of fastrpc buf.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-47663", "url": "https://ubuntu.com/security/CVE-2024-47663", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: staging: iio: frequency: ad9834: Validate frequency parameter value In ad9834_write_frequency() clk_get_rate() can return 0. 
In such case ad9834_calc_freqreg() call will lead to division by zero. Checking 'if (fout > (clk_freq / 2))' doesn't protect in case of 'fout' is 0. ad9834_write_frequency() is called from ad9834_write(), where fout is taken from text buffer, which can contain any value. Modify parameters checking. Found by Linux Verification Center (linuxtesting.org) with SVACE.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46832", "url": "https://ubuntu.com/security/CVE-2024-46832", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: MIPS: cevt-r4k: Don't call get_c0_compare_int if timer irq is installed This avoids warning: [ 0.118053] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:283 Caused by get_c0_compare_int on secondary CPU. We also skipped saving IRQ number to struct clock_event_device *cd as it's never used by clockevent core, as per comments it's only meant for \"non CPU local devices\".", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-47668", "url": "https://ubuntu.com/security/CVE-2024-47668", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc() If we need to increase the tree depth, allocate a new node, and then race with another thread that increased the tree depth before us, we'll still have a preallocated node that might be used later. 
If we then use that node for a new non-root node, it'll still have a pointer to the old root instead of being zeroed - fix this by zeroing it in the cmpxchg failure path.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46744", "url": "https://ubuntu.com/security/CVE-2024-46744", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Squashfs: sanity check symbolic link size Syzkiller reports a \"KMSAN: uninit-value in pick_link\" bug. This is caused by an uninitialised page, which is ultimately caused by a corrupted symbolic link size read from disk. The reason why the corrupted symlink size causes an uninitialised page is due to the following sequence of events: 1. squashfs_read_inode() is called to read the symbolic link from disk. This assigns the corrupted value 3875536935 to inode->i_size. 2. Later squashfs_symlink_read_folio() is called, which assigns this corrupted value to the length variable, which being a signed int, overflows producing a negative number. 3. The following loop that fills in the page contents checks that the copied bytes is less than length, which being negative means the loop is skipped, producing an uninitialised page. This patch adds a sanity check which checks that the symbolic link size is not larger than expected. -- V2: fix spelling mistake.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46745", "url": "https://ubuntu.com/security/CVE-2024-46745", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Input: uinput - reject requests with unreasonable number of slots When exercising uinput interface syzkaller may try setting up device with a really large number of slots, which causes memory allocation failure in input_mt_init_slots(). While this allocation failure is handled properly and request is rejected, it results in syzkaller reports. 
Additionally, such request may put undue burden on the system which will try to free a lot of memory for a bogus request. Fix it by limiting allowed number of slots to 100. This can easily be extended if we see devices that can track more than 100 contacts.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46746", "url": "https://ubuntu.com/security/CVE-2024-46746", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: HID: amd_sfh: free driver_data after destroying hid device HID driver callbacks aren't called anymore once hid_destroy_device() has been called. Hence, hid driver_data should be freed only after the hid_destroy_device() function returned as driver_data is used in several callbacks. I observed a crash with kernel 6.10.0 on my T14s Gen 3, after enabling KASAN to debug memory allocation, I got this output: [ 13.050438] ================================================================== [ 13.054060] BUG: KASAN: slab-use-after-free in amd_sfh_get_report+0x3ec/0x530 [amd_sfh] [ 13.054809] psmouse serio1: trackpoint: Synaptics TrackPoint firmware: 0x02, buttons: 3/3 [ 13.056432] Read of size 8 at addr ffff88813152f408 by task (udev-worker)/479 [ 13.060970] CPU: 5 PID: 479 Comm: (udev-worker) Not tainted 6.10.0-arch1-2 #1 893bb55d7f0073f25c46adbb49eb3785fefd74b0 [ 13.063978] Hardware name: LENOVO 21CQCTO1WW/21CQCTO1WW, BIOS R22ET70W (1.40 ) 03/21/2024 [ 13.067860] Call Trace: [ 13.069383] input: TPPS/2 Synaptics TrackPoint as /devices/platform/i8042/serio1/input/input8 [ 13.071486] [ 13.071492] dump_stack_lvl+0x5d/0x80 [ 13.074870] snd_hda_intel 0000:33:00.6: enabling device (0000 -> 0002) [ 13.078296] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.082199] print_report+0x174/0x505 [ 13.085776] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 13.089367] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.093255] ? 
amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.097464] kasan_report+0xc8/0x150 [ 13.101461] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.105802] amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.110303] amdtp_hid_request+0xb8/0x110 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.114879] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.119450] sensor_hub_get_feature+0x1d3/0x540 [hid_sensor_hub 3f13be3016ff415bea03008d45d99da837ee3082] [ 13.124097] hid_sensor_parse_common_attributes+0x4d0/0xad0 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5] [ 13.127404] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.131925] ? __pfx_hid_sensor_parse_common_attributes+0x10/0x10 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5] [ 13.136455] ? _raw_spin_lock_irqsave+0x96/0xf0 [ 13.140197] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 13.143602] ? devm_iio_device_alloc+0x34/0x50 [industrialio 3d261d5e5765625d2b052be40e526d62b1d2123b] [ 13.147234] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.150446] ? __devm_add_action+0x167/0x1d0 [ 13.155061] hid_gyro_3d_probe+0x120/0x7f0 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172] [ 13.158581] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.161814] platform_probe+0xa2/0x150 [ 13.165029] really_probe+0x1e3/0x8a0 [ 13.168243] __driver_probe_device+0x18c/0x370 [ 13.171500] driver_probe_device+0x4a/0x120 [ 13.175000] __driver_attach+0x190/0x4a0 [ 13.178521] ? __pfx___driver_attach+0x10/0x10 [ 13.181771] bus_for_each_dev+0x106/0x180 [ 13.185033] ? __pfx__raw_spin_lock+0x10/0x10 [ 13.188229] ? __pfx_bus_for_each_dev+0x10/0x10 [ 13.191446] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.194382] bus_add_driver+0x29e/0x4d0 [ 13.197328] driver_register+0x1a5/0x360 [ 13.200283] ? 
__pfx_hid_gyro_3d_platform_driver_init+0x10/0x10 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172] [ 13.203362] do_one_initcall+0xa7/0x380 [ 13.206432] ? __pfx_do_one_initcall+0x10/0x10 [ 13.210175] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.213211] ? kasan_unpoison+0x44/0x70 [ 13.216688] do_init_module+0x238/0x750 [ 13.2196 ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-47664", "url": "https://ubuntu.com/security/CVE-2024-47664", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: spi: hisi-kunpeng: Add verification for the max_frequency provided by the firmware If the value of max_speed_hz is 0, it may cause a division by zero error in hisi_calc_effective_speed(). The value of max_speed_hz is provided by firmware. Firmware is generally considered as a trusted domain. However, as division by zero errors can cause system failure, for defense measure, the value of max_speed is validated here. So 0 is regarded as invalid and an error code is returned.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-47665", "url": "https://ubuntu.com/security/CVE-2024-47665", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Error out instead on BUG_ON() in IBI DMA setup Definitely condition dma_get_cache_alignment * defined value > 256 during driver initialization is not reason to BUG_ON(). 
Turn that to graceful error out with -EINVAL.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46749", "url": "https://ubuntu.com/security/CVE-2024-46749", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btnxpuart: Fix Null pointer dereference in btnxpuart_flush() This adds a check before freeing the rx->skb in flush and close functions to handle the kernel crash seen while removing driver after FW download fails or before FW download completes. dmesg log: [ 54.634586] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000080 [ 54.643398] Mem abort info: [ 54.646204] ESR = 0x0000000096000004 [ 54.649964] EC = 0x25: DABT (current EL), IL = 32 bits [ 54.655286] SET = 0, FnV = 0 [ 54.658348] EA = 0, S1PTW = 0 [ 54.661498] FSC = 0x04: level 0 translation fault [ 54.666391] Data abort info: [ 54.669273] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 54.674768] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 54.674771] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 54.674775] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000048860000 [ 54.674780] [0000000000000080] pgd=0000000000000000, p4d=0000000000000000 [ 54.703880] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 54.710152] Modules linked in: btnxpuart(-) overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce polyval_generic snd_soc_imx_spdif snd_soc_imx_card snd_soc_ak5558 snd_soc_ak4458 caam secvio error snd_soc_fsl_micfil snd_soc_fsl_spdif snd_soc_fsl_sai snd_soc_fsl_utils imx_pcm_dma gpio_ir_recv rc_core sch_fq_codel fuse [ 54.744357] CPU: 3 PID: 72 Comm: kworker/u9:0 Not tainted 6.6.3-otbr-g128004619037 #2 [ 54.744364] Hardware name: FSL i.MX8MM EVK board (DT) [ 54.744368] Workqueue: hci0 hci_power_on [ 54.757244] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 54.757249] pc : kfree_skb_reason+0x18/0xb0 
[ 54.772299] lr : btnxpuart_flush+0x40/0x58 [btnxpuart] [ 54.782921] sp : ffff8000805ebca0 [ 54.782923] x29: ffff8000805ebca0 x28: ffffa5c6cf1869c0 x27: ffffa5c6cf186000 [ 54.782931] x26: ffff377b84852400 x25: ffff377b848523c0 x24: ffff377b845e7230 [ 54.782938] x23: ffffa5c6ce8dbe08 x22: ffffa5c6ceb65410 x21: 00000000ffffff92 [ 54.782945] x20: ffffa5c6ce8dbe98 x19: ffffffffffffffac x18: ffffffffffffffff [ 54.807651] x17: 0000000000000000 x16: ffffa5c6ce2824ec x15: ffff8001005eb857 [ 54.821917] x14: 0000000000000000 x13: ffffa5c6cf1a02e0 x12: 0000000000000642 [ 54.821924] x11: 0000000000000040 x10: ffffa5c6cf19d690 x9 : ffffa5c6cf19d688 [ 54.821931] x8 : ffff377b86000028 x7 : 0000000000000000 x6 : 0000000000000000 [ 54.821938] x5 : ffff377b86000000 x4 : 0000000000000000 x3 : 0000000000000000 [ 54.843331] x2 : 0000000000000000 x1 : 0000000000000002 x0 : ffffffffffffffac [ 54.857599] Call trace: [ 54.857601] kfree_skb_reason+0x18/0xb0 [ 54.863878] btnxpuart_flush+0x40/0x58 [btnxpuart] [ 54.863888] hci_dev_open_sync+0x3a8/0xa04 [ 54.872773] hci_power_on+0x54/0x2e4 [ 54.881832] process_one_work+0x138/0x260 [ 54.881842] worker_thread+0x32c/0x438 [ 54.881847] kthread+0x118/0x11c [ 54.881853] ret_from_fork+0x10/0x20 [ 54.896406] Code: a9be7bfd 910003fd f9000bf3 aa0003f3 (b940d400) [ 54.896410] ---[ end trace 0000000000000000 ]---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46750", "url": "https://ubuntu.com/security/CVE-2024-46750", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: PCI: Add missing bridge lock to pci_bus_lock() One of the true positives that the cfg_access_lock lockdep effort identified is this sequence: WARNING: CPU: 14 PID: 1 at drivers/pci/pci.c:4886 pci_bridge_secondary_bus_reset+0x5d/0x70 RIP: 0010:pci_bridge_secondary_bus_reset+0x5d/0x70 Call Trace: ? __warn+0x8c/0x190 ? pci_bridge_secondary_bus_reset+0x5d/0x70 ? report_bug+0x1f8/0x200 ? handle_bug+0x3c/0x70 ? 
exc_invalid_op+0x18/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? pci_bridge_secondary_bus_reset+0x5d/0x70 pci_reset_bus+0x1d8/0x270 vmd_probe+0x778/0xa10 pci_device_probe+0x95/0x120 Where pci_reset_bus() users are triggering unlocked secondary bus resets. Ironically pci_bus_reset(), several calls down from pci_reset_bus(), uses pci_bus_lock() before issuing the reset which locks everything *but* the bridge itself. For the same motivation as adding: bridge = pci_upstream_bridge(dev); if (bridge) pci_dev_lock(bridge); to pci_reset_function() for the \"bus\" and \"cxl_bus\" reset cases, add pci_dev_lock() for @bus->self to pci_bus_lock(). [bhelgaas: squash in recursive locking deadlock fix from Keith Busch: https://lore.kernel.org/r/20240711193650.701834-1-kbusch@meta.com]", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46752", "url": "https://ubuntu.com/security/CVE-2024-46752", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: replace BUG_ON() with error handling at update_ref_for_cow() Instead of a BUG_ON() just return an error, log an error message and abort the transaction in case we find an extent buffer belonging to the relocation tree that doesn't have the full backref flag set. This is unexpected and should never happen (save for bugs or a potential bad memory).", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46840", "url": "https://ubuntu.com/security/CVE-2024-46840", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: clean up our handling of refs == 0 in snapshot delete In reada we BUG_ON(refs == 0), which could be unkind since we aren't holding a lock on the extent leaf and thus could get a transient incorrect answer. In walk_down_proc we also BUG_ON(refs == 0), which could happen if we have extent tree corruption. Change that to return -EUCLEAN. 
In do_walk_down() we catch this case and handle it correctly, however we return -EIO, which -EUCLEAN is a more appropriate error code. Finally in walk_up_proc we have the same BUG_ON(refs == 0), so convert that to proper error handling. Also adjust the error message so we can actually do something with the information.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46755", "url": "https://ubuntu.com/security/CVE-2024-46755", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id() mwifiex_get_priv_by_id() returns the priv pointer corresponding to the bss_num and bss_type, but without checking if the priv is actually currently in use. Unused priv pointers do not have a wiphy attached to them which can lead to NULL pointer dereferences further down the callstack. Fix this by returning only used priv pointers which have priv->bss_mode set to something else than NL80211_IFTYPE_UNSPECIFIED. 
Said NULL pointer dereference happened when an Accesspoint was started with wpa_supplicant -i mlan0 with this config: network={ ssid=\"somessid\" mode=2 frequency=2412 key_mgmt=WPA-PSK WPA-PSK-SHA256 proto=RSN group=CCMP pairwise=CCMP psk=\"12345678\" } When waiting for the AP to be established, interrupting wpa_supplicant with and starting it again this happens: | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000140 | Mem abort info: | ESR = 0x0000000096000004 | EC = 0x25: DABT (current EL), IL = 32 bits | SET = 0, FnV = 0 | EA = 0, S1PTW = 0 | FSC = 0x04: level 0 translation fault | Data abort info: | ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 | CM = 0, WnR = 0, TnD = 0, TagAccess = 0 | GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000046d96000 | [0000000000000140] pgd=0000000000000000, p4d=0000000000000000 | Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP | Modules linked in: caam_jr caamhash_desc spidev caamalg_desc crypto_engine authenc libdes mwifiex_sdio +mwifiex crct10dif_ce cdc_acm onboard_usb_hub fsl_imx8_ddr_perf imx8m_ddrc rtc_ds1307 lm75 rtc_snvs +imx_sdma caam imx8mm_thermal spi_imx error imx_cpufreq_dt fuse ip_tables x_tables ipv6 | CPU: 0 PID: 8 Comm: kworker/0:1 Not tainted 6.9.0-00007-g937242013fce-dirty #18 | Hardware name: somemachine (DT) | Workqueue: events sdio_irq_work | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) | pc : mwifiex_get_cfp+0xd8/0x15c [mwifiex] | lr : mwifiex_get_cfp+0x34/0x15c [mwifiex] | sp : ffff8000818b3a70 | x29: ffff8000818b3a70 x28: ffff000006bfd8a5 x27: 0000000000000004 | x26: 000000000000002c x25: 0000000000001511 x24: 0000000002e86bc9 | x23: ffff000006bfd996 x22: 0000000000000004 x21: ffff000007bec000 | x20: 000000000000002c x19: 0000000000000000 x18: 0000000000000000 | x17: 000000040044ffff x16: 00500072b5503510 x15: ccc283740681e517 | x14: 0201000101006d15 x13: 0000000002e8ff43 x12: 002c01000000ffb1 | x11: 
0100000000000000 x10: 02e8ff43002c0100 x9 : 0000ffb100100157 | x8 : ffff000003d20000 x7 : 00000000000002f1 x6 : 00000000ffffe124 | x5 : 0000000000000001 x4 : 0000000000000003 x3 : 0000000000000000 | x2 : 0000000000000000 x1 : 0001000000011001 x0 : 0000000000000000 | Call trace: | mwifiex_get_cfp+0xd8/0x15c [mwifiex] | mwifiex_parse_single_response_buf+0x1d0/0x504 [mwifiex] | mwifiex_handle_event_ext_scan_report+0x19c/0x2f8 [mwifiex] | mwifiex_process_sta_event+0x298/0xf0c [mwifiex] | mwifiex_process_event+0x110/0x238 [mwifiex] | mwifiex_main_process+0x428/0xa44 [mwifiex] | mwifiex_sdio_interrupt+0x64/0x12c [mwifiex_sdio] | process_sdio_pending_irqs+0x64/0x1b8 | sdio_irq_work+0x4c/0x7c | process_one_work+0x148/0x2a0 | worker_thread+0x2fc/0x40c | kthread+0x110/0x114 | ret_from_fork+0x10/0x20 | Code: a94153f3 a8c37bfd d50323bf d65f03c0 (f940a000) | ---[ end trace 0000000000000000 ]---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-47666", "url": "https://ubuntu.com/security/CVE-2024-47666", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: pm80xx: Set phy->enable_completion only when we wait for it pm8001_phy_control() populates the enable_completion pointer with a stack address, sends a PHY_LINK_RESET / PHY_HARD_RESET, waits 300 ms, and returns. The problem arises when a phy control response comes late. After 300 ms the pm8001_phy_control() function returns and the passed enable_completion stack address is no longer valid. 
Late phy control response invokes complete() on a dangling enable_completion pointer which leads to a kernel crash.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46843", "url": "https://ubuntu.com/security/CVE-2024-46843", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Remove SCSI host only if added If host tries to remove ufshcd driver from a UFS device it would cause a kernel panic if ufshcd_async_scan fails during ufshcd_probe_hba before adding a SCSI host with scsi_add_host and MCQ is enabled since SCSI host has been defered after MCQ configuration introduced by commit 0cab4023ec7b (\"scsi: ufs: core: Defer adding host to SCSI if MCQ is supported\"). To guarantee that SCSI host is removed only if it has been added, set the scsi_host_added flag to true after adding a SCSI host and check whether it is set or not before removing it.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46760", "url": "https://ubuntu.com/security/CVE-2024-46760", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: usb: schedule rx work after everything is set up Right now it's possible to hit NULL pointer dereference in rtw_rx_fill_rx_status on hw object and/or its fields because initialization routine can start getting USB replies before rtw_dev is fully setup. The stack trace looks like this: rtw_rx_fill_rx_status rtw8821c_query_rx_desc rtw_usb_rx_handler ... queue_work rtw_usb_read_port_complete ... usb_submit_urb rtw_usb_rx_resubmit rtw_usb_init_rx rtw_usb_probe So while we do the async stuff rtw_usb_probe continues and calls rtw_register_hw, which does all kinds of initialization (e.g. via ieee80211_register_hw) that rtw_rx_fill_rx_status relies on. Fix this by moving the first usb_submit_urb after everything is set up. 
For me, this bug manifested as: [ 8.893177] rtw_8821cu 1-1:1.2: band wrong, packet dropped [ 8.910904] rtw_8821cu 1-1:1.2: hw->conf.chandef.chan NULL in rtw_rx_fill_rx_status because I'm using Larry's backport of rtw88 driver with the NULL checks in rtw_rx_fill_rx_status.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46761", "url": "https://ubuntu.com/security/CVE-2024-46761", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv The hotplug driver for powerpc (pci/hotplug/pnv_php.c) causes a kernel crash when we try to hot-unplug/disable the PCIe switch/bridge from the PHB. The crash occurs because although the MSI data structure has been released during disable/hot-unplug path and it has been assigned with NULL, still during unregistration the code was again trying to explicitly disable the MSI which causes the NULL pointer dereference and kernel crash. 
The patch fixes the check during unregistration path to prevent invoking pci_disable_msi/msix() since its data structure is already freed.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46844", "url": "https://ubuntu.com/security/CVE-2024-46844", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: um: line: always fill *error_out in setup_one_line() The pointer isn't initialized by callers, but I have encountered cases where it's still printed; initialize it in all possible cases in setup_one_line().", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46762", "url": "https://ubuntu.com/security/CVE-2024-46762", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xen: privcmd: Fix possible access to a freed kirqfd instance Nothing prevents simultaneous ioctl calls to privcmd_irqfd_assign() and privcmd_irqfd_deassign(). If that happens, it is possible that a kirqfd created and added to the irqfds_list by privcmd_irqfd_assign() may get removed by another thread executing privcmd_irqfd_deassign(), while the former is still using it after dropping the locks. This can lead to a situation where an already freed kirqfd instance may be accessed and cause kernel oops. Use SRCU locking to prevent the same, as is done for the KVM implementation for irqfds.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46763", "url": "https://ubuntu.com/security/CVE-2024-46763", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fou: Fix null-ptr-deref in GRO. We observed a null-ptr-deref in fou_gro_receive() while shutting down a host. [0] The NULL pointer is sk->sk_user_data, and the offset 8 is of protocol in struct fou. 
When fou_release() is called due to netns dismantle or explicit tunnel teardown, udp_tunnel_sock_release() sets NULL to sk->sk_user_data. Then, the tunnel socket is destroyed after a single RCU grace period. So, in-flight udp4_gro_receive() could find the socket and execute the FOU GRO handler, where sk->sk_user_data could be NULL. Let's use rcu_dereference_sk_user_data() in fou_from_sock() and add NULL checks in FOU GRO handlers. [0]: BUG: kernel NULL pointer dereference, address: 0000000000000008 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 80000001032f4067 P4D 80000001032f4067 PUD 103240067 PMD 0 SMP PTI CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.216-204.855.amzn2.x86_64 #1 Hardware name: Amazon EC2 c5.large/, BIOS 1.0 10/16/2017 RIP: 0010:fou_gro_receive (net/ipv4/fou.c:233) [fou] Code: 41 5f c3 cc cc cc cc e8 e7 2e 69 f4 0f 1f 80 00 00 00 00 0f 1f 44 00 00 49 89 f8 41 54 48 89 f7 48 89 d6 49 8b 80 88 02 00 00 <0f> b6 48 08 0f b7 42 4a 66 25 fd fd 80 cc 02 66 89 42 4a 0f b6 42 RSP: 0018:ffffa330c0003d08 EFLAGS: 00010297 RAX: 0000000000000000 RBX: ffff93d9e3a6b900 RCX: 0000000000000010 RDX: ffff93d9e3a6b900 RSI: ffff93d9e3a6b900 RDI: ffff93dac2e24d08 RBP: ffff93d9e3a6b900 R08: ffff93dacbce6400 R09: 0000000000000002 R10: 0000000000000000 R11: ffffffffb5f369b0 R12: ffff93dacbce6400 R13: ffff93dac2e24d08 R14: 0000000000000000 R15: ffffffffb4edd1c0 FS: 0000000000000000(0000) GS:ffff93daee800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 0000000102140001 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259) ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420) ? no_context (arch/x86/mm/fault.c:752) ? 
exc_page_fault (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 arch/x86/mm/fault.c:1435 arch/x86/mm/fault.c:1483) ? asm_exc_page_fault (arch/x86/include/asm/idtentry.h:571) ? fou_gro_receive (net/ipv4/fou.c:233) [fou] udp_gro_receive (include/linux/netdevice.h:2552 net/ipv4/udp_offload.c:559) udp4_gro_receive (net/ipv4/udp_offload.c:604) inet_gro_receive (net/ipv4/af_inet.c:1549 (discriminator 7)) dev_gro_receive (net/core/dev.c:6035 (discriminator 4)) napi_gro_receive (net/core/dev.c:6170) ena_clean_rx_irq (drivers/amazon/net/ena/ena_netdev.c:1558) [ena] ena_io_poll (drivers/amazon/net/ena/ena_netdev.c:1742) [ena] napi_poll (net/core/dev.c:6847) net_rx_action (net/core/dev.c:6917) __do_softirq (arch/x86/include/asm/jump_label.h:25 include/linux/jump_label.h:200 include/trace/events/irq.h:142 kernel/softirq.c:299) asm_call_irq_on_stack (arch/x86/entry/entry_64.S:809) do_softirq_own_stack (arch/x86/include/asm/irq_stack.h:27 arch/x86/include/asm/irq_stack.h:77 arch/x86/kernel/irq_64.c:77) irq_exit_rcu (kernel/softirq.c:393 kernel/softirq.c:423 kernel/softirq.c:435) common_interrupt (arch/x86/kernel/irq.c:239) asm_common_interrupt (arch/x86/include/asm/idtentry.h:626) RIP: 0010:acpi_idle_do_entry (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 drivers/acpi/processor_idle.c:114 drivers/acpi/processor_idle.c:575) Code: 8b 15 d1 3c c4 02 ed c3 cc cc cc cc 65 48 8b 04 25 40 ef 01 00 48 8b 00 a8 08 75 eb 0f 1f 44 00 00 0f 00 2d d5 09 55 00 fb f4 c3 cc cc cc cc e9 be fc ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 RSP: 0018:ffffffffb5603e58 EFLAGS: 00000246 RAX: 0000000000004000 RBX: ffff93dac0929c00 RCX: ffff93daee833900 RDX: ffff93daee800000 RSI: ffff93d ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46765", "url": "https://ubuntu.com/security/CVE-2024-46765", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ice: protect XDP 
configuration with a mutex The main threat to data consistency in ice_xdp() is a possible asynchronous PF reset. It can be triggered by a user or by TX timeout handler. XDP setup and PF reset code access the same resources in the following sections: * ice_vsi_close() in ice_prepare_for_reset() - already rtnl-locked * ice_vsi_rebuild() for the PF VSI - not protected * ice_vsi_open() - already rtnl-locked With an unfortunate timing, such accesses can result in a crash such as the one below: [ +1.999878] ice 0000:b1:00.0: Registered XDP mem model MEM_TYPE_XSK_BUFF_POOL on Rx ring 14 [ +2.002992] ice 0000:b1:00.0: Registered XDP mem model MEM_TYPE_XSK_BUFF_POOL on Rx ring 18 [Mar15 18:17] ice 0000:b1:00.0 ens801f0np0: NETDEV WATCHDOG: CPU: 38: transmit queue 14 timed out 80692736 ms [ +0.000093] ice 0000:b1:00.0 ens801f0np0: tx_timeout: VSI_num: 6, Q 14, NTC: 0x0, HW_HEAD: 0x0, NTU: 0x0, INT: 0x4000001 [ +0.000012] ice 0000:b1:00.0 ens801f0np0: tx_timeout recovery level 1, txqueue 14 [ +0.394718] ice 0000:b1:00.0: PTP reset successful [ +0.006184] BUG: kernel NULL pointer dereference, address: 0000000000000098 [ +0.000045] #PF: supervisor read access in kernel mode [ +0.000023] #PF: error_code(0x0000) - not-present page [ +0.000023] PGD 0 P4D 0 [ +0.000018] Oops: 0000 [#1] PREEMPT SMP NOPTI [ +0.000023] CPU: 38 PID: 7540 Comm: kworker/38:1 Not tainted 6.8.0-rc7 #1 [ +0.000031] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0014.082620210524 08/26/2021 [ +0.000036] Workqueue: ice ice_service_task [ice] [ +0.000183] RIP: 0010:ice_clean_tx_ring+0xa/0xd0 [ice] [...] [ +0.000013] Call Trace: [ +0.000016] [ +0.000014] ? __die+0x1f/0x70 [ +0.000029] ? page_fault_oops+0x171/0x4f0 [ +0.000029] ? schedule+0x3b/0xd0 [ +0.000027] ? exc_page_fault+0x7b/0x180 [ +0.000022] ? asm_exc_page_fault+0x22/0x30 [ +0.000031] ? 
ice_clean_tx_ring+0xa/0xd0 [ice] [ +0.000194] ice_free_tx_ring+0xe/0x60 [ice] [ +0.000186] ice_destroy_xdp_rings+0x157/0x310 [ice] [ +0.000151] ice_vsi_decfg+0x53/0xe0 [ice] [ +0.000180] ice_vsi_rebuild+0x239/0x540 [ice] [ +0.000186] ice_vsi_rebuild_by_type+0x76/0x180 [ice] [ +0.000145] ice_rebuild+0x18c/0x840 [ice] [ +0.000145] ? delay_tsc+0x4a/0xc0 [ +0.000022] ? delay_tsc+0x92/0xc0 [ +0.000020] ice_do_reset+0x140/0x180 [ice] [ +0.000886] ice_service_task+0x404/0x1030 [ice] [ +0.000824] process_one_work+0x171/0x340 [ +0.000685] worker_thread+0x277/0x3a0 [ +0.000675] ? preempt_count_add+0x6a/0xa0 [ +0.000677] ? _raw_spin_lock_irqsave+0x23/0x50 [ +0.000679] ? __pfx_worker_thread+0x10/0x10 [ +0.000653] kthread+0xf0/0x120 [ +0.000635] ? __pfx_kthread+0x10/0x10 [ +0.000616] ret_from_fork+0x2d/0x50 [ +0.000612] ? __pfx_kthread+0x10/0x10 [ +0.000604] ret_from_fork_asm+0x1b/0x30 [ +0.000604] The previous way of handling this through returning -EBUSY is not viable, particularly when destroying AF_XDP socket, because the kernel proceeds with removal anyway. There is plenty of code between those calls and there is no need to create a large critical section that covers all of them, same as there is no need to protect ice_vsi_rebuild() with rtnl_lock(). Add xdp_state_lock mutex to protect ice_vsi_rebuild() and ice_xdp(). Leaving unprotected sections in between would result in two states that have to be considered: 1. when the VSI is closed, but not yet rebuild 2. when VSI is already rebuild, but not yet open The latter case is actually already handled through !netif_running() case, we just need to adjust flag checking a little. The former one is not as trivial, because between ice_vsi_close() and ice_vsi_rebuild(), a lot of hardware interaction happens, this can make adding/deleting rings exit with an error. Luckily, VSI rebuild is pending and can apply new configuration for us in a managed fashion. 
Therefore, add an additional VSI state flag ICE_VSI_REBUILD_PENDING to indicate that ice_x ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46767", "url": "https://ubuntu.com/security/CVE-2024-46767", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: phy: Fix missing of_node_put() for leds The call of of_get_child_by_name() will cause refcount incremented for leds, if it succeeds, it should call of_node_put() to decrease it, fix it.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46768", "url": "https://ubuntu.com/security/CVE-2024-46768", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (hp-wmi-sensors) Check if WMI event data exists The BIOS can choose to return no event data in response to a WMI event, so the ACPI object passed to the WMI notify handler can be NULL. Check for such a situation and ignore the event in such a case.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46770", "url": "https://ubuntu.com/security/CVE-2024-46770", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ice: Add netif_device_attach/detach into PF reset flow Ethtool callbacks can be executed while reset is in progress and try to access deleted resources, e.g. getting coalesce settings can result in a NULL pointer dereference seen below. 
Reproduction steps: Once the driver is fully initialized, trigger reset: \t# echo 1 > /sys/class/net//device/reset when reset is in progress try to get coalesce settings using ethtool: \t# ethtool -c BUG: kernel NULL pointer dereference, address: 0000000000000020 PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP PTI CPU: 11 PID: 19713 Comm: ethtool Tainted: G S 6.10.0-rc7+ #7 RIP: 0010:ice_get_q_coalesce+0x2e/0xa0 [ice] RSP: 0018:ffffbab1e9bcf6a8 EFLAGS: 00010206 RAX: 000000000000000c RBX: ffff94512305b028 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff9451c3f2e588 RDI: ffff9451c3f2e588 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: ffff9451c3f2e580 R11: 000000000000001f R12: ffff945121fa9000 R13: ffffbab1e9bcf760 R14: 0000000000000013 R15: ffffffff9e65dd40 FS: 00007faee5fbe740(0000) GS:ffff94546fd80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000020 CR3: 0000000106c2e005 CR4: 00000000001706f0 Call Trace: ice_get_coalesce+0x17/0x30 [ice] coalesce_prepare_data+0x61/0x80 ethnl_default_doit+0xde/0x340 genl_family_rcv_msg_doit+0xf2/0x150 genl_rcv_msg+0x1b3/0x2c0 netlink_rcv_skb+0x5b/0x110 genl_rcv+0x28/0x40 netlink_unicast+0x19c/0x290 netlink_sendmsg+0x222/0x490 __sys_sendto+0x1df/0x1f0 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x82/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7faee60d8e27 Calling netif_device_detach() before reset makes the net core not call the driver when ethtool command is issued, the attempt to execute an ethtool command during reset will result in the following message: netlink error: No such device instead of NULL pointer dereference. 
Once reset is done and ice_rebuild() is executing, the netif_device_attach() is called to allow for ethtool operations to occur again in a safe manner.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46771", "url": "https://ubuntu.com/security/CVE-2024-46771", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: can: bcm: Remove proc entry when dev is unregistered. syzkaller reported a warning in bcm_connect() below. [0] The repro calls connect() to vxcan1, removes vxcan1, and calls connect() with ifindex == 0. Calling connect() for a BCM socket allocates a proc entry. Then, bcm_sk(sk)->bound is set to 1 to prevent further connect(). However, removing the bound device resets bcm_sk(sk)->bound to 0 in bcm_notify(). The 2nd connect() tries to allocate a proc entry with the same name and sets NULL to bcm_sk(sk)->bcm_proc_read, leaking the original proc entry. Since the proc entry is available only for connect()ed sockets, let's clean up the entry when the bound netdev is unregistered. 
[0]: proc_dir_entry 'can-bcm/2456' already registered WARNING: CPU: 1 PID: 394 at fs/proc/generic.c:376 proc_register+0x645/0x8f0 fs/proc/generic.c:375 Modules linked in: CPU: 1 PID: 394 Comm: syz-executor403 Not tainted 6.10.0-rc7-g852e42cc2dd4 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:proc_register+0x645/0x8f0 fs/proc/generic.c:375 Code: 00 00 00 00 00 48 85 ed 0f 85 97 02 00 00 4d 85 f6 0f 85 9f 02 00 00 48 c7 c7 9b cb cf 87 48 89 de 4c 89 fa e8 1c 6f eb fe 90 <0f> 0b 90 90 48 c7 c7 98 37 99 89 e8 cb 7e 22 05 bb 00 00 00 10 48 RSP: 0018:ffa0000000cd7c30 EFLAGS: 00010246 RAX: 9e129be1950f0200 RBX: ff1100011b51582c RCX: ff1100011857cd80 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002 RBP: 0000000000000000 R08: ffd400000000000f R09: ff1100013e78cac0 R10: ffac800000cd7980 R11: ff1100013e12b1f0 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: ff1100011a99a2ec FS: 00007fbd7086f740(0000) GS:ff1100013fd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000200071c0 CR3: 0000000118556004 CR4: 0000000000771ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: proc_create_net_single+0x144/0x210 fs/proc/proc_net.c:220 bcm_connect+0x472/0x840 net/can/bcm.c:1673 __sys_connect_file net/socket.c:2049 [inline] __sys_connect+0x5d2/0x690 net/socket.c:2066 __do_sys_connect net/socket.c:2076 [inline] __se_sys_connect net/socket.c:2073 [inline] __x64_sys_connect+0x8f/0x100 net/socket.c:2073 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd9/0x1c0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7fbd708b0e5d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 
48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48 RSP: 002b:00007fff8cd33f08 EFLAGS: 00000246 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fbd708b0e5d RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000040 R09: 0000000000000040 R10: 0000000000000040 R11: 0000000000000246 R12: 00007fff8cd34098 R13: 0000000000401280 R14: 0000000000406de8 R15: 00007fbd70ab9000 remove_proc_entry: removing non-empty directory 'net/can-bcm', leaking at least '2456'", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46773", "url": "https://ubuntu.com/security/CVE-2024-46773", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check denominator pbn_div before used [WHAT & HOW] A denominator cannot be 0, and is checked before used. This fixes 1 DIVIDE_BY_ZERO issue reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-47667", "url": "https://ubuntu.com/security/CVE-2024-47667", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0) Errata #i2037 in AM65x/DRA80xM Processors Silicon Revision 1.0 (SPRZ452D_July 2018_Revised December 2019 [1]) mentions when an inbound PCIe TLP spans more than two internal AXI 128-byte bursts, the bus may corrupt the packet payload and the corrupt data may cause associated applications or the processor to hang. The workaround for Errata #i2037 is to limit the maximum read request size and maximum payload size to 128 bytes. Add workaround for Errata #i2037 here. The errata and workaround is applicable only to AM65x SR 1.0 and later versions of the silicon will have this fixed. 
[1] -> https://www.ti.com/lit/er/sprz452i/sprz452i.pdf", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46835", "url": "https://ubuntu.com/security/CVE-2024-46835", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix smatch static checker warning adev->gfx.imu.funcs could be NULL", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46776", "url": "https://ubuntu.com/security/CVE-2024-46776", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Run DC_LOG_DC after checking link->link_enc [WHAT] The DC_LOG_DC should be run after link->link_enc is checked, not before. This fixes 1 REVERSE_INULL issue reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46836", "url": "https://ubuntu.com/security/CVE-2024-46836", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: usb: gadget: aspeed_udc: validate endpoint index for ast udc We should verify the bound of the array to assure that host may not manipulate the index to point past endpoint array. Found by static analysis.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46777", "url": "https://ubuntu.com/security/CVE-2024-46777", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: udf: Avoid excessive partition lengths Avoid mounting filesystems where the partition would overflow the 32-bits used for block number. 
Also refuse to mount filesystems where the partition length is so large we cannot safely index bits in a block bitmap.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46825", "url": "https://ubuntu.com/security/CVE-2024-46825", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: use IWL_FW_CHECK for link ID check The lookup function iwl_mvm_rcu_fw_link_id_to_link_conf() is normally called with input from the firmware, so it should use IWL_FW_CHECK() instead of WARN_ON().", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46826", "url": "https://ubuntu.com/security/CVE-2024-46826", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ELF: fix kernel.randomize_va_space double read ELF loader uses \"randomize_va_space\" twice. It is sysctl and can change at any moment, so 2 loads could see 2 different values in theory with unpredictable consequences. Issue exactly one load for consistent value across one exec.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46827", "url": "https://ubuntu.com/security/CVE-2024-46827", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix firmware crash due to invalid peer nss Currently, if the access point receives an association request containing an Extended HE Capabilities Information Element with an invalid MCS-NSS, it triggers a firmware crash. This issue arises when EHT-PHY capabilities shows support for a bandwidth and MCS-NSS set for that particular bandwidth is filled by zeros and due to this, driver obtains peer_nss as 0 and sending this value to firmware causes crash. Address this issue by implementing a validation step for the peer_nss value before passing it to the firmware. 
If the value is greater than zero, proceed with forwarding it to the firmware. However, if the value is invalid, reject the association request to prevent potential firmware crashes. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-47669", "url": "https://ubuntu.com/security/CVE-2024-47669", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix state management in error path of log writing function After commit a694291a6211 (\"nilfs2: separate wait function from nilfs_segctor_write\") was applied, the log writing function nilfs_segctor_do_construct() was able to issue I/O requests continuously even if user data blocks were split into multiple logs across segments, but two potential flaws were introduced in its error handling. First, if nilfs_segctor_begin_construction() fails while creating the second or subsequent logs, the log writing function returns without calling nilfs_segctor_abort_construction(), so the writeback flag set on pages/folios will remain uncleared. This causes page cache operations to hang waiting for the writeback flag. For example, truncate_inode_pages_final(), which is called via nilfs_evict_inode() when an inode is evicted from memory, will hang. Second, the NILFS_I_COLLECTED flag set on normal inodes remain uncleared. As a result, if the next log write involves checkpoint creation, that's fine, but if a partial log write is performed that does not, inodes with NILFS_I_COLLECTED set are erroneously removed from the \"sc_dirty_files\" list, and their data and b-tree blocks may not be written to the device, corrupting the block mapping. 
Fix these issues by uniformly calling nilfs_segctor_abort_construction() on failure of each step in the loop in nilfs_segctor_do_construct(), having it clean up logs and segment usages according to progress, and correcting the conditions for calling nilfs_redirty_inodes() to ensure that the NILFS_I_COLLECTED flag is cleared.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46780", "url": "https://ubuntu.com/security/CVE-2024-46780", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nilfs2: protect references to superblock parameters exposed in sysfs The superblock buffers of nilfs2 can not only be overwritten at runtime for modifications/repairs, but they are also regularly swapped, replaced during resizing, and even abandoned when degrading to one side due to backing device issues. So, accessing them requires mutual exclusion using the reader/writer semaphore \"nilfs->ns_sem\". Some sysfs attribute show methods read this superblock buffer without the necessary mutual exclusion, which can cause problems with pointer dereferencing and memory access, so fix it.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46781", "url": "https://ubuntu.com/security/CVE-2024-46781", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix missing cleanup on rollforward recovery error In an error injection test of a routine for mount-time recovery, KASAN found a use-after-free bug. It turned out that if data recovery was performed using partial logs created by dsync writes, but an error occurred before starting the log writer to create a recovered checkpoint, the inodes whose data had been recovered were left in the ns_dirty_files list of the nilfs object and were not freed. 
Fix this issue by cleaning up inodes that have read the recovery data if the recovery routine fails midway before the log writer starts.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46828", "url": "https://ubuntu.com/security/CVE-2024-46828", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sched: sch_cake: fix bulk flow accounting logic for host fairness In sch_cake, we keep track of the count of active bulk flows per host, when running in dst/src host fairness mode, which is used as the round-robin weight when iterating through flows. The count of active bulk flows is updated whenever a flow changes state. This has a peculiar interaction with the hash collision handling: when a hash collision occurs (after the set-associative hashing), the state of the hash bucket is simply updated to match the new packet that collided, and if host fairness is enabled, that also means assigning new per-host state to the flow. For this reason, the bulk flow counters of the host(s) assigned to the flow are decremented, before new state is assigned (and the counters, which may not belong to the same host anymore, are incremented again). Back when this code was introduced, the host fairness mode was always enabled, so the decrement was unconditional. When the configuration flags were introduced the *increment* was made conditional, but the *decrement* was not. Which of course can lead to a spurious decrement (and associated wrap-around to U16_MAX). AFAICT, when host fairness is disabled, the decrement and wrap-around happens as soon as a hash collision occurs (which is not that common in itself, due to the set-associative hashing). However, in most cases this is harmless, as the value is only used when host fairness mode is enabled. 
So in order to trigger an array overflow, sch_cake has to first be configured with host fairness disabled, and while running in this mode, a hash collision has to occur to cause the overflow. Then, the qdisc has to be reconfigured to enable host fairness, which leads to the array out-of-bounds because the wrapped-around value is retained and used as an array index. It seems that syzbot managed to trigger this, which is quite impressive in its own right. This patch fixes the issue by introducing the same conditional check on decrement as is used on increment. The original bug predates the upstreaming of cake, but the commit listed in the Fixes tag touched that code, meaning that this patch won't apply before that.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46782", "url": "https://ubuntu.com/security/CVE-2024-46782", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ila: call nf_unregister_net_hooks() sooner syzbot found an use-after-free Read in ila_nf_input [1] Issue here is that ila_xlat_exit_net() frees the rhashtable, then call nf_unregister_net_hooks(). It should be done in the reverse way, with a synchronize_rcu(). This is a good match for a pre_exit() method. 
[1] BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline] BUG: KASAN: use-after-free in __rhashtable_lookup include/linux/rhashtable.h:604 [inline] BUG: KASAN: use-after-free in rhashtable_lookup include/linux/rhashtable.h:646 [inline] BUG: KASAN: use-after-free in rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 Read of size 4 at addr ffff888064620008 by task ksoftirqd/0/16 CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.11.0-rc4-syzkaller-00238-g2ad6d23f465a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 rht_key_hashfn include/linux/rhashtable.h:159 [inline] __rhashtable_lookup include/linux/rhashtable.h:604 [inline] rhashtable_lookup include/linux/rhashtable.h:646 [inline] rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline] ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline] ila_nf_input+0x1fe/0x3c0 net/ipv6/ila/ila_xlat.c:190 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312 __netif_receive_skb_one_core net/core/dev.c:5661 [inline] __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5775 process_backlog+0x662/0x15b0 net/core/dev.c:6108 __napi_poll+0xcb/0x490 net/core/dev.c:6772 napi_poll net/core/dev.c:6841 [inline] net_rx_action+0x89b/0x1240 net/core/dev.c:6963 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554 run_ksoftirqd+0xca/0x130 kernel/softirq.c:928 smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 
arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64620 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: 0xbfffffff(buddy) raw: 00fff00000000000 ffffea0000959608 ffffea00019d9408 0000000000000000 raw: 0000000000000000 0000000000000003 00000000bfffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 5242, tgid 5242 (syz-executor), ts 73611328570, free_ts 618981657187 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493 prep_new_page mm/page_alloc.c:1501 [inline] get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3439 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4695 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline] alloc_pages_node_noprof include/linux/gfp.h:296 [inline] ___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4103 __kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4130 __do_kmalloc_node mm/slub.c:4146 [inline] __kmalloc_node_noprof+0x2d2/0x440 mm/slub.c:4164 __kvmalloc_node_noprof+0x72/0x190 mm/util.c:650 bucket_table_alloc lib/rhashtable.c:186 [inline] rhashtable_init_noprof+0x534/0xa60 lib/rhashtable.c:1071 ila_xlat_init_net+0xa0/0x110 net/ipv6/ila/ila_xlat.c:613 ops_ini ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46783", "url": "https://ubuntu.com/security/CVE-2024-46783", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp_bpf: fix return value of tcp_bpf_sendmsg() When we cork messages in psock->cork, the last message triggers the flushing will result in sending a sk_msg larger than the current message size. 
In this case, in tcp_bpf_send_verdict(), 'copied' becomes negative at least in the following case: 468 case __SK_DROP: 469 default: 470 sk_msg_free_partial(sk, msg, tosend); 471 sk_msg_apply_bytes(psock, tosend); 472 *copied -= (tosend + delta); // <==== HERE 473 return -EACCES; Therefore, it could lead to the following BUG with a proper value of 'copied' (thanks to syzbot). We should not use negative 'copied' as a return value here. ------------[ cut here ]------------ kernel BUG at net/socket.c:733! Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP Modules linked in: CPU: 0 UID: 0 PID: 3265 Comm: syz-executor510 Not tainted 6.11.0-rc3-syzkaller-00060-gd07b43284ab3 #0 Hardware name: linux,dummy-virt (DT) pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) pc : sock_sendmsg_nosec net/socket.c:733 [inline] pc : sock_sendmsg_nosec net/socket.c:728 [inline] pc : __sock_sendmsg+0x5c/0x60 net/socket.c:745 lr : sock_sendmsg_nosec net/socket.c:730 [inline] lr : __sock_sendmsg+0x54/0x60 net/socket.c:745 sp : ffff800088ea3b30 x29: ffff800088ea3b30 x28: fbf00000062bc900 x27: 0000000000000000 x26: ffff800088ea3bc0 x25: ffff800088ea3bc0 x24: 0000000000000000 x23: f9f00000048dc000 x22: 0000000000000000 x21: ffff800088ea3d90 x20: f9f00000048dc000 x19: ffff800088ea3d90 x18: 0000000000000001 x17: 0000000000000000 x16: 0000000000000000 x15: 000000002002ffaf x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: ffff8000815849c0 x9 : ffff8000815b49c0 x8 : 0000000000000000 x7 : 000000000000003f x6 : 0000000000000000 x5 : 00000000000007e0 x4 : fff07ffffd239000 x3 : fbf00000062bc900 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 00000000fffffdef Call trace: sock_sendmsg_nosec net/socket.c:733 [inline] __sock_sendmsg+0x5c/0x60 net/socket.c:745 ____sys_sendmsg+0x274/0x2ac net/socket.c:2597 ___sys_sendmsg+0xac/0x100 net/socket.c:2651 __sys_sendmsg+0x84/0xe0 net/socket.c:2680 __do_sys_sendmsg net/socket.c:2689 [inline] 
__se_sys_sendmsg net/socket.c:2687 [inline] __arm64_sys_sendmsg+0x24/0x30 net/socket.c:2687 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x48/0x110 arch/arm64/kernel/syscall.c:49 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151 el0_svc+0x34/0xec arch/arm64/kernel/entry-common.c:712 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598 Code: f9404463 d63f0060 3108441f 54fffe81 (d4210000) ---[ end trace 0000000000000000 ]---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46784", "url": "https://ubuntu.com/security/CVE-2024-46784", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup Currently napi_disable() gets called during rxq and txq cleanup, even before napi is enabled and hrtimer is initialized. It causes kernel panic. ? page_fault_oops+0x136/0x2b0 ? page_counter_cancel+0x2e/0x80 ? do_user_addr_fault+0x2f2/0x640 ? refill_obj_stock+0xc4/0x110 ? exc_page_fault+0x71/0x160 ? asm_exc_page_fault+0x27/0x30 ? __mmdrop+0x10/0x180 ? __mmdrop+0xec/0x180 ? hrtimer_active+0xd/0x50 hrtimer_try_to_cancel+0x2c/0xf0 hrtimer_cancel+0x15/0x30 napi_disable+0x65/0x90 mana_destroy_rxq+0x4c/0x2f0 mana_create_rxq.isra.0+0x56c/0x6d0 ? mana_uncfg_vport+0x50/0x50 mana_alloc_queues+0x21b/0x320 ? 
skb_dequeue+0x5f/0x80", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46785", "url": "https://ubuntu.com/security/CVE-2024-46785", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: eventfs: Use list_del_rcu() for SRCU protected list variable Chi Zhiling reported: We found a null pointer accessing in tracefs[1], the reason is that the variable 'ei_child' is set to LIST_POISON1, that means the list was removed in eventfs_remove_rec. so when access the ei_child->is_freed, the panic triggered. by the way, the following script can reproduce this panic loop1 (){ while true do echo \"p:kp submit_bio\" > /sys/kernel/debug/tracing/kprobe_events echo \"\" > /sys/kernel/debug/tracing/kprobe_events done } loop2 (){ while true do tree /sys/kernel/debug/tracing/events/kprobes/ done } loop1 & loop2 [1]: [ 1147.959632][T17331] Unable to handle kernel paging request at virtual address dead000000000150 [ 1147.968239][T17331] Mem abort info: [ 1147.971739][T17331] ESR = 0x0000000096000004 [ 1147.976172][T17331] EC = 0x25: DABT (current EL), IL = 32 bits [ 1147.982171][T17331] SET = 0, FnV = 0 [ 1147.985906][T17331] EA = 0, S1PTW = 0 [ 1147.989734][T17331] FSC = 0x04: level 0 translation fault [ 1147.995292][T17331] Data abort info: [ 1147.998858][T17331] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 1148.005023][T17331] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 1148.010759][T17331] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 1148.016752][T17331] [dead000000000150] address between user and kernel address ranges [ 1148.024571][T17331] Internal error: Oops: 0000000096000004 [#1] SMP [ 1148.030825][T17331] Modules linked in: team_mode_loadbalance team nlmon act_gact cls_flower sch_ingress bonding tls macvlan dummy ib_core bridge stp llc veth amdgpu amdxcp mfd_core gpu_sched drm_exec drm_buddy radeon crct10dif_ce video drm_suballoc_helper ghash_ce drm_ttm_helper sha2_ce ttm sha256_arm64 i2c_algo_bit 
sha1_ce sbsa_gwdt cp210x drm_display_helper cec sr_mod cdrom drm_kms_helper binfmt_misc sg loop fuse drm dm_mod nfnetlink ip_tables autofs4 [last unloaded: tls] [ 1148.072808][T17331] CPU: 3 PID: 17331 Comm: ls Tainted: G W ------- ---- 6.6.43 #2 [ 1148.081751][T17331] Source Version: 21b3b386e948bedd29369af66f3e98ab01b1c650 [ 1148.088783][T17331] Hardware name: Greatwall GW-001M1A-FTF/GW-001M1A-FTF, BIOS KunLun BIOS V4.0 07/16/2020 [ 1148.098419][T17331] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 1148.106060][T17331] pc : eventfs_iterate+0x2c0/0x398 [ 1148.111017][T17331] lr : eventfs_iterate+0x2fc/0x398 [ 1148.115969][T17331] sp : ffff80008d56bbd0 [ 1148.119964][T17331] x29: ffff80008d56bbf0 x28: ffff001ff5be2600 x27: 0000000000000000 [ 1148.127781][T17331] x26: ffff001ff52ca4e0 x25: 0000000000009977 x24: dead000000000100 [ 1148.135598][T17331] x23: 0000000000000000 x22: 000000000000000b x21: ffff800082645f10 [ 1148.143415][T17331] x20: ffff001fddf87c70 x19: ffff80008d56bc90 x18: 0000000000000000 [ 1148.151231][T17331] x17: 0000000000000000 x16: 0000000000000000 x15: ffff001ff52ca4e0 [ 1148.159048][T17331] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 1148.166864][T17331] x11: 0000000000000000 x10: 0000000000000000 x9 : ffff8000804391d0 [ 1148.174680][T17331] x8 : 0000000180000000 x7 : 0000000000000018 x6 : 0000aaab04b92862 [ 1148.182498][T17331] x5 : 0000aaab04b92862 x4 : 0000000080000000 x3 : 0000000000000068 [ 1148.190314][T17331] x2 : 000000000000000f x1 : 0000000000007ea8 x0 : 0000000000000001 [ 1148.198131][T17331] Call trace: [ 1148.201259][T17331] eventfs_iterate+0x2c0/0x398 [ 1148.205864][T17331] iterate_dir+0x98/0x188 [ 1148.210036][T17331] __arm64_sys_getdents64+0x78/0x160 [ 1148.215161][T17331] invoke_syscall+0x78/0x108 [ 1148.219593][T17331] el0_svc_common.constprop.0+0x48/0xf0 [ 1148.224977][T17331] do_el0_svc+0x24/0x38 [ 1148.228974][T17331] el0_svc+0x40/0x168 [ 1148.232798][T17 ---truncated---", 
"cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46786", "url": "https://ubuntu.com/security/CVE-2024-46786", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF The fscache_cookie_lru_timer is initialized when the fscache module is inserted, but is not deleted when the fscache module is removed. If timer_reduce() is called before removing the fscache module, the fscache_cookie_lru_timer will be added to the timer list of the current cpu. Afterwards, a use-after-free will be triggered in the softIRQ after removing the fscache module, as follows: ================================================================== BUG: unable to handle page fault for address: fffffbfff803c9e9 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 21ffea067 P4D 21ffea067 PUD 21ffe6067 PMD 110a7c067 PTE 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G W 6.11.0-rc3 #855 Tainted: [W]=WARN RIP: 0010:__run_timer_base.part.0+0x254/0x8a0 Call Trace: tmigr_handle_remote_up+0x627/0x810 __walk_groups.isra.0+0x47/0x140 tmigr_handle_remote+0x1fa/0x2f0 handle_softirqs+0x180/0x590 irq_exit_rcu+0x84/0xb0 sysvec_apic_timer_interrupt+0x6e/0x90 asm_sysvec_apic_timer_interrupt+0x1a/0x20 RIP: 0010:default_idle+0xf/0x20 default_idle_call+0x38/0x60 do_idle+0x2b5/0x300 cpu_startup_entry+0x54/0x60 start_secondary+0x20d/0x280 common_startup_64+0x13e/0x148 Modules linked in: [last unloaded: netfs] ================================================================== Therefore delete fscache_cookie_lru_timer when removing the fscahe module.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46787", "url": "https://ubuntu.com/security/CVE-2024-46787", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: 
userfaultfd: fix checks for huge PMDs Patch series \"userfaultfd: fix races around pmd_trans_huge() check\", v2. The pmd_trans_huge() code in mfill_atomic() is wrong in three different ways depending on kernel version: 1. The pmd_trans_huge() check is racy and can lead to a BUG_ON() (if you hit the right two race windows) - I've tested this in a kernel build with some extra mdelay() calls. See the commit message for a description of the race scenario. On older kernels (before 6.5), I think the same bug can even theoretically lead to accessing transhuge page contents as a page table if you hit the right 5 narrow race windows (I haven't tested this case). 2. As pointed out by Qi Zheng, pmd_trans_huge() is not sufficient for detecting PMDs that don't point to page tables. On older kernels (before 6.5), you'd just have to win a single fairly wide race to hit this. I've tested this on 6.1 stable by racing migration (with a mdelay() patched into try_to_migrate()) against UFFDIO_ZEROPAGE - on my x86 VM, that causes a kernel oops in ptlock_ptr(). 3. On newer kernels (>=6.5), for shmem mappings, khugepaged is allowed to yank page tables out from under us (though I haven't tested that), so I think the BUG_ON() checks in mfill_atomic() are just wrong. I decided to write two separate fixes for these (one fix for bugs 1+2, one fix for bug 3), so that the first fix can be backported to kernels affected by bugs 1+2. This patch (of 2): This fixes two issues. I discovered that the following race can occur: mfill_atomic other thread ============ ============ pmdp_get_lockless() [reads none pmd] __pte_alloc [no-op] BUG_ON(pmd_none(*dst_pmd)) I have experimentally verified this in a kernel with extra mdelay() calls; the BUG_ON(pmd_none(*dst_pmd)) triggers. 
On kernels newer than commit 0d940a9b270b (\"mm/pgtable: allow pte_offset_map[_lock]() to fail\"), this can't lead to anything worse than a BUG_ON(), since the page table access helpers are actually designed to deal with page tables concurrently disappearing; but on older kernels (<=6.4), I think we could probably theoretically race past the two BUG_ON() checks and end up treating a hugepage as a page table. The second issue is that, as Qi Zheng pointed out, there are other types of huge PMDs that pmd_trans_huge() can't catch: devmap PMDs and swap PMDs (in particular, migration PMDs). On <=6.4, this is worse than the first issue: If mfill_atomic() runs on a PMD that contains a migration entry (which just requires winning a single, fairly wide race), it will pass the PMD to pte_offset_map_lock(), which assumes that the PMD points to a page table. Breakage follows: First, the kernel tries to take the PTE lock (which will crash or maybe worse if there is no \"struct page\" for the address bits in the migration entry PMD - I think at least on X86 there usually is no corresponding \"struct page\" thanks to the PTE inversion mitigation, amd64 looks different). If that didn't crash, the kernel would next try to write a PTE into what it wrongly thinks is a page table. As part of fixing these issues, get rid of the check for pmd_trans_huge() before __pte_alloc() - that's redundant, we're going to have to check for that after the __pte_alloc() anyway. 
Backport note: pmdp_get_lockless() is pmd_read_atomic() in older kernels.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46838", "url": "https://ubuntu.com/security/CVE-2024-46838", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: userfaultfd: don't BUG_ON() if khugepaged yanks our page table Since khugepaged was changed to allow retracting page tables in file mappings without holding the mmap lock, these BUG_ON()s are wrong - get rid of them. We could also remove the preceding \"if (unlikely(...))\" block, but then we could reach pte_offset_map_lock() with transhuge pages not just for file mappings but also for anonymous mappings - which would probably be fine but I think is not necessarily expected.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46845", "url": "https://ubuntu.com/security/CVE-2024-46845", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tracing/timerlat: Only clear timer if a kthread exists The timerlat tracer can use user space threads to check for osnoise and timer latency. If the program using this is killed via a SIGTERM, the threads are shutdown one at a time and another tracing instance can start up resetting the threads before they are fully closed. That causes the hrtimer assigned to the kthread to be shutdown and freed twice when the dying thread finally closes the file descriptors, causing a use-after-free bug. Only cancel the hrtimer if the associated thread is still around. Also add the interface_lock around the resetting of the tlat_var->kthread. Note, this is just a quick fix that can be backported to stable. 
A real fix is to have a better synchronization between the shutdown of old threads and the starting of new ones.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46788", "url": "https://ubuntu.com/security/CVE-2024-46788", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tracing/osnoise: Use a cpumask to know what threads are kthreads The start_kthread() and stop_thread() code was not always called with the interface_lock held. This means that the kthread variable could be unexpectedly changed causing the kthread_stop() to be called on it when it should not have been, leading to: while true; do rtla timerlat top -u -q & PID=$!; sleep 5; kill -INT $PID; sleep 0.001; kill -TERM $PID; wait $PID; done Causing the following OOPS: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] CPU: 5 UID: 0 PID: 885 Comm: timerlatu/5 Not tainted 6.11.0-rc4-test-00002-gbc754cc76d1b-dirty #125 a533010b71dab205ad2f507188ce8c82203b0254 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:hrtimer_active+0x58/0x300 Code: 48 c1 ee 03 41 54 48 01 d1 48 01 d6 55 53 48 83 ec 20 80 39 00 0f 85 30 02 00 00 49 8b 6f 30 4c 8d 75 10 4c 89 f0 48 c1 e8 03 <0f> b6 3c 10 4c 89 f0 83 e0 07 83 c0 03 40 38 f8 7c 09 40 84 ff 0f RSP: 0018:ffff88811d97f940 EFLAGS: 00010202 RAX: 0000000000000002 RBX: ffff88823c6b5b28 RCX: ffffed10478d6b6b RDX: dffffc0000000000 RSI: ffffed10478d6b6c RDI: ffff88823c6b5b28 RBP: 0000000000000000 R08: ffff88823c6b5b58 R09: ffff88823c6b5b60 R10: ffff88811d97f957 R11: 0000000000000010 R12: 00000000000a801d R13: ffff88810d8b35d8 R14: 0000000000000010 R15: ffff88823c6b5b28 FS: 0000000000000000(0000) GS:ffff88823c680000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000561858ad7258 
CR3: 000000007729e001 CR4: 0000000000170ef0 Call Trace: ? die_addr+0x40/0xa0 ? exc_general_protection+0x154/0x230 ? asm_exc_general_protection+0x26/0x30 ? hrtimer_active+0x58/0x300 ? __pfx_mutex_lock+0x10/0x10 ? __pfx_locks_remove_file+0x10/0x10 hrtimer_cancel+0x15/0x40 timerlat_fd_release+0x8e/0x1f0 ? security_file_release+0x43/0x80 __fput+0x372/0xb10 task_work_run+0x11e/0x1f0 ? _raw_spin_lock+0x85/0xe0 ? __pfx_task_work_run+0x10/0x10 ? poison_slab_object+0x109/0x170 ? do_exit+0x7a0/0x24b0 do_exit+0x7bd/0x24b0 ? __pfx_migrate_enable+0x10/0x10 ? __pfx_do_exit+0x10/0x10 ? __pfx_read_tsc+0x10/0x10 ? ktime_get+0x64/0x140 ? _raw_spin_lock_irq+0x86/0xe0 do_group_exit+0xb0/0x220 get_signal+0x17ba/0x1b50 ? vfs_read+0x179/0xa40 ? timerlat_fd_read+0x30b/0x9d0 ? __pfx_get_signal+0x10/0x10 ? __pfx_timerlat_fd_read+0x10/0x10 arch_do_signal_or_restart+0x8c/0x570 ? __pfx_arch_do_signal_or_restart+0x10/0x10 ? vfs_read+0x179/0xa40 ? ksys_read+0xfe/0x1d0 ? __pfx_ksys_read+0x10/0x10 syscall_exit_to_user_mode+0xbc/0x130 do_syscall_64+0x74/0x110 ? __pfx___rseq_handle_notify_resume+0x10/0x10 ? __pfx_ksys_read+0x10/0x10 ? fpregs_restore_userregs+0xdb/0x1e0 ? fpregs_restore_userregs+0xdb/0x1e0 ? syscall_exit_to_user_mode+0x116/0x130 ? do_syscall_64+0x74/0x110 ? do_syscall_64+0x74/0x110 ? do_syscall_64+0x74/0x110 entry_SYSCALL_64_after_hwframe+0x71/0x79 RIP: 0033:0x7ff0070eca9c Code: Unable to access opcode bytes at 0x7ff0070eca72. 
RSP: 002b:00007ff006dff8c0 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00007ff0070eca9c RDX: 0000000000000400 RSI: 00007ff006dff9a0 RDI: 0000000000000003 RBP: 00007ff006dffde0 R08: 0000000000000000 R09: 00007ff000000ba0 R10: 00007ff007004b08 R11: 0000000000000246 R12: 0000000000000003 R13: 00007ff006dff9a0 R14: 0000000000000007 R15: 0000000000000008 Modules linked in: snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec snd_hwdep snd_hda_core ---[ end trace 0000000000000000 ]--- This is because it would mistakenly call kthread_stop() on a user space thread making it \"exit\" before it actually exits. Since kthread ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46846", "url": "https://ubuntu.com/security/CVE-2024-46846", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: spi: rockchip: Resolve unbalanced runtime PM / system PM handling Commit e882575efc77 (\"spi: rockchip: Suspend and resume the bus during NOIRQ_SYSTEM_SLEEP_PM ops\") stopped respecting runtime PM status and simply disabled clocks unconditionally when suspending the system. This causes problems when the device is already runtime suspended when we go to sleep -- in which case we double-disable clocks and produce a WARNing. Switch back to pm_runtime_force_{suspend,resume}(), because that still seems like the right thing to do, and the aforementioned commit makes no explanation why it stopped using it. 
Also, refactor some of the resume() error handling, because it's not actually a good idea to re-disable clocks on failure.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46847", "url": "https://ubuntu.com/security/CVE-2024-46847", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm: vmalloc: ensure vmap_block is initialised before adding to queue Commit 8c61291fd850 (\"mm: fix incorrect vbq reference in purge_fragmented_block\") extended the 'vmap_block' structure to contain a 'cpu' field which is set at allocation time to the id of the initialising CPU. When a new 'vmap_block' is being instantiated by new_vmap_block(), the partially initialised structure is added to the local 'vmap_block_queue' xarray before the 'cpu' field has been initialised. If another CPU is concurrently walking the xarray (e.g. via vm_unmap_aliases()), then it may perform an out-of-bounds access to the remote queue thanks to an uninitialised index. This has been observed as UBSAN errors in Android: | Internal error: UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP | | Call trace: | purge_fragmented_block+0x204/0x21c | _vm_unmap_aliases+0x170/0x378 | vm_unmap_aliases+0x1c/0x28 | change_memory_common+0x1dc/0x26c | set_memory_ro+0x18/0x24 | module_enable_ro+0x98/0x238 | do_init_module+0x1b0/0x310 Move the initialisation of 'vb->cpu' in new_vmap_block() ahead of the addition to the xarray.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46791", "url": "https://ubuntu.com/security/CVE-2024-46791", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open The mcp251x_hw_wake() function is called with the mpc_lock mutex held and disables the interrupt handler so that no interrupts can be processed while waking the device. 
If an interrupt has already occurred then waiting for the interrupt handler to complete will deadlock because it will be trying to acquire the same mutex. CPU0 CPU1 ---- ---- mcp251x_open() mutex_lock(&priv->mcp_lock) request_threaded_irq() mcp251x_can_ist() mutex_lock(&priv->mcp_lock) mcp251x_hw_wake() disable_irq() <-- deadlock Use disable_irq_nosync() instead because the interrupt handler does everything while holding the mutex so it doesn't matter if it's still running.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46829", "url": "https://ubuntu.com/security/CVE-2024-46829", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rtmutex: Drop rt_mutex::wait_lock before scheduling rt_mutex_handle_deadlock() is called with rt_mutex::wait_lock held. In the good case it returns with the lock held and in the deadlock case it emits a warning and goes into an endless scheduling loop with the lock held, which triggers the 'scheduling in atomic' warning. Unlock rt_mutex::wait_lock in the dead lock case before issuing the warning and dropping into the schedule for ever loop. [ tglx: Moved unlock before the WARN(), removed the pointless comment, \tmassaged changelog, added Fixes tag ]", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46848", "url": "https://ubuntu.com/security/CVE-2024-46848", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: Limit the period on Haswell Running the ltp test cve-2015-3290 concurrently reports the following warnings. perfevents: irq loop stuck! WARNING: CPU: 31 PID: 32438 at arch/x86/events/intel/core.c:3174 intel_pmu_handle_irq+0x285/0x370 Call Trace: ? __warn+0xa4/0x220 ? intel_pmu_handle_irq+0x285/0x370 ? __report_bug+0x123/0x130 ? intel_pmu_handle_irq+0x285/0x370 ? __report_bug+0x123/0x130 ? intel_pmu_handle_irq+0x285/0x370 ? report_bug+0x3e/0xa0 ? 
handle_bug+0x3c/0x70 ? exc_invalid_op+0x18/0x50 ? asm_exc_invalid_op+0x1a/0x20 ? irq_work_claim+0x1e/0x40 ? intel_pmu_handle_irq+0x285/0x370 perf_event_nmi_handler+0x3d/0x60 nmi_handle+0x104/0x330 Thanks to Thomas Gleixner's analysis, the issue is caused by the low initial period (1) of the frequency estimation algorithm, which triggers the defects of the HW, specifically erratum HSW11 and HSW143. (For the details, please refer https://lore.kernel.org/lkml/87plq9l5d2.ffs@tglx/) The HSW11 requires a period larger than 100 for the INST_RETIRED.ALL event, but the initial period in the freq mode is 1. The erratum is the same as the BDM11, which has been supported in the kernel. A minimum period of 128 is enforced as well on HSW. HSW143 is regarding that the fixed counter 1 may overcount 32 with the Hyper-Threading is enabled. However, based on the test, the hardware has more issues than it tells. Besides the fixed counter 1, the message 'interrupt took too long' can be observed on any counter which was armed with a period < 32 and two events expired in the same NMI. A minimum period of 32 is enforced for the rest of the events. The recommended workaround code of the HSW143 is not implemented. Because it only addresses the issue for the fixed counter. It brings extra overhead through extra MSR writing. No related overcounting issue has been reported so far.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46794", "url": "https://ubuntu.com/security/CVE-2024-46794", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: x86/tdx: Fix data leak in mmio_read() The mmio_read() function makes a TDVMCALL to retrieve MMIO data for an address from the VMM. Sean noticed that mmio_read() unintentionally exposes the value of an initialized variable (val) on the stack to the VMM. This variable is only needed as an output value. It did not need to be passed to the VMM in the first place. 
Do not send the original value of *val to the VMM. [ dhansen: clarify what 'val' is used for. ]", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46795", "url": "https://ubuntu.com/security/CVE-2024-46795", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: unset the binding mark of a reused connection Steve French reported null pointer dereference error from sha256 lib. cifs.ko can send session setup requests on reused connection. If reused connection is used for binding session, conn->binding can still remain true and generate_preauth_hash() will not set sess->Preauth_HashValue and it will be NULL. It is used as a material to create an encryption key in ksmbd_gen_smb311_encryptionkey. ->Preauth_HashValue cause null pointer dereference error from crypto_shash_update(). BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 8 PID: 429254 Comm: kworker/8:39 Hardware name: LENOVO 20MAS08500/20MAS08500, BIOS N2CET69W (1.52 ) Workqueue: ksmbd-io handle_ksmbd_work [ksmbd] RIP: 0010:lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3] ? show_regs+0x6d/0x80 ? __die+0x24/0x80 ? page_fault_oops+0x99/0x1b0 ? do_user_addr_fault+0x2ee/0x6b0 ? exc_page_fault+0x83/0x1b0 ? asm_exc_page_fault+0x27/0x30 ? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3] ? lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3] ? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3] ? 
__pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3] _sha256_update+0x77/0xa0 [sha256_ssse3] sha256_avx2_update+0x15/0x30 [sha256_ssse3] crypto_shash_update+0x1e/0x40 hmac_update+0x12/0x20 crypto_shash_update+0x1e/0x40 generate_key+0x234/0x380 [ksmbd] generate_smb3encryptionkey+0x40/0x1c0 [ksmbd] ksmbd_gen_smb311_encryptionkey+0x72/0xa0 [ksmbd] ntlm_authenticate.isra.0+0x423/0x5d0 [ksmbd] smb2_sess_setup+0x952/0xaa0 [ksmbd] __process_request+0xa3/0x1d0 [ksmbd] __handle_ksmbd_work+0x1c4/0x2f0 [ksmbd] handle_ksmbd_work+0x2d/0xa0 [ksmbd] process_one_work+0x16c/0x350 worker_thread+0x306/0x440 ? __pfx_worker_thread+0x10/0x10 kthread+0xef/0x120 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x44/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 ", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46797", "url": "https://ubuntu.com/security/CVE-2024-46797", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/qspinlock: Fix deadlock in MCS queue If an interrupt occurs in queued_spin_lock_slowpath() after we increment qnodesp->count and before node->lock is initialized, another CPU might see stale lock values in get_tail_qnode(). If the stale lock value happens to match the lock on that CPU, then we write to the \"next\" pointer of the wrong qnode. This causes a deadlock as the former CPU, once it becomes the head of the MCS queue, will spin indefinitely until it's \"next\" pointer is set by its successor in the queue. Running stress-ng on a 16 core (16EC/16VP) shared LPAR, results in occasional lockups similar to the following: $ stress-ng --all 128 --vm-bytes 80% --aggressive \\ --maximize --oomable --verify --syslog \\ --metrics --times --timeout 5m watchdog: CPU 15 Hard LOCKUP ...... 
NIP [c0000000000b78f4] queued_spin_lock_slowpath+0x1184/0x1490 LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90 Call Trace: 0xc000002cfffa3bf0 (unreliable) _raw_spin_lock+0x6c/0x90 raw_spin_rq_lock_nested.part.135+0x4c/0xd0 sched_ttwu_pending+0x60/0x1f0 __flush_smp_call_function_queue+0x1dc/0x670 smp_ipi_demux_relaxed+0xa4/0x100 xive_muxed_ipi_action+0x20/0x40 __handle_irq_event_percpu+0x80/0x240 handle_irq_event_percpu+0x2c/0x80 handle_percpu_irq+0x84/0xd0 generic_handle_irq+0x54/0x80 __do_irq+0xac/0x210 __do_IRQ+0x74/0xd0 0x0 do_IRQ+0x8c/0x170 hardware_interrupt_common_virt+0x29c/0x2a0 --- interrupt: 500 at queued_spin_lock_slowpath+0x4b8/0x1490 ...... NIP [c0000000000b6c28] queued_spin_lock_slowpath+0x4b8/0x1490 LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90 --- interrupt: 500 0xc0000029c1a41d00 (unreliable) _raw_spin_lock+0x6c/0x90 futex_wake+0x100/0x260 do_futex+0x21c/0x2a0 sys_futex+0x98/0x270 system_call_exception+0x14c/0x2f0 system_call_vectored_common+0x15c/0x2ec The following code flow illustrates how the deadlock occurs. For the sake of brevity, assume that both locks (A and B) are contended and we call the queued_spin_lock_slowpath() function. CPU0 CPU1 ---- ---- spin_lock_irqsave(A) | spin_unlock_irqrestore(A) | spin_lock(B) | | | ? | id = qnodesp->count++; | (Note that nodes[0].lock == A) | | | ? | Interrupt | (happens before \"nodes[0].lock = B\") | | | ? | spin_lock_irqsave(A) | | | ? | id = qnodesp->count++ | nodes[1].lock = A | | | ? | Tail of MCS queue | | spin_lock_irqsave(A) ? | Head of MCS queue ? | CPU0 is previous tail ? | Spin indefinitely ? (until \"nodes[1].next != NULL\") prev = get_tail_qnode(A, CPU0) | ? 
prev == &qnodes[CPU0].nodes[0] (as qnodes ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46830", "url": "https://ubuntu.com/security/CVE-2024-46830", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS Grab kvm->srcu when processing KVM_SET_VCPU_EVENTS, as KVM will forcibly leave nested VMX/SVM if SMM mode is being toggled, and leaving nested VMX reads guest memory. Note, kvm_vcpu_ioctl_x86_set_vcpu_events() can also be called from KVM_RUN via sync_regs(), which already holds SRCU. I.e. trying to precisely use kvm_vcpu_srcu_read_lock() around the problematic SMM code would cause problems. Acquiring SRCU isn't all that expensive, so for simplicity, grab it unconditionally for KVM_SET_VCPU_EVENTS. ============================= WARNING: suspicious RCU usage 6.10.0-rc7-332d2c1d713e-next-vm #552 Not tainted ----------------------------- include/linux/kvm_host.h:1027 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by repro/1071: #0: ffff88811e424430 (&vcpu->mutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x7d/0x970 [kvm] stack backtrace: CPU: 15 PID: 1071 Comm: repro Not tainted 6.10.0-rc7-332d2c1d713e-next-vm #552 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Call Trace: dump_stack_lvl+0x7f/0x90 lockdep_rcu_suspicious+0x13f/0x1a0 kvm_vcpu_gfn_to_memslot+0x168/0x190 [kvm] kvm_vcpu_read_guest+0x3e/0x90 [kvm] nested_vmx_load_msr+0x6b/0x1d0 [kvm_intel] load_vmcs12_host_state+0x432/0xb40 [kvm_intel] vmx_leave_nested+0x30/0x40 [kvm_intel] kvm_vcpu_ioctl_x86_set_vcpu_events+0x15d/0x2b0 [kvm] kvm_arch_vcpu_ioctl+0x1107/0x1750 [kvm] ? mark_held_locks+0x49/0x70 ? kvm_vcpu_ioctl+0x7d/0x970 [kvm] ? kvm_vcpu_ioctl+0x497/0x970 [kvm] kvm_vcpu_ioctl+0x497/0x970 [kvm] ? lock_acquire+0xba/0x2d0 ? 
find_held_lock+0x2b/0x80 ? do_user_addr_fault+0x40c/0x6f0 ? lock_release+0xb7/0x270 __x64_sys_ioctl+0x82/0xb0 do_syscall_64+0x6c/0x170 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7ff11eb1b539 ", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46798", "url": "https://ubuntu.com/security/CVE-2024-46798", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object When using kernel with the following extra config, - CONFIG_KASAN=y - CONFIG_KASAN_GENERIC=y - CONFIG_KASAN_INLINE=y - CONFIG_KASAN_VMALLOC=y - CONFIG_FRAME_WARN=4096 kernel detects that snd_pcm_suspend_all() access a freed 'snd_soc_pcm_runtime' object when the system is suspended, which leads to a use-after-free bug: [ 52.047746] BUG: KASAN: use-after-free in snd_pcm_suspend_all+0x1a8/0x270 [ 52.047765] Read of size 1 at addr ffff0000b9434d50 by task systemd-sleep/2330 [ 52.047785] Call trace: [ 52.047787] dump_backtrace+0x0/0x3c0 [ 52.047794] show_stack+0x34/0x50 [ 52.047797] dump_stack_lvl+0x68/0x8c [ 52.047802] print_address_description.constprop.0+0x74/0x2c0 [ 52.047809] kasan_report+0x210/0x230 [ 52.047815] __asan_report_load1_noabort+0x3c/0x50 [ 52.047820] snd_pcm_suspend_all+0x1a8/0x270 [ 52.047824] snd_soc_suspend+0x19c/0x4e0 The snd_pcm_sync_stop() has a NULL check on 'substream->runtime' before making any access. So we need to always set 'substream->runtime' to NULL everytime we kfree() it.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46831", "url": "https://ubuntu.com/security/CVE-2024-46831", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: microchip: vcap: Fix use-after-free error in kunit test This is a clear use-after-free error. 
We remove it, and rely on checking the return code of vcap_del_rule.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46747", "url": "https://ubuntu.com/security/CVE-2024-46747", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup report_fixup for the Cougar 500k Gaming Keyboard was not verifying that the report descriptor size was correct before accessing it", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46725", "url": "https://ubuntu.com/security/CVE-2024-46725", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix out-of-bounds write warning Check the ring type value to fix the out-of-bounds write warning", "cve_priority": "medium", "cve_public_date": "2024-09-18 07:15:00 UTC" }, { "cve": "CVE-2024-46724", "url": "https://ubuntu.com/security/CVE-2024-46724", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number Check the fb_channel_number range to avoid the array out-of-bounds read error", "cve_priority": "medium", "cve_public_date": "2024-09-18 07:15:00 UTC" }, { "cve": "CVE-2024-46723", "url": "https://ubuntu.com/security/CVE-2024-46723", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix ucode out-of-bounds read warning Clear warning that read ucode[] may out-of-bounds.", "cve_priority": "medium", "cve_public_date": "2024-09-18 07:15:00 UTC" }, { "cve": "CVE-2024-46743", "url": "https://ubuntu.com/security/CVE-2024-46743", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: of/irq: Prevent device address out-of-bounds read in interrupt map walk When of_irq_parse_raw() is invoked with a device address smaller than the interrupt parent node 
(from #address-cells property), KASAN detects the following out-of-bounds read when populating the initial match table (dyndbg=\"func of_irq_parse_* +p\"): OF: of_irq_parse_one: dev=/soc@0/picasso/watchdog, index=0 OF: parent=/soc@0/pci@878000000000/gpio0@17,0, intsize=2 OF: intspec=4 OF: of_irq_parse_raw: ipar=/soc@0/pci@878000000000/gpio0@17,0, size=2 OF: -> addrsize=3 ================================================================== BUG: KASAN: slab-out-of-bounds in of_irq_parse_raw+0x2b8/0x8d0 Read of size 4 at addr ffffff81beca5608 by task bash/764 CPU: 1 PID: 764 Comm: bash Tainted: G O 6.1.67-484c613561-nokia_sm_arm64 #1 Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.01-12.24.03-dirty 01/01/2023 Call trace: dump_backtrace+0xdc/0x130 show_stack+0x1c/0x30 dump_stack_lvl+0x6c/0x84 print_report+0x150/0x448 kasan_report+0x98/0x140 __asan_load4+0x78/0xa0 of_irq_parse_raw+0x2b8/0x8d0 of_irq_parse_one+0x24c/0x270 parse_interrupts+0xc0/0x120 of_fwnode_add_links+0x100/0x2d0 fw_devlink_parse_fwtree+0x64/0xc0 device_add+0xb38/0xc30 of_device_add+0x64/0x90 of_platform_device_create_pdata+0xd0/0x170 of_platform_bus_create+0x244/0x600 of_platform_notify+0x1b0/0x254 blocking_notifier_call_chain+0x9c/0xd0 __of_changeset_entry_notify+0x1b8/0x230 __of_changeset_apply_notify+0x54/0xe4 of_overlay_fdt_apply+0xc04/0xd94 ... 
The buggy address belongs to the object at ffffff81beca5600 which belongs to the cache kmalloc-128 of size 128 The buggy address is located 8 bytes inside of 128-byte region [ffffff81beca5600, ffffff81beca5680) The buggy address belongs to the physical page: page:00000000230d3d03 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1beca4 head:00000000230d3d03 order:1 compound_mapcount:0 compound_pincount:0 flags: 0x8000000000010200(slab|head|zone=2) raw: 8000000000010200 0000000000000000 dead000000000122 ffffff810000c300 raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffffff81beca5500: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffffff81beca5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffffff81beca5600: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffffff81beca5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffffff81beca5700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc ================================================================== OF: -> got it ! Prevent the out-of-bounds read by copying the device address into a buffer of sufficient size.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46757", "url": "https://ubuntu.com/security/CVE-2024-46757", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (nct6775-core) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. 
Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46759", "url": "https://ubuntu.com/security/CVE-2024-46759", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (adc128d818) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46758", "url": "https://ubuntu.com/security/CVE-2024-46758", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (lm95234) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46756", "url": "https://ubuntu.com/security/CVE-2024-46756", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (w83627ehf) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. 
Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46738", "url": "https://ubuntu.com/security/CVE-2024-46738", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: VMCI: Fix use-after-free when removing resource in vmci_resource_remove() When removing a resource from vmci_resource_table in vmci_resource_remove(), the search is performed using the resource handle by comparing context and resource fields. It is possible though to create two resources with different types but same handle (same context and resource fields). When trying to remove one of the resources, vmci_resource_remove() may not remove the intended one, but the object will still be freed as in the case of the datagram type in vmci_datagram_destroy_handle(). vmci_resource_table will still hold a pointer to this freed resource leading to a use-after-free vulnerability. BUG: KASAN: use-after-free in vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline] BUG: KASAN: use-after-free in vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147 Read of size 4 at addr ffff88801c16d800 by task syz-executor197/1592 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x82/0xa9 lib/dump_stack.c:106 print_address_description.constprop.0+0x21/0x366 mm/kasan/report.c:239 __kasan_report.cold+0x7f/0x132 mm/kasan/report.c:425 kasan_report+0x38/0x51 mm/kasan/report.c:442 vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline] vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147 vmci_qp_broker_detach+0x89a/0x11b9 drivers/misc/vmw_vmci/vmci_queue_pair.c:2182 ctx_free_ctx+0x473/0xbe1 drivers/misc/vmw_vmci/vmci_context.c:444 kref_put include/linux/kref.h:65 [inline] vmci_ctx_put drivers/misc/vmw_vmci/vmci_context.c:497 [inline] vmci_ctx_destroy+0x170/0x1d6 drivers/misc/vmw_vmci/vmci_context.c:195 
vmci_host_close+0x125/0x1ac drivers/misc/vmw_vmci/vmci_host.c:143 __fput+0x261/0xa34 fs/file_table.c:282 task_work_run+0xf0/0x194 kernel/task_work.c:164 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop+0x184/0x189 kernel/entry/common.c:187 exit_to_user_mode_prepare+0x11b/0x123 kernel/entry/common.c:220 __syscall_exit_to_user_mode_work kernel/entry/common.c:302 [inline] syscall_exit_to_user_mode+0x18/0x42 kernel/entry/common.c:313 do_syscall_64+0x41/0x85 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x6e/0x0 This change ensures the type is also checked when removing the resource from vmci_resource_table in vmci_resource_remove().", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46722", "url": "https://ubuntu.com/security/CVE-2024-46722", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix mc_data out-of-bounds read warning Clear warning that read mc_data[i-1] may out-of-bounds.", "cve_priority": "medium", "cve_public_date": "2024-09-18 07:15:00 UTC" }, { "cve": "CVE-2024-42284", "url": "https://ubuntu.com/security/CVE-2024-42284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tipc: Return non-zero value from tipc_udp_addr2str() on error tipc_udp_addr2str() should return non-zero value if the UDP media address is invalid. Otherwise, a buffer overflow access can occur in tipc_media_addr_printf(). Fix this by returning 1 on an invalid UDP media address.", "cve_priority": "medium", "cve_public_date": "2024-08-17 09:15:00 UTC" }, { "cve": "CVE-2024-44987", "url": "https://ubuntu.com/security/CVE-2024-44987", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent UAF in ip6_send_skb() syzbot reported an UAF in ip6_send_skb() [1] After ip6_local_out() has returned, we no longer can safely dereference rt, unless we hold rcu_read_lock(). 
A similar issue has been fixed in commit a688caa34beb (\"ipv6: take rcu lock in rawv6_send_hdrinc()\") Another potential issue in ip6_finish_output2() is handled in a separate patch. [1] BUG: KASAN: slab-use-after-free in ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964 Read of size 8 at addr ffff88806dde4858 by task syz.1.380/6530 CPU: 1 UID: 0 PID: 6530 Comm: syz.1.380 Not tainted 6.11.0-rc3-syzkaller-00306-gdf6cbc62cc9b #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964 rawv6_push_pending_frames+0x75c/0x9e0 net/ipv6/raw.c:588 rawv6_sendmsg+0x19c7/0x23c0 net/ipv6/raw.c:926 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x1a6/0x270 net/socket.c:745 sock_write_iter+0x2dd/0x400 net/socket.c:1160 do_iter_readv_writev+0x60a/0x890 vfs_writev+0x37c/0xbb0 fs/read_write.c:971 do_writev+0x1b1/0x350 fs/read_write.c:1018 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f936bf79e79 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f936cd7f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 RAX: ffffffffffffffda RBX: 00007f936c115f80 RCX: 00007f936bf79e79 RDX: 0000000000000001 RSI: 0000000020000040 RDI: 0000000000000004 RBP: 00007f936bfe7916 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f936c115f80 R15: 00007fff2860a7a8 Allocated by task 6530: kasan_save_stack 
mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:312 [inline] __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slub.c:3988 [inline] slab_alloc_node mm/slub.c:4037 [inline] kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4044 dst_alloc+0x12b/0x190 net/core/dst.c:89 ip6_blackhole_route+0x59/0x340 net/ipv6/route.c:2670 make_blackhole net/xfrm/xfrm_policy.c:3120 [inline] xfrm_lookup_route+0xd1/0x1c0 net/xfrm/xfrm_policy.c:3313 ip6_dst_lookup_flow+0x13e/0x180 net/ipv6/ip6_output.c:1257 rawv6_sendmsg+0x1283/0x23c0 net/ipv6/raw.c:898 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x1a6/0x270 net/socket.c:745 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597 ___sys_sendmsg net/socket.c:2651 [inline] __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 45: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2252 [inline] slab_free mm/slub.c:4473 [inline] kmem_cache_free+0x145/0x350 mm/slub.c:4548 dst_destroy+0x2ac/0x460 net/core/dst.c:124 rcu_do_batch kernel/rcu/tree.c:2569 [inline] rcu_core+0xafd/0x1830 kernel/rcu/tree. 
---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-04 20:15:00 UTC" }, { "cve": "CVE-2024-42301", "url": "https://ubuntu.com/security/CVE-2024-42301", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: dev/parport: fix the array out-of-bounds risk Fixed array out-of-bounds issues caused by sprintf by replacing it with snprintf for safer data copying, ensuring the destination buffer is not overflowed. Below is the stack trace I encountered during the actual issue: [ 66.575408s] [pid:5118,cpu4,QThread,4]Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: do_hardware_base_addr+0xcc/0xd0 [parport] [ 66.575408s] [pid:5118,cpu4,QThread,5]CPU: 4 PID: 5118 Comm: QThread Tainted: G S W O 5.10.97-arm64-desktop #7100.57021.2 [ 66.575439s] [pid:5118,cpu4,QThread,6]TGID: 5087 Comm: EFileApp [ 66.575439s] [pid:5118,cpu4,QThread,7]Hardware name: HUAWEI HUAWEI QingYun PGUX-W515x-B081/SP1PANGUXM, BIOS 1.00.07 04/29/2024 [ 66.575439s] [pid:5118,cpu4,QThread,8]Call trace: [ 66.575469s] [pid:5118,cpu4,QThread,9] dump_backtrace+0x0/0x1c0 [ 66.575469s] [pid:5118,cpu4,QThread,0] show_stack+0x14/0x20 [ 66.575469s] [pid:5118,cpu4,QThread,1] dump_stack+0xd4/0x10c [ 66.575500s] [pid:5118,cpu4,QThread,2] panic+0x1d8/0x3bc [ 66.575500s] [pid:5118,cpu4,QThread,3] __stack_chk_fail+0x2c/0x38 [ 66.575500s] [pid:5118,cpu4,QThread,4] do_hardware_base_addr+0xcc/0xd0 [parport]", "cve_priority": "medium", "cve_public_date": "2024-08-17 09:15:00 UTC" }, { "cve": "CVE-2024-44998", "url": "https://ubuntu.com/security/CVE-2024-44998", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: idt77252: prevent use after free in dequeue_rx() We can't dereference \"skb\" after calling vcc->push() because the skb is released.", "cve_priority": "medium", "cve_public_date": "2024-09-04 20:15:00 UTC" } ], "log": [ "", " * noble/linux-riscv: 6.8.0-50.51.1 -proposed tracker (LP: #2086298)", "", " * 
Noble update: upstream stable patchset 2024-10-29 (LP: #2085849)", " - Revert \"mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K\"", "", " * Packaging resync (LP: #1786013)", " - [Packaging] resync git-ubuntu-log", " - [Packaging] debian.riscv/dkms-versions -- update from kernel-versions", " (main/2024.10.28)", "", " [ Ubuntu: 6.8.0-50.51 ]", "", " * noble/linux: 6.8.0-50.51 -proposed tracker (LP: #2086301)", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.master/dkms-versions -- update from kernel-versions", " (main/2024.10.28)", " * Noble update: upstream stable patchset 2024-10-31 (LP: #2086138)", " - device property: Add cleanup.h based fwnode_handle_put() scope based", " cleanup.", " - device property: Introduce device_for_each_child_node_scoped()", " - iio: adc: ad7124: Switch from of specific to fwnode based property handling", " - ksmbd: override fsids for share path check", " - ksmbd: override fsids for smb2_query_info()", " - usbnet: ipheth: remove extraneous rx URB length check", " - usbnet: ipheth: drop RX URBs with no payload", " - usbnet: ipheth: do not stop RX on failing RX callback", " - usbnet: ipheth: fix carrier detection in modes 1 and 4", " - net: ethernet: use ip_hdrlen() instead of bit shift", " - drm: panel-orientation-quirks: Add quirk for Ayn Loki Zero", " - drm: panel-orientation-quirks: Add quirk for Ayn Loki Max", " - net: phy: vitesse: repair vsc73xx autonegotiation", " - powerpc/mm: Fix boot warning with hugepages and CONFIG_DEBUG_VIRTUAL", " - wifi: mt76: mt7921: fix NULL pointer access in mt7921_ipv6_addr_change", " - net: hns3: use correct release function during uninitialization", " - btrfs: update target inode's ctime on unlink", " - Input: ads7846 - ratelimit the spi_sync error message", " - Input: synaptics - enable SMBus for HP Elitebook 840 G2", " - HID: multitouch: Add support for GT7868Q", " - scripts: kconfig: merge_config: config files: add a trailing newline", " - platform/surface: 
aggregator_registry: Add Support for Surface Pro 10", " - platform/surface: aggregator_registry: Add support for Surface Laptop Go 3", " - drm/msm/adreno: Fix error return if missing firmware-name", " - Input: i8042 - add Fujitsu Lifebook E756 to i8042 quirk table", " - smb/server: fix return value of smb2_open()", " - NFSv4: Fix clearing of layout segments in layoutreturn", " - NFS: Avoid unnecessary rescanning of the per-server delegation list", " - platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses", " - platform/x86: panasonic-laptop: Allocate 1 entry extra in the sinf array", " - mptcp: pm: Fix uaf in __timer_delete_sync", " - arm64: dts: rockchip: fix eMMC/SPI corruption when audio has been used on", " RK3399 Puma", " - arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399", " Puma", " - minmax: reduce min/max macro expansion in atomisp driver", " - net: tighten bad gso csum offset check in virtio_net_hdr", " - dm-integrity: fix a race condition when accessing recalc_sector", " - x86/hyperv: fix kexec crash due to VP assist page corruption", " - mm: avoid leaving partial pfn mappings around in error case", " - arm64: dts: rockchip: fix PMIC interrupt pin in pinctrl for ROCK Pi E", " - drm/amd/display: Disable error correction if it's not supported", " - drm/amd/display: Fix FEC_READY write on DP LT", " - eeprom: digsy_mtc: Fix 93xx46 driver probe failure", " - cxl/core: Fix incorrect vendor debug UUID define", " - selftests/bpf: Support SOCK_STREAM in unix_inet_redir_to_connected()", " - hwmon: (pmbus) Conditionally clear individual status bits for pmbus rev >=", " 1.2", " - ice: Fix lldp packets dropping after changing the number of channels", " - ice: fix accounting for filters shared by multiple VSIs", " - ice: fix VSI lists confusion when adding VLANs", " - igb: Always call igb_xdp_ring_update_tail() under Tx lock", " - net/mlx5: Update the list of the PCI supported devices", " - net/mlx5e: Add missing link modes to 
ptys2ethtool_map", " - net/mlx5e: Add missing link mode to ptys2ext_ethtool_map", " - net/mlx5: Explicitly set scheduling element and TSAR type", " - net/mlx5: Add missing masks and QoS bit masks for scheduling elements", " - net/mlx5: Correct TASR typo into TSAR", " - net/mlx5: Verify support for scheduling element and TSAR type", " - net/mlx5: Fix bridge mode operations when there are no VFs", " - fou: fix initialization of grc", " - octeontx2-af: Modify SMQ flush sequence to drop packets", " - net: ftgmac100: Enable TX interrupt to avoid TX timeout", " - selftests: net: csum: Fix checksums for packets with non-zero padding", " - netfilter: nft_socket: fix sk refcount leaks", " - net: dsa: felix: ignore pending status of TAS module when it's disabled", " - net: dpaa: Pad packets to ETH_ZLEN", " - tracing/osnoise: Fix build when timerlat is not enabled", " - spi: nxp-fspi: fix the KASAN report out-of-bounds bug", " - drm/syncobj: Fix syncobj leak in drm_syncobj_eventfd_ioctl", " - dma-buf: heaps: Fix off-by-one in CMA heap fault handler", " - drm/nouveau/fb: restore init() for ramgp102", " - drm/amdgpu/atomfirmware: Silence UBSAN warning", " - drm/amd/amdgpu: apply command submission parser for JPEG v1", " - spi: geni-qcom: Undo runtime PM changes at driver exit time", " - spi: geni-qcom: Fix incorrect free_irq() sequence", " - drm/i915/guc: prevent a possible int overflow in wq offsets", " - ASoC: codecs: avoid possible garbage value in peb2466_reg_read()", " - cifs: Fix signature miscalculation", " - pinctrl: meteorlake: Add Arrow Lake-H/U ACPI ID", " - ASoC: meson: axg-card: fix 'use-after-free'", " - drm/mediatek: Set sensible cursor width/height values to fix crash", " - Input: edt-ft5x06 - add support for FocalTech FT5452 and FT8719", " - Input: edt-ft5x06 - add support for FocalTech FT8201", " - cgroup/cpuset: Eliminate unncessary sched domains rebuilds in hotplug", " - spi: zynqmp-gqspi: Scale timeout by data size", " - drm/xe: use devm instead of drmm for 
managed bo", " - net: libwx: fix number of Rx and Tx descriptors", " - clocksource: hyper-v: Use lapic timer in a TDX VM without paravisor", " - bcachefs: Fix bch2_extents_match() false positive", " - bcachefs: Don't delete open files in online fsck", " - firmware: qcom: uefisecapp: Fix deadlock in qcuefi_acquire()", " - riscv: dts: starfive: jh7110-common: Fix lower rate of CPUfreq by setting", " PLL0 rate to 1.5GHz", " - cxl: Restore XOR'd position bits during address translation", " - netlink: specs: mptcp: fix port endianness", " - drm/amd/display: Avoid race between dcn10_set_drr() and dc_state_destruct()", " - drm/amd/display: Avoid race between dcn35_set_drr() and dc_state_destruct()", " - drm/amd/amdgpu: apply command submission parser for JPEG v2+", " - drm/xe/client: fix deadlock in show_meminfo()", " - drm/xe/client: remove bogus rcu list usage", " - drm/xe/client: add missing bo locking in show_meminfo()", " - tracing/kprobes: Fix build error when find_module() is not available", " - drm/xe/display: fix compat IS_DISPLAY_STEP() range end", " - Upstream stable to v6.6.52, v6.10.11", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849)", " - KVM: SVM: fix emulation of msr reads/writes of MSR_FS_BASE and MSR_GS_BASE", " - KVM: SVM: Don't advertise Bus Lock Detect to guest if SVM support is missing", " - ALSA: hda/conexant: Add pincfg quirk to enable top speakers on Sirius", " devices", " - ALSA: hda/realtek: add patch for internal mic in Lenovo V145", " - ALSA: hda/realtek: Support mute LED on HP Laptop 14-dq2xxx", " - ksmbd: Unlock on in ksmbd_tcp_set_interfaces()", " - ata: libata: Fix memory leak for error path in ata_host_alloc()", " - irqchip/gic-v2m: Fix refcount leak in gicv2m_of_init()", " - x86/kaslr: Expose and use the end of the physical memory address space", " - nvme-pci: Add sleep quirk for Samsung 990 Evo", " - rust: types: Make Opaque::get const", " - rust: macros: provide correct provenance when constructing THIS_MODULE", " 
- Revert \"Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/LE\"", " - Bluetooth: MGMT: Ignore keys being loaded with invalid type", " - mmc: core: apply SD quirks earlier during probe", " - mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K", " - mmc: sdhci-of-aspeed: fix module autoloading", " - mmc: cqhci: Fix checking of CQHCI_HALT state", " - fuse: update stats for pages in dropped aux writeback list", " - fuse: use unsigned type for getxattr/listxattr size truncation", " - fuse: fix memory leak in fuse_create_open", " - clk: starfive: jh7110-sys: Add notifier for PLL0 clock", " - clk: qcom: clk-alpha-pll: Fix the pll post div mask", " - clk: qcom: clk-alpha-pll: Fix the trion pll postdiv set rate API", " - kexec_file: fix elfcorehdr digest exclusion when CONFIG_CRASH_HOTPLUG=y", " - tracing: Avoid possible softlockup in tracing_iter_reset()", " - tracing/timerlat: Add interface_lock around clearing of kthread in", " stop_kthread()", " - net: mctp-serial: Fix missing escapes on transmit", " - x86/fpu: Avoid writing LBR bit to IA32_XSS unless supported", " - x86/apic: Make x2apic_disable() work correctly", " - drm/i915: Do not attempt to load the GSC multiple times", " - ALSA: control: Apply sanity check of input values for user elements", " - ALSA: hda: Add input value sanity checks to HDMI channel map controls", " - wifi: ath12k: fix uninitialize symbol error on ath12k_peer_assoc_h_he()", " - smack: unix sockets: fix accept()ed socket label", " - bpf, verifier: Correct tail_call_reachable for bpf prog", " - accel/habanalabs/gaudi2: unsecure edma max outstanding register", " - irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1", " - af_unix: Remove put_pid()/put_cred() in copy_peercred().", " - x86/kmsan: Fix hook for unaligned accesses", " - iommu: sun50i: clear bypass register", " - netfilter: nf_conncount: fix wrong variable type", " - fs/ntfs3: One more reason to mark inode bad", " - riscv: kprobes: Use patch_text_nosync() for 
insn slots", " - media: vivid: fix wrong sizeimage value for mplane", " - leds: spi-byte: Call of_node_put() on error path", " - wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3", " - usb: uas: set host status byte on data completion error", " - drm/amd/display: Check HDCP returned status", " - drm/amdgpu: clear RB_OVERFLOW bit when enabling interrupts", " - media: vivid: don't set HDMI TX controls if there are no HDMI outputs", " - vfio/spapr: Always clear TCEs before unsetting the window", " - ice: Check all ice_vsi_rebuild() errors in function", " - Input: ili210x - use kvmalloc() to allocate buffer for firmware update", " - media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse", " - pcmcia: Use resource_size function on resource object", " - drm/amdgpu: check for LINEAR_ALIGNED correctly in check_tiling_flags_gfx6", " - can: m_can: Release irq on error in m_can_open", " - can: mcp251xfd: fix ring configuration when switching from CAN-CC to CAN-FD", " mode", " - rust: kbuild: fix export of bss symbols", " - cifs: Fix FALLOC_FL_ZERO_RANGE to preflush buffered part of target region", " - igb: Fix not clearing TimeSync interrupts for 82580", " - platform/x86: dell-smbios: Fix error path in dell_smbios_init()", " - regulator: core: Stub devm_regulator_bulk_get_const() if !CONFIG_REGULATOR", " - can: kvaser_pciefd: Skip redundant NULL pointer check in ISR", " - can: kvaser_pciefd: Remove unnecessary comment", " - can: kvaser_pciefd: Rename board_irq to pci_irq", " - can: kvaser_pciefd: Move reset of DMA RX buffers to the end of the ISR", " - can: kvaser_pciefd: Use a single write when releasing RX buffers", " - Bluetooth: qca: If memdump doesn't work, re-enable IBS", " - Bluetooth: hci_sync: Introduce hci_cmd_sync_run/hci_cmd_sync_run_once", " - Bluetooth: MGMT: Fix not generating command complete for MGMT_OP_DISCONNECT", " - igc: Unlock on error in igc_io_resume()", " - ice: do not bring the VSI up, if it was down before the XDP setup", " - usbnet: modern 
method to get random MAC", " - bpf, net: Fix a potential race in do_sock_getsockopt()", " - bareudp: Fix device stats updates.", " - r8152: fix the firmware doesn't work", " - net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN", " - net: dsa: vsc73xx: fix possible subblocks range of CAPT block", " - selftests: net: enable bind tests", " - firmware: cs_dsp: Don't allow writes to read-only controls", " - phy: zynqmp: Take the phy mutex in xlate", " - ASoC: topology: Properly initialize soc_enum values", " - dm init: Handle minors larger than 255", " - iommu/vt-d: Handle volatile descriptor status read", " - cgroup: Protect css->cgroup write under css_set_lock", " - devres: Initialize an uninitialized struct member", " - virtio_ring: fix KMSAN error for premapped mode", " - crypto: qat - fix unintentional re-enabling of error interrupts", " - ASoc: TAS2781: replace beXX_to_cpup with get_unaligned_beXX for potentially", " broken alignment", " - libbpf: Add NULL checks to bpf_object__{prev_map,next_map}", " - drm/amdgpu: Set no_hw_access when VF request full GPU fails", " - ext4: fix possible tid_t sequence overflows", " - jbd2: avoid mount failed when commit block is partial submitted", " - dma-mapping: benchmark: Don't starve others when doing the test", " - drm/amdgpu: reject gang submit on reserved VMIDs", " - smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu()", " - fs/ntfs3: Check more cases when directory is corrupted", " - btrfs: replace BUG_ON with ASSERT in walk_down_proc()", " - cxl/region: Verify target positions using the ordered target list", " - riscv: set trap vector earlier", " - tcp: Don't drop SYN+ACK for simultaneous connect().", " - net: dpaa: avoid on-stack arrays of NR_CPUS elements", " - LoongArch: Use correct API to map cmdline in relocate_kernel()", " - regmap: maple: work around gcc-14.1 false-positive warning", " - vfs: Fix potential circular locking through setxattr() and removexattr()", " - i3c: master: svc: 
resend target address when get NACK", " - kselftests: dmabuf-heaps: Ensure the driver name is null-terminated", " - btrfs: initialize location to fix -Wmaybe-uninitialized in", " btrfs_lookup_dentry()", " - s390/vmlinux.lds.S: Move ro_after_init section behind rodata section", " - usbnet: ipheth: race between ipheth_close and error handling", " - spi: spi-fsl-lpspi: limit PRESCALE bit in TCR register", " - ata: pata_macio: Use WARN instead of BUG", " - NFSv4: Add missing rescheduling points in", " nfs_client_return_marked_delegations", " - ACPI: CPPC: Add helper to get the highest performance value", " - cpufreq: amd-pstate: Enable amd-pstate preferred core support", " - cpufreq: amd-pstate: fix the highest frequency issue which limits", " performance", " - tcp: process the 3rd ACK with sk_socket for TFO/MPTCP", " - iio: buffer-dmaengine: fix releasing dma channel on error", " - iio: fix scale application in iio_convert_raw_to_processed_unlocked", " - iio: adc: ad7124: fix config comparison", " - iio: adc: ad7606: remove frstdata check for serial mode", " - iio: adc: ad7124: fix chip ID mismatch", " - usb: dwc3: core: update LC timer as per USB Spec V3.2", " - usb: cdns2: Fix controller reset issue", " - usb: dwc3: Avoid waking up gadget during startxfer", " - nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc", " - Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic", " - clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX", " - clocksource/drivers/imx-tpm: Fix next event not taking effect sometime", " - clocksource/drivers/timer-of: Remove percpu irq related code", " - uprobes: Use kzalloc to allocate xol area", " - Revert \"mm: skip CMA pages when they are not available\"", " - workqueue: wq_watchdog_touch is always called with valid CPU", " - workqueue: Improve scalability of workqueue watchdog touch", " - ACPI: processor: Return an error if acpi_processor_get_info() fails in", " processor_add()", " - ACPI: processor: 
Fix memory leaks in error paths of processor_add()", " - arm64: acpi: Move get_cpu_for_acpi_id() to a header", " - can: mcp251xfd: mcp251xfd_handle_rxif_ring_uinc(): factor out in separate", " function", " - can: mcp251xfd: rx: prepare to workaround broken RX FIFO head index erratum", " - can: mcp251xfd: clarify the meaning of timestamp", " - can: mcp251xfd: rx: add workaround for erratum DS80000789E 6 of mcp2518fd", " - drm/amd: Add gfx12 swizzle mode defs", " - drm/amdgpu: handle gfx12 in amdgpu_display_verify_sizes", " - ata: libata-scsi: Remove redundant sense_buffer memsets", " - ata: libata-scsi: Check ATA_QCFLAG_RTF_FILLED before using result_tf", " - crypto: starfive - Align rsa input data to 32-bit", " - crypto: starfive - Fix nent assignment in rsa dec", " - clk: qcom: ipq9574: Update the alpha PLL type for GPLLs", " - powerpc/64e: remove unused IBM HTW code", " - powerpc/64e: split out nohash Book3E 64-bit code", " - powerpc/64e: Define mmu_pte_psize static", " - powerpc/vdso: Don't discard rela sections", " - ASoC: tegra: Fix CBB error during probe()", " - nvme-pci: allocate tagset on reset if necessary", " - ASoc: SOF: topology: Clear SOF link platform name upon unload", " - ASoC: sunxi: sun4i-i2s: fix LRCLK polarity in i2s mode", " - clk: qcom: gcc-sm8550: Don't use parking clk_ops for QUPs", " - clk: qcom: gcc-sm8550: Don't park the USB RCG at registration time", " - drm/i915/fence: Mark debug_fence_init_onstack() with __maybe_unused", " - drm/i915/fence: Mark debug_fence_free() with __maybe_unused", " - gpio: rockchip: fix OF node leak in probe()", " - gpio: modepin: Enable module autoloading", " - riscv: Fix toolchain vector detection", " - riscv: Do not restrict memory size because of linear mapping on nommu", " - membarrier: riscv: Add full memory barrier in switch_mm()", " - [Config] updateconfigs for ARCH_HAS_MEMBARRIER_CALLBACKS", " - x86/mm: Fix PTI for i386 some more", " - btrfs: fix race between direct IO write and fsync when using same 
fd", " - spi: spi-fsl-lpspi: Fix off-by-one in prescale max", " - ALSA: hda/realtek: Enable Mute Led for HP Victus 15-fb1xxx", " - ALSA: hda/realtek - Fix inactive headset mic jack for ASUS Vivobook 15", " X1504VAP", " - fuse: clear PG_uptodate when using a stolen page", " - riscv: misaligned: remove CONFIG_RISCV_M_MODE specific code", " - parisc: Delay write-protection until mark_rodata_ro() call", " - pinctrl: qcom: x1e80100: Bypass PDC wakeup parent for now", " - maple_tree: remove rcu_read_lock() from mt_validate()", " - Revert \"wifi: ath11k: restore country code during resume\"", " - btrfs: qgroup: don't use extent changeset when not needed", " - btrfs: zoned: handle broken write pointer on zones", " - drm/xe/gsc: Do not attempt to load the GSC multiple times", " - drm/amdgpu: always allocate cleared VRAM for GEM allocations", " - drm/amd/display: Lock DC and exit IPS when changing backlight", " - ALSA: hda/realtek: extend quirks for Clevo V5[46]0", " - cgroup/cpuset: Delay setting of CS_CPU_EXCLUSIVE until valid partition", " - virt: sev-guest: Mark driver struct with __refdata to prevent section", " mismatch", " - media: b2c2: flexcop-usb: fix flexcop_usb_memory_req", " - gve: Add adminq mutex lock", " - wifi: rtw89: wow: prevent to send unexpected H2C during download Firmware", " - drm/amdgpu: add missing error handling in function", " amdgpu_gmc_flush_gpu_tlb_pasid", " - crypto: qat - initialize user_input.lock for rate_limiting", " - locking: Add rwsem_assert_held() and rwsem_assert_held_write()", " - fs: don't copy to userspace under namespace semaphore", " - fs: relax permissions for statmount()", " - seccomp: release task filters when the task exits", " - drm/amdgpu/display: handle gfx12 in amdgpu_dm_plane_format_mod_supported", " - can: m_can: Remove m_can_rx_peripheral indirection", " - can: m_can: Do not cancel timer from within timer", " - mm: Provide a means of invalidation without using launder_folio", " - cifs: Fix copy offload to flush 
destination region", " - hwmon: ltc2991: fix register bits defines", " - scripts: fix gfp-translate after ___GFP_*_BITS conversion to an enum", " - ptp: ocp: convert serial ports to array", " - ptp: ocp: adjust sysfs entries to expose tty information", " - ice: check ICE_VSI_DOWN under rtnl_lock when preparing for reset", " - ice: remove ICE_CFG_BUSY locking from AF_XDP code", " - net: xilinx: axienet: Fix race in axienet_stop", " - iommu/vt-d: Remove control over Execute-Requested requests", " - block: don't call bio_uninit from bio_endio", " - tracing/kprobes: Add symbol counting check when module loads", " - perf/x86/intel: Hide Topdown metrics events if the feature is not enumerated", " - PCI: qcom: Override NO_SNOOP attribute for SA8775P RC", " - staging: vchiq_core: Bubble up wait_event_interruptible() return value", " - watchdog: imx7ulp_wdt: keep already running watchdog enabled", " - btrfs: slightly loosen the requirement for qgroup removal", " - drm/amdgpu: add PSP RAS address query command", " - drm/amdgpu: add mutex to protect ras shared memory", " - s390/boot: Do not assume the decompressor range is reserved", " - drm/amdgpu: Fix two reset triggered in a row", " - drm/amdgpu: Add reset_context flag for host FLR", " - drm/amdgpu: Fix amdgpu_device_reset_sriov retry logic", " - fs: only copy to userspace on success in listmount()", " - iio: adc: ad7124: fix DT configuration parsing", " - nvmem: u-boot-env: error if NVMEM device is too small", " - mm: zswap: rename is_zswap_enabled() to zswap_is_enabled()", " - mm/memcontrol: respect zswap.writeback setting from parent cg too", " - path: add cleanup helper", " - fs: simplify error handling", " - fs: relax permissions for listmount()", " - hid: bpf: add BPF_JIT dependency", " - net/mlx5e: SHAMPO, Use KSMs instead of KLMs", " - net/mlx5e: SHAMPO, Fix page leak", " - drm/xe/xe2: Add workaround 14021402888", " - drm/xe/xe2lpg: Extend workaround 14021402888", " - clk: qcom: gcc-x1e80100: Fix USB 0 and 1 PHY 
GDSC pwrsts flags", " - clk: qcom: gcc-x1e80100: Don't use parking clk_ops for QUPs", " - nouveau: fix the fwsec sb verification register.", " - riscv: Add tracepoints for SBI calls and returns", " - riscv: Improve sbi_ecall() code generation by reordering arguments", " - riscv: Fix RISCV_ALTERNATIVE_EARLY", " - cifs: Fix zero_point init on inode initialisation", " - nvme: rename nvme_sc_to_pr_err to nvme_status_to_pr_err", " - nvme: fix status magic numbers", " - nvme: rename CDR/MORE/DNR to NVME_STATUS_*", " - nvmet: Identify-Active Namespace ID List command should reject invalid nsid", " - drm/i915/display: Add mechanism to use sink model when applying quirk", " - drm/i915/display: Increase Fast Wake Sync length as a quirk", " - LoongArch: Use accessors to page table entries instead of direct dereference", " - Upstream stable to v6.6.51, v6.10.10", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46823", " - kunit/overflow: Fix UB in overflow_allocation_test", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46834", " - ethtool: fail closed if we can't get max channel used in indirection tables", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46751", " - btrfs: don't BUG_ON() when 0 reference count at btrfs_lookup_extent_info()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46753", " - btrfs: handle errors from btrfs_dec_ref() properly", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46841", " - btrfs: don't BUG_ON on ENOMEM from btrfs_lookup_extent_info() in", " walk_down_proc()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46754", " - bpf: Remove tst_run from lwt_seg6local_prog_ops.", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46824", " - iommufd: Require drivers to supply the 
cache_invalidate_user ops", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46842", " - scsi: lpfc: Handle mailbox timeouts in lpfc_get_sfp_info", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46766", " - ice: move netif_queue_set_napi to rtnl-protected sections", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46772", " - drm/amd/display: Check denominator crb_pipes before used", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46774", " - powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46775", " - drm/amd/display: Validate function returns", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46778", " - drm/amd/display: Check UnboundedRequestEnabled's value", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46779", " - drm/imagination: Free pvr_vm_gpuva after unlink", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46792", " - riscv: misaligned: Restrict user access to kernel memory", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46793", " - ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards harder", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46735", " - ublk_drv: fix NULL pointer dereference in ublk_ctrl_start_recovery()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46737", " - nvmet-tcp: fix kernel crash if commands allocation fails", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46822", " - arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " 
CVE-2024-46713", " - perf/aux: Fix AUX buffer serialization", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46739", " - uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46740", " - binder: fix UAF caused by offsets overwrite", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46741", " - misc: fastrpc: Fix double free of 'buf' in error path", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-47663", " - staging: iio: frequency: ad9834: Validate frequency parameter value", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46832", " - MIPS: cevt-r4k: Don't call get_c0_compare_int if timer irq is installed", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-47668", " - lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46744", " - Squashfs: sanity check symbolic link size", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46745", " - Input: uinput - reject requests with unreasonable number of slots", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46746", " - HID: amd_sfh: free driver_data after destroying hid device", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-47664", " - spi: hisi-kunpeng: Add verification for the max_frequency provided by the", " firmware", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-47665", " - i3c: mipi-i3c-hci: Error out instead on BUG_ON() in IBI DMA setup", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46749", " - Bluetooth: btnxpuart: Fix Null pointer dereference in 
btnxpuart_flush()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46750", " - PCI: Add missing bridge lock to pci_bus_lock()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46752", " - btrfs: replace BUG_ON() with error handling at update_ref_for_cow()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46840", " - btrfs: clean up our handling of refs == 0 in snapshot delete", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46755", " - wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-47666", " - scsi: pm80xx: Set phy->enable_completion only when we wait for it", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46843", " - scsi: ufs: core: Remove SCSI host only if added", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46760", " - wifi: rtw88: usb: schedule rx work after everything is set up", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46761", " - pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46844", " - um: line: always fill *error_out in setup_one_line()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46762", " - xen: privcmd: Fix possible access to a freed kirqfd instance", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46763", " - fou: Fix null-ptr-deref in GRO.", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46765", " - ice: protect XDP configuration with a mutex", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46767", " - net: phy: Fix missing 
of_node_put() for leds", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46768", " - hwmon: (hp-wmi-sensors) Check if WMI event data exists", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46770", " - ice: Add netif_device_attach/detach into PF reset flow", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46771", " - can: bcm: Remove proc entry when dev is unregistered.", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46773", " - drm/amd/display: Check denominator pbn_div before used", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-47667", " - PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46835", " - drm/amdgpu: Fix smatch static checker warning", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46776", " - drm/amd/display: Run DC_LOG_DC after checking link->link_enc", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46836", " - usb: gadget: aspeed_udc: validate endpoint index for ast udc", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46777", " - udf: Avoid excessive partition lengths", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46825", " - wifi: iwlwifi: mvm: use IWL_FW_CHECK for link ID check", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46826", " - ELF: fix kernel.randomize_va_space double read", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46827", " - wifi: ath12k: fix firmware crash due to invalid peer nss", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-47669", " - nilfs2: fix state management in error 
path of log writing function", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46780", " - nilfs2: protect references to superblock parameters exposed in sysfs", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46781", " - nilfs2: fix missing cleanup on rollforward recovery error", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46828", " - sched: sch_cake: fix bulk flow accounting logic for host fairness", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46782", " - ila: call nf_unregister_net_hooks() sooner", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46783", " - tcp_bpf: fix return value of tcp_bpf_sendmsg()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46784", " - net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46785", " - eventfs: Use list_del_rcu() for SRCU protected list variable", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46786", " - fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46787", " - userfaultfd: fix checks for huge PMDs", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46838", " - userfaultfd: don't BUG_ON() if khugepaged yanks our page table", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46845", " - tracing/timerlat: Only clear timer if a kthread exists", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46788", " - tracing/osnoise: Use a cpumask to know what threads are kthreads", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", 
" CVE-2024-46846", " - spi: rockchip: Resolve unbalanced runtime PM / system PM handling", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46847", " - mm: vmalloc: ensure vmap_block is initialised before adding to queue", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46791", " - can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46829", " - rtmutex: Drop rt_mutex::wait_lock before scheduling", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46848", " - perf/x86/intel: Limit the period on Haswell", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46794", " - x86/tdx: Fix data leak in mmio_read()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46795", " - ksmbd: unset the binding mark of a reused connection", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46797", " - powerpc/qspinlock: Fix deadlock in MCS queue", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46830", " - KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46798", " - ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46831", " - net: microchip: vcap: Fix use-after-free error in kunit test", " * Navi24 RX6300 light up issue on 6.8 kernel (LP: #2084513)", " - drm/amd/display: Ensure populate uclk in bb construction", " * Noble update: upstream stable patchset 2024-10-18 (LP: #2084941)", " - drm/fb-helper: Don't schedule_work() to flush frame buffer during panic()", " - drm: panel-orientation-quirks: Add quirk for OrangePi Neo", " - scsi: ufs: core: Check 
LSDBS cap when !mcq", " - scsi: ufs: core: Bypass quick recovery if force reset is needed", " - btrfs: tree-checker: validate dref root and objectid", " - ALSA: hda/generic: Add a helper to mute speakers at suspend/shutdown", " - ALSA: hda/conexant: Mute speakers at suspend / shutdown", " - ALSA: ump: Transmit RPN/NRPN message at each MSB/LSB data reception", " - ALSA: ump: Explicitly reset RPN with Null RPN", " - ALSA: seq: ump: Use the common RPN/bank conversion context", " - ALSA: seq: ump: Transmit RPN/NRPN message at each MSB/LSB data reception", " - ALSA: seq: ump: Explicitly reset RPN with Null RPN", " - net/mlx5: DR, Fix 'stack guard page was hit' error in dr_rule", " - ASoC: amd: yc: Support mic on HP 14-em0002la", " - spi: hisi-kunpeng: Add validation for the minimum value of speed_hz", " - i2c: Fix conditional for substituting empty ACPI functions", " - dma-debug: avoid deadlock between dma debug vs printk and netconsole", " - net: usb: qmi_wwan: add MeiG Smart SRM825L", " - ASoC: amd: yc: Support mic on Lenovo Thinkpad E14 Gen 6", " - ASoC: codecs: ES8326: button detect issue", " - selftests: mptcp: userspace pm create id 0 subflow", " - selftests: mptcp: dump userspace addrs list", " - selftests: mptcp: userspace pm get addr tests", " - selftests: mptcp: declare event macros in mptcp_lib", " - selftests: mptcp: join: cannot rm sf if closed", " - selftests: mptcp: add explicit test case for remove/readd", " - selftests: mptcp: join: check re-using ID of unused ADD_ADDR", " - selftests: mptcp: join: check re-adding init endp with != id", " - selftests: mptcp: add mptcp_lib_events helper", " - selftests: mptcp: join: validate event numbers", " - selftests: mptcp: join: check re-re-adding ID 0 signal", " - selftests: mptcp: join: test for flush/re-add endpoints", " - selftests: mptcp: join: disable get and dump addr checks", " - selftests: mptcp: join: stop transfer when check is done (part 2.2)", " - drm/amdgpu: Fix uninitialized variable warning in 
amdgpu_afmt_acr", " - drm/amd/display: Assign linear_pitch_alignment even for VM", " - drm/amdgpu: fix overflowed array index read warning", " - drm/amdgpu/pm: Check the return value of smum_send_msg_to_smc", " - drm/amd/pm: fix uninitialized variable warning", " - drm/amd/pm: fix uninitialized variable warning for smu8_hwmgr", " - drm/amd/pm: fix warning using uninitialized value of max_vid_step", " - drm/amd/pm: Fix negative array index read", " - drm/amd/pm: fix the Out-of-bounds read warning", " - drm/amd/pm: fix uninitialized variable warnings for vega10_hwmgr", " - drm/amdgpu: avoid reading vf2pf info size from FB", " - drm/amd/display: Check gpio_id before used as array index", " - drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6", " - drm/amd/display: Check index for aux_rd_interval before using", " - drm/amd/display: Add array index check for hdcp ddc access", " - drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[]", " - drm/amd/display: Check msg_id before processing transcation", " - drm/amd/display: Fix Coverity INTERGER_OVERFLOW within", " construct_integrated_info", " - drm/amd/display: Fix Coverity INTEGER_OVERFLOW within", " dal_gpio_service_create", " - drm/amd/display: Spinlock before reading event", " - drm/amd/display: Fix Coverity INTEGER_OVERFLOW within", " decide_fallback_link_setting_max_bw_policy", " - drm/amd/display: Ensure index calculation will not overflow", " - drm/amd/display: Skip inactive planes within", " ModeSupportAndSystemConfiguration", " - drm/amd/display: Fix index may exceed array range within", " fpu_update_bw_bounding_box", " - drm/amd/amdgpu: Check tbo resource pointer", " - drm/amd/pm: fix uninitialized variable warnings for vangogh_ppt", " - drm/amdgpu/pm: Fix uninitialized variable warning for smu10", " - drm/amdgpu/pm: Fix uninitialized variable agc_btc_response", " - drm/amdgpu: Fix the uninitialized variable warning", " - drm/amdkfd: Check debug trap enable before write 
dbg_ev_file", " - drm/amdkfd: Reconcile the definition and use of oem_id in struct", " kfd_topology_device", " - apparmor: fix possible NULL pointer dereference", " - wifi: ath12k: initialize 'ret' in ath12k_qmi_load_file_target_mem()", " - wifi: ath11k: initialize 'ret' in ath11k_qmi_load_file_target_mem()", " - drm/amdgpu/pm: Check input value for CUSTOM profile mode setting on legacy", " SOCs", " - drm/amdgpu: Fix the warning division or modulo by zero", " - drm/amdgpu: fix dereference after null check", " - drm/amdgpu: fix the waring dereferencing hive", " - drm/amd/pm: check specific index for aldebaran", " - drm/amd/pm: check specific index for smu13", " - drm/amdgpu: the warning dereferencing obj for nbio_v7_4", " - drm/amd/pm: check negtive return for table entries", " - wifi: rtw89: ser: avoid multiple deinit on same CAM", " - drm/kfd: Correct pinned buffer handling at kfd restore and validate process", " - drm/amdgpu: update type of buf size to u32 for eeprom functions", " - wifi: iwlwifi: remove fw_running op", " - cpufreq: scmi: Avoid overflow of target_freq in fast switch", " - PCI: al: Check IORESOURCE_BUS existence during probe", " - wifi: mac80211: check ieee80211_bss_info_change_notify() against MLD", " - hwspinlock: Introduce hwspin_lock_bust()", " - soc: qcom: smem: Add qcom_smem_bust_hwspin_lock_by_host()", " - RDMA/efa: Properly handle unexpected AQ completions", " - ionic: fix potential irq name truncation", " - pwm: xilinx: Fix u32 overflow issue in 32-bit width PWM mode.", " - rcu/nocb: Remove buggy bypass lock contention mitigation", " - media: v4l2-cci: Always assign *val", " - usbip: Don't submit special requests twice", " - usb: typec: ucsi: Fix null pointer dereference in trace", " - fsnotify: clear PARENT_WATCHED flags lazily", " - net: remove NULL-pointer net parameter in ip_metrics_convert", " - drm/amdgu: fix Unintentional integer overflow for mall size", " - regmap: spi: Fix potential off-by-one when calculating reserved size", " - 
smack: tcp: ipv4, fix incorrect labeling", " - platform/chrome: cros_ec_lpc: MEC access can use an AML mutex", " - net/mlx5e: SHAMPO, Fix incorrect page release", " - drm/meson: plane: Add error handling", " - crypto: stm32/cryp - call finalize with bh disabled", " - gfs2: Revert \"Add quota_change type\"", " - drm/bridge: tc358767: Check if fully initialized before signalling HPD event", " via IRQ", " - dmaengine: altera-msgdma: use irq variant of spin_lock/unlock while invoking", " callbacks", " - dmaengine: altera-msgdma: properly free descriptor in msgdma_free_descriptor", " - hwmon: (k10temp) Check return value of amd_smn_read()", " - wifi: cfg80211: make hash table duplicates more survivable", " - f2fs: fix to do sanity check on blocks for inline_data inode", " - driver: iio: add missing checks on iio_info's callback access", " - block: remove the blk_flush_integrity call in blk_integrity_unregister", " - drm/amdgpu: add skip_hw_access checks for sriov", " - drm/amdgpu: add lock in amdgpu_gart_invalidate_tlb", " - drm/amdgpu: add lock in kfd_process_dequeue_from_device", " - drm/amd/display: Don't use fsleep for PSR exit waits on dmub replay", " - drm/amd/display: added NULL check at start of dc_validate_stream", " - drm/amd/display: Correct the defined value for AMDGPU_DMUB_NOTIFICATION_MAX", " - drm/amd/display: use preferred link settings for dp signal only", " - drm/amd/display: Check BIOS images before it is used", " - drm/amd/display: Skip wbscl_set_scaler_filter if filter is null", " - media: uvcvideo: Enforce alignment of frame and interval", " - virtio_net: Fix napi_skb_cache_put warning", " - i2c: Use IS_REACHABLE() for substituting empty ACPI functions", " - btrfs: factor out stripe length calculation into a helper", " - btrfs: scrub: update last_physical after scrubbing one stripe", " - btrfs: fix qgroup reserve leaks in cow_file_range", " - virtio-net: check feature before configuring the vq coalescing command", " - drm/amd/display: Handle the 
case which quad_part is equal 0", " - drm/amdgpu: Handle sg size limit for contiguous allocation", " - drm/amd/pm: fix uninitialized variable warning for smu_v13", " - drm/amdgpu: fix uninitialized scalar variable warning", " - drm/amd/display: Ensure array index tg_inst won't be -1", " - drm/amd/display: handle invalid connector indices", " - drm/amd/display: Increase MAX_LINKS by 2", " - drm/amd/display: Stop amdgpu_dm initialize when link nums greater than", " max_links", " - drm/amd/display: Fix incorrect size calculation for loop", " - drm/amd/display: Use kcalloc() instead of kzalloc()", " - drm/amd/display: Add missing NULL pointer check within", " dpcd_extend_address_range", " - drm/amd/display: Release state memory if amdgpu_dm_create_color_properties", " fail", " - drm/amd/display: Check link_index before accessing dc->links[]", " - drm/amd/display: Add otg_master NULL check within", " resource_log_pipe_topology_update", " - drm/amd/display: Release clck_src memory if clk_src_construct fails", " - drm/amd/display: Fix writeback job lock evasion within dm_crtc_high_irq", " - drm/xe: Demote CCS_MODE info to debug only", " - drm/drm-bridge: Drop conditionals around of_node pointers", " - drm/amdgpu: fix uninitialized variable warning for amdgpu_xgmi", " - drm/amdgpu: fix uninitialized variable warning for jpeg_v4", " - drm/amdgpu: Fix uninitialized variable warning in amdgpu_info_ioctl", " - wifi: ath12k: initialize 'ret' in ath12k_dp_rxdma_ring_sel_config_wcn7850()", " - drm/amdgpu/pm: Check input value for power profile setting on smu11, smu13", " and smu14", " - drm/xe: Fix the warning conditions", " - drm/amd/display: Fix pipe addition logic in calc_blocks_to_ungate DCN35", " - wifi: cfg80211: restrict operation during radar detection", " - remoteproc: qcom_q6v5_pas: Add hwspinlock bust on stop", " - tcp: annotate data-races around tw->tw_ts_recent and tw->tw_ts_recent_stamp", " - drm/xe: Don't overmap identity VRAM mapping", " - net: tcp/dccp: prepare 
for tw_timer un-pinning", " - drm/xe: Ensure caller uses sole domain for xe_force_wake_assert_held", " - drm/xe: Check valid domain is passed in xe_force_wake_ref", " - thermal: trip: Use READ_ONCE() for lockless access to trip properties", " - drm/xe: Add GuC state asserts to deregister_exec_queue", " - drm/amdgpu: fix overflowed constant warning in mmhub_set_clockgating()", " - drm/amd/display: Remove register from DCN35 DMCUB diagnostic collection", " - drm/amd/display: Disable DMCUB timeout for DCN35", " - drm/amd/display: Avoid overflow from uint32_t to uint8_t", " - pinctrl: core: reset gpio_device in loop in pinctrl_pins_show()", " - Upstream stable to v6.6.50, v6.10.9", " * CVE-2024-46747", " - HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup", " * CVE-2024-46725", " - drm/amdgpu: Fix out-of-bounds write warning", " * CVE-2024-46724", " - drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number", " * [SRU] Fix AST DP output after resume (LP: #2083022)", " - drm/ast: Inline drm_simple_encoder_init()", " - drm/ast: Implement atomic enable/disable for encoders", " - drm/ast: Program mode for AST DP in atomic_mode_set", " - drm/ast: Move mode-setting code into mode_set_nofb CRTC helper", " - drm/ast: Handle primary-plane format setup in atomic_update", " - drm/ast: Remove gamma LUT updates from DPMS code", " - drm/ast: Only set VGA SCREEN_DISABLE bit in CRTC code", " - drm/ast: Inline ast_crtc_dpms() into callers", " - drm/ast: Use drm_atomic_helper_commit_tail() helper", " * UBSAN array-index-out-of-bounds reported with N-6.8 on P9 node baltar", " (LP: #2078038)", " - scripts/kernel-doc: reindent", " - compiler_types: add Endianness-dependent __counted_by_{le, be}", " - scsi: aacraid: union aac_init: Replace 1-element array with flexible array", " - scsi: aacraid: struct aac_ciss_phys_luns_resp: Replace 1-element array with", " flexible array", " - scsi: aacraid: Rearrange order of struct aac_srb_unit", " - scsi: aacraid: struct {user, 
}sgmap{, 64, raw}: Replace 1-element arrays", " with flexible arrays", " * r8169: transmit queue 0 timed out error when re-plugging the Ethernet cable", " (LP: #2084526)", " - r8169: disable ALDPS per default for RTL8125", " * [SRU] cpufreq: intel_pstate: Support Emerald Rapids OOB mode (LP: #2084834)", " - cpufreq: intel_pstate: Support Emerald Rapids OOB mode", " * CVE-2024-46723", " - drm/amdgpu: fix ucode out-of-bounds read warning", " * CVE-2024-46743", " - of/irq: Prevent device address out-of-bounds read in interrupt map walk", " * CVE-2024-46757", " - hwmon: (nct6775-core) Fix underflows seen when writing limit attributes", " * [SRU] Ubuntu 24.04 - GPU cannot be installed with DL380a Gen12 (2P, SRF-SP)", " (LP: #2081079)", " - perf/x86/uncore: Save the unit control address of all units", " - perf/x86/uncore: Support per PMU cpumask", " - perf/x86/uncore: Retrieve the unit ID from the unit control RB tree", " - perf/x86/uncore: Apply the unit control RB tree to MMIO uncore units", " - perf/x86/uncore: Apply the unit control RB tree to MSR uncore units", " - perf/x86/uncore: Apply the unit control RB tree to PCI uncore units", " - perf/x86/uncore: Cleanup unused unit structure", " - perf/x86/intel/uncore: Support HBM and CXL PMON counters", " * Noble update: upstream stable patchset 2024-10-11 (LP: #2084225)", " - ALSA: seq: Skip event type filtering for UMP events", " - LoongArch: Remove the unused dma-direct.h", " - btrfs: fix a use-after-free when hitting errors inside btrfs_submit_chunk()", " - btrfs: run delayed iputs when flushing delalloc", " - smb/client: avoid dereferencing rdata=NULL in smb2_new_read_req()", " - pinctrl: rockchip: correct RK3328 iomux width flag for GPIO2-B pins", " - pinctrl: single: fix potential NULL dereference in pcs_get_function()", " - wifi: wfx: repair open network AP mode", " - wifi: mwifiex: duplicate static structs used in driver instances", " - net: mana: Fix race of mana_hwc_post_rx_wqe and new hwc response", " - mptcp: 
close subflow when receiving TCP+FIN", " - mptcp: sched: check both backup in retrans", " - mptcp: pm: reuse ID 0 after delete and re-add", " - mptcp: pm: skip connecting to already established sf", " - mptcp: pm: reset MPC endp ID when re-added", " - mptcp: pm: send ACK on an active subflow", " - mptcp: pm: do not remove already closed subflows", " - mptcp: pm: fix ID 0 endp usage after multiple re-creations", " - mptcp: pm: ADD_ADDR 0 is not a new address", " - selftests: mptcp: join: check removing ID 0 endpoint", " - selftests: mptcp: join: no extra msg if no counter", " - selftests: mptcp: join: check re-re-adding ID 0 endp", " - drm/amdgpu/swsmu: always force a state reprogram on init", " - drm/vmwgfx: Fix prime with external buffers", " - usb: typec: fix up incorrectly backported \"usb: typec: tcpm: unregister", " existing source caps before re-registration\"", " - ASoC: amd: acp: fix module autoloading", " - ASoC: SOF: amd: Fix for acp init sequence", " - pinctrl: mediatek: common-v2: Fix broken bias-disable for", " PULL_PU_PD_RSEL_TYPE", " - pinctrl: starfive: jh7110: Correct the level trigger configuration of iev", " register", " - ovl: pass string to ovl_parse_layer()", " - ovl: fix wrong lowerdir number check for parameter Opt_lowerdir", " - ovl: ovl_parse_param_lowerdir: Add missed '\\n' for pr_err", " - mm: Fix missing folio invalidation calls during truncation", " - cifs: Fix FALLOC_FL_PUNCH_HOLE support", " - selinux,smack: don't bypass permissions check in inode_setsecctx hook", " - iommufd: Do not allow creating areas without READ or WRITE", " - phy: fsl-imx8mq-usb: fix tuning parameter name", " - dmaengine: dw-edma: Fix unmasking STOP and ABORT interrupts for HDMA", " - dmaengine: dw-edma: Do not enable watermark interrupts for HDMA", " - phy: xilinx: phy-zynqmp: Fix SGMII linkup failure on resume", " - dmaengine: dw: Add peripheral bus width verification", " - dmaengine: dw: Add memory bus width verification", " - Bluetooth: btnxpuart: Resolve 
TX timeout error in power save stress test", " - Bluetooth: btnxpuart: Handle FW Download Abort scenario", " - Bluetooth: btnxpuart: Fix random crash seen while removing driver", " - Bluetooth: hci_core: Fix not handling hibernation actions", " - iommu: Do not return 0 from map_pages if it doesn't do anything", " - netfilter: nf_tables: restore IP sanity checks for netdev/egress", " - wifi: iwlwifi: fw: fix wgds rev 3 exact size", " - ethtool: check device is present when getting link settings", " - netfilter: nf_tables_ipv6: consider network offset in netdev/egress", " validation", " - selftests: forwarding: no_forwarding: Down ports on cleanup", " - selftests: forwarding: local_termination: Down ports on cleanup", " - bonding: implement xdo_dev_state_free and call it after deletion", " - bonding: extract the use of real_device into local variable", " - bonding: change ipsec_lock from spin lock to mutex", " - gtp: fix a potential NULL pointer dereference", " - sctp: fix association labeling in the duplicate COOKIE-ECHO case", " - drm/amd/display: avoid using null object of framebuffer", " - net: busy-poll: use ktime_get_ns() instead of local_clock()", " - nfc: pn533: Add poll mod list filling check", " - soc: qcom: cmd-db: Map shared memory as WC, not WB", " - soc: qcom: pmic_glink: Actually communicate when remote goes down", " - soc: qcom: pmic_glink: Fix race during initialization", " - cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller", " - scsi: sd: Ignore command SYNCHRONIZE CACHE error if format in progress", " - USB: serial: option: add MeiG Smart SRM825L", " - ARM: dts: imx6dl-yapp43: Increase LED current to match the yapp4 HW design", " - usb: dwc3: omap: add missing depopulate in probe error path", " - usb: dwc3: core: Prevent USB core invalid event buffer address access", " - usb: dwc3: st: fix probed platform device ref count on probe error path", " - usb: dwc3: st: add missing depopulate in probe error path", " - usb: core: sysfs: 
Unmerge @usb3_hardware_lpm_attr_group in", " remove_power_attributes()", " - usb: cdnsp: fix incorrect index in cdnsp_get_hw_deq function", " - usb: cdnsp: fix for Link TRB with TC", " - ARM: dts: omap3-n900: correct the accelerometer orientation", " - arm64: dts: imx8mp-beacon-kit: Fix Stereo Audio on WM8962", " - arm64: dts: imx93: add nvmem property for fec1", " - arm64: dts: imx93: add nvmem property for eqos", " - arm64: dts: imx93: update default value for snps,clk-csr", " - arm64: dts: freescale: imx93-tqma9352: fix CMA alloc-ranges", " - arm64: dts: freescale: imx93-tqma9352-mba93xxla: fix typo", " - scsi: aacraid: Fix double-free on probe failure", " - apparmor: fix policy_unpack_test on big endian systems", " - mptcp: pr_debug: add missing \\n at the end", " - mptcp: make pm_remove_addrs_and_subflows static", " - mptcp: pm: fix RM_ADDR ID for the initial subflow", " - mptcp: avoid duplicated SUB_CLOSED events", " - drm/i915/dsi: Make Lenovo Yoga Tab 3 X90F DMI match less strict", " - drm/vmwgfx: Prevent unmapping active read buffers", " - drm/vmwgfx: Disable coherent dumb buffers without 3d", " - firmware/sysfb: Set firmware-framebuffer parent device", " - firmware/sysfb: Create firmware device only for enabled PCI devices", " - video/aperture: optionally match the device in sysfb_disable()", " - drm/xe: Prepare display for D3Cold", " - drm/xe/display: Make display suspend/resume work on discrete", " - drm/xe/vm: Simplify if condition", " - drm/xe/exec_queue: Rename xe_exec_queue::compute to xe_exec_queue::lr", " - drm/xe: prevent UAF around preempt fence", " - pinctrl: qcom: x1e80100: Update PDC hwirq map", " - ASoC: SOF: amd: move iram-dram fence register programming sequence", " - nfsd: ensure that nfsd4_fattr_args.context is zeroed out", " - backing-file: convert to using fops->splice_write", " - pinctrl: qcom: x1e80100: Fix special pin offsets", " - afs: Fix post-setattr file edit to do truncation correctly", " - netfs: Fix netfs_release_folio() to 
say no if folio dirty", " - netfs: Fix missing iterator reset on retry of short read", " - dmaengine: ti: omap-dma: Initialize sglen after allocation", " - pktgen: use cpus_read_lock() in pg_net_init()", " - net_sched: sch_fq: fix incorrect behavior for small weights", " - tcp: fix forever orphan socket caused by tcp_abort", " - drm/xe/hwmon: Fix WRITE_I1 param from u32 to u16", " - usb: typec: fsa4480: Relax CHIP_ID check", " - firmware: qcom: scm: Mark get_wq_ctx() as atomic call", " - usb: gadget: uvc: queue pump work in uvcg_video_enable()", " - usb: dwc3: xilinx: add missing depopulate in probe error path", " - usb: typec: ucsi: Move unregister out of atomic section", " - firmware: microchip: fix incorrect error report of programming:timeout on", " success", " - Upstream stable to v6.6.49, v6.10.8", " * Fix blank screen on external display after reconnecting the USB type-C", " (LP: #2081786) // Noble update: upstream stable patchset 2024-10-11", " (LP: #2084225)", " - drm/i915/display: add intel_display -> drm_device backpointer", " - drm/i915/display: add generic to_intel_display() macro", " - drm/i915/dp_mst: Fix MST state after a sink reset", " * Noble update: upstream stable patchset 2024-10-09 (LP: #2084005)", " - tty: serial: fsl_lpuart: mark last busy before uart_add_one_port", " - tty: atmel_serial: use the correct RTS flag.", " - Revert \"ACPI: EC: Evaluate orphan _REG under EC device\"", " - Revert \"misc: fastrpc: Restrict untrusted app to attach to privileged PD\"", " - Revert \"usb: typec: tcpm: clear pd_event queue in PORT_RESET\"", " - selinux: revert our use of vma_is_initial_heap()", " - fuse: Initialize beyond-EOF page contents before setting uptodate", " - char: xillybus: Don't destroy workqueue from work item running on it", " - char: xillybus: Refine workqueue handling", " - char: xillybus: Check USB endpoints when probing device", " - ALSA: usb-audio: Add delay quirk for VIVO USB-C-XE710 HEADSET", " - ALSA: usb-audio: Support Yamaha P-125 
quirk entry", " - xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration", " - thunderbolt: Mark XDomain as unplugged when router is removed", " - ALSA: hda/tas2781: fix wrong calibrated data order", " - s390/dasd: fix error recovery leading to data corruption on ESE devices", " - KVM: s390: fix validity interception issue when gisa is switched off", " - riscv: change XIP's kernel_map.size to be size of the entire kernel", " - i2c: tegra: Do not mark ACPI devices as irq safe", " - ACPICA: Add a depth argument to acpi_execute_reg_methods()", " - ACPI: EC: Evaluate _REG outside the EC scope more carefully", " - arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to", " NUMA_NO_NODE", " - dm resume: don't return EINVAL when signalled", " - dm persistent data: fix memory allocation failure", " - fs/ntfs3: add prefix to bitmap_size() and use BITS_TO_U64()", " - s390/cio: rename bitmap_size() -> idset_bitmap_size()", " - btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits()", " - bitmap: introduce generic optimized bitmap_size()", " - fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE", " - i2c: qcom-geni: Add missing geni_icc_disable in geni_i2c_runtime_resume", " - rtla/osnoise: Prevent NULL dereference in error handling", " - net: mana: Fix RX buf alloc_size alignment and atomic op panic", " - net: mana: Fix doorbell out of order violation and avoid unnecessary", " doorbell rings", " - wifi: brcmfmac: cfg80211: Handle SSID based pmksa deletion", " - selinux: fix potential counting error in avc_add_xperms_decision()", " - selinux: add the processing of the failure of avc_add_xperms_decision()", " - mm/memory-failure: use raw_spinlock_t in struct memory_failure_cpu", " - btrfs: tree-checker: reject BTRFS_FT_UNKNOWN dir type", " - btrfs: zoned: properly take lock to read/update block group's zoned", " variables", " - btrfs: tree-checker: add dev extent item checks", " - drm/amdgpu: Actually check flags for all context ops.", 
" - memcg_write_event_control(): fix a user-triggerable oops", " - drm/amdgpu/jpeg2: properly set atomics vmid field", " - drm/amdgpu/jpeg4: properly set atomics vmid field", " - s390/uv: Panic for set and remove shared access UVC errors", " - bpf: Fix updating attached freplace prog in prog_array map", " - igc: Fix packet still tx after gate close by reducing i226 MAC retry buffer", " - igc: Fix qbv_config_change_errors logics", " - igc: Fix reset adapter logics when tx mode change", " - net/mlx5e: Take state lock during tx timeout reporter", " - net/mlx5e: Correctly report errors for ethtool rx flows", " - net: axienet: Fix register defines comment description", " - net: dsa: vsc73xx: pass value in phy_write operation", " - net: dsa: vsc73xx: use read_poll_timeout instead delay loop", " - net: dsa: vsc73xx: check busy flag in MDIO operations", " - net: ethernet: mtk_wed: fix use-after-free panic in", " mtk_wed_setup_tc_block_cb()", " - mlxbf_gige: disable RX filters until RX path initialized", " - mptcp: correct MPTCP_SUBFLOW_ATTR_SSN_OFFSET reserved size", " - tcp: Update window clamping condition", " - netfilter: allow ipv6 fragments to arrive on different devices", " - netfilter: flowtable: initialise extack before use", " - netfilter: nf_queue: drop packets with cloned unconfirmed conntracks", " - netfilter: nf_tables: Audit log dump reset after the fact", " - netfilter: nf_tables: Introduce nf_tables_getobj_single", " - netfilter: nf_tables: Add locking for NFT_MSG_GETOBJ_RESET requests", " - vsock: fix recursive ->recvmsg calls", " - selftests: net: lib: ignore possible errors", " - selftests: net: lib: kill PIDs before del netns", " - net: hns3: fix wrong use of semaphore up", " - net: hns3: use the user's cfg after reset", " - net: hns3: fix a deadlock problem when config TC during resetting", " - gpio: mlxbf3: Support shutdown() function", " - ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7", " - rust: work around `bindgen` 0.69.0 
issue", " - rust: suppress error messages from CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT", " - rust: fix the default format for CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT", " - cpu/SMT: Enable SMT only if a core is online", " - powerpc/topology: Check if a core is online", " - arm64: Fix KASAN random tag seed initialization", " - block: Fix lockdep warning in blk_mq_mark_tag_wait", " - wifi: ath12k: Add missing qmi_txn_cancel() calls", " - quota: Remove BUG_ON from dqget()", " - riscv: blacklist assembly symbols for kprobe", " - kernfs: fix false-positive WARN(nr_mmapped) in kernfs_drain_open_files", " - media: pci: cx23885: check cx23885_vdev_init() return", " - fs: binfmt_elf_efpic: don't use missing interpreter's properties", " - scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list()", " - media: drivers/media/dvb-core: copy user arrays safely", " - wifi: iwlwifi: mvm: avoid garbage iPN", " - net/sun3_82586: Avoid reading past buffer in debug output", " - drm/lima: set gp bus_stop bit before hard reset", " - gpio: sysfs: extend the critical section for unregistering sysfs devices", " - hrtimer: Select housekeeping CPU during migration", " - virtiofs: forbid newlines in tags", " - accel/habanalabs: fix debugfs files permissions", " - clocksource/drivers/arm_global_timer: Guard against division by zero", " - tick: Move got_idle_tick away from common flags", " - netlink: hold nlk->cb_mutex longer in __netlink_dump_start()", " - md: clean up invalid BUG_ON in md_ioctl", " - x86: Increase brk randomness entropy for 64-bit systems", " - memory: stm32-fmc2-ebi: check regmap_read return value", " - parisc: Use irq_enter_rcu() to fix warning at kernel/context_tracking.c:367", " - rxrpc: Don't pick values out of the wire header when setting up security", " - f2fs: stop checkpoint when get a out-of-bounds segment", " - powerpc/boot: Handle allocation failure in simple_realloc()", " - powerpc/boot: Only free if realloc() succeeds", " - btrfs: delayed-inode: drop 
pointless BUG_ON in __btrfs_remove_delayed_item()", " - btrfs: defrag: change BUG_ON to assertion in btrfs_defrag_leaves()", " - btrfs: change BUG_ON to assertion when checking for delayed_node root", " - btrfs: push errors up from add_async_extent()", " - btrfs: handle invalid root reference found in may_destroy_subvol()", " - btrfs: send: handle unexpected data in header buffer in begin_cmd()", " - btrfs: send: handle unexpected inode in header process_recorded_refs()", " - btrfs: change BUG_ON to assertion in tree_move_down()", " - btrfs: delete pointless BUG_ON check on quota root in", " btrfs_qgroup_account_extent()", " - f2fs: fix to do sanity check in update_sit_entry", " - usb: gadget: fsl: Increase size of name buffer for endpoints", " - nvme: clear caller pointer on identify failure", " - Bluetooth: bnep: Fix out-of-bound access", " - firmware: cirrus: cs_dsp: Initialize debugfs_root to invalid", " - rtc: nct3018y: fix possible NULL dereference", " - net: hns3: add checking for vf id of mailbox", " - nvmet-tcp: do not continue for invalid icreq", " - NFS: avoid infinite loop in pnfs_update_layout.", " - openrisc: Call setup_memory() earlier in the init sequence", " - s390/iucv: fix receive buffer virtual vs physical address confusion", " - irqchip/renesas-rzg2l: Do not set TIEN and TINT source at the same time", " - platform/x86: lg-laptop: fix %s null argument warning", " - usb: dwc3: core: Skip setting event buffers for host only controllers", " - irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc", " - ext4: set the type of max_zeroout to unsigned int to avoid overflow", " - nvmet-rdma: fix possible bad dereference when freeing rsps", " - selftests/bpf: Fix a few tests for GCC related warnings.", " - Revert \"bpf, sockmap: Prevent lock inversion deadlock in map delete elem\"", " - nvme: use srcu for iterating namespace list", " - drm/amdgpu: fix dereference null return value for the function", " amdgpu_vm_pt_parent", " - hrtimer: Prevent 
queuing of hrtimer without a function callback", " - nvme: fix namespace removal list", " - gtp: pull network headers in gtp_dev_xmit()", " - riscv: entry: always initialize regs->a0 to -ENOSYS", " - smb3: fix lock breakage for cached writes", " - dm suspend: return -ERESTARTSYS instead of -EINTR", " - selftests: memfd_secret: don't build memfd_secret test on unsupported arches", " - mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order", " fallback to order 0", " - btrfs: send: allow cloning non-aligned extent if it ends at i_size", " - drm/amd/amdgpu: command submission parser for JPEG", " - platform/surface: aggregator: Fix warning when controller is destroyed in", " probe", " - ALSA: hda/tas2781: Use correct endian conversion", " - Bluetooth: hci_core: Fix LE quote calculation", " - Bluetooth: SMP: Fix assumption of Central always being Initiator", " - net: mscc: ocelot: use ocelot_xmit_get_vlan_info() also for FDMA and", " register injection", " - net: mscc: ocelot: fix QoS class for injected packets with \"ocelot-8021q\"", " - net: mscc: ocelot: serialize access to the injection/extraction groups", " - tc-testing: don't access non-existent variable on exception", " - selftests: udpgro: report error when receive failed", " - tcp/dccp: bypass empty buckets in inet_twsk_purge()", " - tcp/dccp: do not care about families in inet_twsk_purge()", " - tcp: prevent concurrent execution of tcp_sk_exit_batch", " - net: mctp: test: Use correct skb for route input check", " - kcm: Serialise kcm_sendmsg() for the same socket.", " - netfilter: nft_counter: Disable BH in nft_counter_offload_stats().", " - netfilter: nft_counter: Synchronize nft_counter_reset() against reader.", " - ip6_tunnel: Fix broken GRO", " - bonding: fix bond_ipsec_offload_ok return type", " - bonding: fix null pointer deref in bond_ipsec_offload_ok", " - bonding: fix xfrm real_dev null pointer dereference", " - bonding: fix xfrm state handling when clearing active slave", " - ice: fix 
page reuse when PAGE_SIZE is over 8k", " - ice: fix ICE_LAST_OFFSET formula", " - ice: fix truesize operations for PAGE_SIZE >= 8192", " - dpaa2-switch: Fix error checking in dpaa2_switch_seed_bp()", " - igb: cope with large MAX_SKB_FRAGS", " - net: dsa: mv88e6xxx: Fix out-of-bound access", " - udp: fix receiving fraglist GSO packets", " - ipv6: fix possible UAF in ip6_finish_output2()", " - ipv6: prevent possible UAF in ip6_xmit()", " - bnxt_en: Fix double DMA unmapping for XDP_REDIRECT", " - netfilter: flowtable: validate vlan header", " - octeontx2-af: Fix CPT AF register offset calculation", " - net: xilinx: axienet: Always disable promiscuous mode", " - net: xilinx: axienet: Fix dangling multicast addresses", " - net: ovs: fix ovs_drop_reasons error", " - drm/msm/dpu: don't play tricks with debug macros", " - drm/msm/dp: fix the max supported bpp logic", " - drm/msm/dpu: split dpu_encoder_wait_for_event into two functions", " - drm/msm/dpu: capture snapshot on the first commit_done timeout", " - drm/msm/dpu: move dpu_encoder's connector assignment to atomic_enable()", " - drm/msm/dp: reset the link phy params before link training", " - drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails", " - drm/msm/dpu: take plane rotation into account for wide planes", " - drm/msm: fix the highest_bank_bit for sc7180", " - mmc: mmc_test: Fix NULL dereference on allocation failure", " - Bluetooth: MGMT: Add error handling to pair_device()", " - scsi: core: Fix the return value of scsi_logical_block_count()", " - ksmbd: the buffer of smb2 query dir response has at least 1 byte", " - drm/amdgpu: Validate TA binary size", " - net: dsa: microchip: fix PTP config failure when using multiple ports", " - MIPS: Loongson64: Set timer mode in cpu-probe", " - HID: wacom: Defer calculation of resolution until resolution_code is known", " - Input: i8042 - add forcenorestore quirk to leave controller untouched even", " on s3", " - Input: i8042 - use new forcenorestore quirk to 
replace old buggy quirk", " combination", " - cxgb4: add forgotten u64 ivlan cast before shift", " - KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3", " - mmc: mtk-sd: receive cmd8 data when hs400 tuning fail", " - mmc: dw_mmc: allow biu and ciu clocks to defer", " - smb3: fix broken cached reads when posix locks", " - pmdomain: imx: scu-pd: Remove duplicated clocks", " - pmdomain: imx: wait SSAR when i.MX93 power domain on", " - nouveau/firmware: use dma non-coherent allocator", " - mptcp: pm: re-using ID of unused removed ADD_ADDR", " - mptcp: pm: re-using ID of unused removed subflows", " - mptcp: pm: re-using ID of unused flushed subflows", " - mptcp: pm: remove mptcp_pm_remove_subflow()", " - mptcp: pm: only mark 'subflow' endp as available", " - mptcp: pm: only decrement add_addr_accepted for MPJ req", " - mptcp: pm: check add_addr_accept_max before accepting new ADD_ADDR", " - mptcp: pm: only in-kernel cannot have entries with ID 0", " - mptcp: pm: fullmesh: select the right ID later", " - mptcp: pm: avoid possible UaF when selecting endp", " - selftests: mptcp: join: validate fullmesh endp on 1st sf", " - selftests: mptcp: join: restrict fullmesh endp on 1st sf", " - selftests: mptcp: join: check re-using ID of closed subflow", " - tcp: do not export tcp_twsk_purge()", " - drm/msm/mdss: specify cfg bandwidth for SDM670", " - drm/panel: nt36523: Set 120Hz fps for xiaomi,elish panels", " - igc: Fix qbv tx latency by setting gtxoffset", " - ALSA: timer: Relax start tick time check for slave timer elements", " - bpf: Fix a kernel verifier crash in stacksafe()", " - selftests/bpf: Add a test to verify previous stacksafe() fix", " - Revert \"s390/dasd: Establish DMA alignment\"", " - Input: MT - limit max slots", " - tools: move alignment-related macros to new ", " - Revert \"serial: 8250_omap: Set the console genpd always on if no console", " suspend\"", " - usb: misc: ljca: Add Lunar Lake ljca GPIO HID to ljca_gpio_hids[]", " - usb: xhci: Check 
for xhci->interrupters being allocated in", " xhci_mem_clearup()", " - vfs: Don't evict inode under the inode lru traversing context", " - tracing: Return from tracing_buffers_read() if the file has been closed", " - mm: fix endless reclaim on machines with unaccepted memory", " - fs/netfs/fscache_cookie: add missing \"n_accesses\" check", " - mm/numa: no task_numa_fault() call if PMD is changed", " - mm/numa: no task_numa_fault() call if PTE is changed", " - btrfs: check delayed refs when we're checking if a ref exists", " - drm/amd/display: Adjust cursor position", " - drm/amd/display: fix s2idle entry for DCN3.5+", " - drm/amd/display: Enable otg synchronization logic for DCN321", " - drm/amd/display: fix cursor offset on rotation 180", " - netfs: Fault in smaller chunks for non-large folio mappings", " - libfs: fix infinite directory reads for offset dir", " - kallsyms: Avoid weak references for kallsyms symbols", " - kbuild: avoid unneeded kallsyms step 3", " - kbuild: refactor variables in scripts/link-vmlinux.sh", " - kbuild: remove PROVIDE() for kallsyms symbols", " - kallsyms: get rid of code for absolute kallsyms", " - [Config] Remove CONFIG_KALLSYMS_BASE_RELATIVE", " - kallsyms: Do not cleanup .llvm. 
suffix before sorting symbols", " - bpf: Replace deprecated strncpy with strscpy", " - kallsyms: replace deprecated strncpy with strscpy", " - kallsyms: rework symbol lookup return codes", " - kallsyms: Match symbols exactly with CONFIG_LTO_CLANG", " - drm/v3d: Fix out-of-bounds read in `v3d_csd_job_run()`", " - drm/amd/display: Don't register panel_power_savings on OLED panels", " - wifi: ath12k: use 128 bytes aligned iova in transmit path for WCN7850", " - kbuild: merge temporary vmlinux for BTF and kallsyms", " - kbuild: avoid scripts/kallsyms parsing /dev/null", " - Bluetooth: HCI: Invert LE State quirk to be opt-out rather then opt-in", " - net/mlx5: Fix IPsec RoCE MPV trace call", " - selftests: udpgro: no need to load xdp for gro", " - ice: use internal pf id instead of function number", " - drm/msm/dpu: limit QCM2290 to RGB formats only", " - drm/msm/dpu: relax YUV requirements", " - spi: spi-cadence-quadspi: Fix OSPI NOR failures during system resume", " - drm/xe/display: stop calling domains_driver_remove twice", " - drm/xe: Fix opregion leak", " - drm/xe/mmio: move mmio_fini over to devm", " - drm/xe: reset mmio mappings with devm", " - drm/xe: Fix tile fini sequence", " - drm/xe: Fix missing workqueue destroy in xe_gt_pagefault", " - drm/xe: Free job before xe_exec_queue_put", " - thermal/debugfs: Fix the NULL vs IS_ERR() confusion in debugfs_create_dir()", " - nvme: move stopping keep-alive into nvme_uninit_ctrl()", " - drm/amdgpu/sdma5.2: limit wptr workaround to sdma 5.2.1", " - s390/ap: Refine AP bus bindings complete processing", " - net: ngbe: Fix phy mode set to external phy", " - iommufd/device: Fix hwpt at err_unresv in iommufd_device_do_replace()", " - cgroup/cpuset: fix panic caused by partcmd_update", " - cgroup/cpuset: Clear effective_xcpus on cpus_allowed clearing only if", " cpus.exclusive not set", " - of: Introduce for_each_*_child_of_node_scoped() to automate of_node_put()", " handling", " - thermal: of: Fix OF node leak in 
thermal_of_trips_init() error path", " - thermal: of: Fix OF node leak in thermal_of_zone_register()", " - thermal: of: Fix OF node leak in of_thermal_zone_find() error paths", " - Upstream stable to v6.6.48, v6.10.7", " * Unable to list directories using CIFS on 6.8 kernel (LP: #2082423) // Noble", " update: upstream stable patchset 2024-10-09 (LP: #2084005)", " - smb: client: ignore unhandled reparse tags", " * CVE-2024-46759", " - hwmon: (adc128d818) Fix underflows seen when writing limit attributes", " * CVE-2024-46758", " - hwmon: (lm95234) Fix underflows seen when writing limit attributes", " * CVE-2024-46756", " - hwmon: (w83627ehf) Fix underflows seen when writing limit attributes", " * CVE-2024-46738", " - VMCI: Fix use-after-free when removing resource in vmci_resource_remove()", " * CVE-2024-46722", " - drm/amdgpu: fix mc_data out-of-bounds read warning", " * LXD fan bridge causes blocked tasks (LP: #2064176)", " - SAUCE: fan: release rcu_read_lock on skb discard path", " - SAUCE: fan: fix racy device stat update", " * x86/CPU/AMD: Add models 0x10-0x1f to the Zen5 range (LP: #2081863)", " - x86/CPU/AMD: Add models 0x60-0x6f to the Zen5 range", " * UBSAN: array-index-out-of-bounds in module mt76 (LP: #2081785)", " - wifi: mt76: mt7925: fix a potential array-index-out-of-bounds issue for clc", " * The system hangs after resume with thunderbolt monitor(AMD GPU [1002:1900])", " (LP: #2083182)", " - SAUCE: drm/amd/display: Fix system hang while resume with TBT monitor", " * [SRU] GPU: support additional device ids for DG2 driver (LP: #2083701)", " - drm/i915: Add new PCI IDs to DG2 platform in driver", " * [SRU]Intel Arrow Lake IBECC feature backport request for ubuntu 22.04.5 and", " 24.04.1 server (LP: #2077861)", " - EDAC/igen6: Add Intel Arrow Lake-U/H SoCs support", " * Noble update: upstream stable patchset 2024-10-07 (LP: #2083794)", " - ASoC: topology: Clean up route loading", " - ASoC: topology: Fix route memory corruption", " - LoongArch: Define 
__ARCH_WANT_NEW_STAT in unistd.h", " - sunrpc: don't change ->sv_stats if it doesn't exist", " - nfsd: stop setting ->pg_stats for unused stats", " - sunrpc: pass in the sv_stats struct through svc_create_pooled", " - sunrpc: remove ->pg_stats from svc_program", " - nfsd: remove nfsd_stats, make th_cnt a global counter", " - nfsd: make svc_stat per-network namespace instead of global", " - mm: gup: stop abusing try_grab_folio", " - nvme/pci: Add APST quirk for Lenovo N60z laptop", " - genirq/cpuhotplug: Skip suspended interrupts when restoring affinity", " - genirq/cpuhotplug: Retry with cpu_online_mask when migration fails", " - quota: Detect loops in quota tree", " - bpf: Replace bpf_lpm_trie_key 0-length array with flexible array", " - fs: Annotate struct file_handle with __counted_by() and use struct_size()", " - mISDN: fix MISDN_TIME_STAMP handling", " - mm/page_table_check: support userfault wr-protect entries", " - bpf, net: Use DEV_STAT_INC()", " - f2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC", " - f2fs: fix to cover read extent cache access with lock", " - fou: remove warn in gue_gro_receive on unsupported protocol", " - jfs: fix null ptr deref in dtInsertEntry", " - jfs: Fix shift-out-of-bounds in dbDiscardAG", " - fs/ntfs3: Do copy_to_user out of run_lock", " - ALSA: usb: Fix UBSAN warning in parse_audio_unit()", " - binfmt_flat: Fix corruption when not offsetting data start", " - mm/debug_vm_pgtable: drop RANDOM_ORVALUE trick", " - KVM: arm64: Don't defer TLB invalidation when zapping table entries", " - KVM: arm64: Don't pass a TLBI level hint when zapping table entries", " - drm/amd/display: Defer handling mst up request in resume", " - drm/amd/display: Guard cursor idle reallow by DC debug option", " - drm/amd/display: Separate setting and programming of cursor", " - drm/amd/display: Prevent IPX From Link Detect and Set Mode", " - ASoC: cs35l56: Patch CS35L56_IRQ1_MASK_18 to the default value", " - platform/x86/amd/pmf: 
Fix to Update HPD Data When ALS is Disabled", " - platform/x86: ideapad-laptop: introduce a generic notification chain", " - platform/x86: ideapad-laptop: move ymc_trigger_ec from lenovo-ymc", " - platform/x86: ideapad-laptop: add a mutex to synchronize VPC commands", " - drm/amd/display: Solve mst monitors blank out problem after resume", " - drm/amdgpu/display: Fix null pointer dereference in", " dc_stream_program_cursor_position", " - Upstream stable to v6.6.47, v6.10.6", " * Noble update: upstream stable patchset 2024-10-04 (LP: #2083656)", " - irqchip/mbigen: Fix mbigen node address layout", " - platform/x86/intel/ifs: Initialize union ifs_status to zero", " - jump_label: Fix the fix, brown paper bags galore", " - x86/mm: Fix pti_clone_pgtable() alignment assumption", " - x86/mm: Fix pti_clone_entry_text() for i386", " - smb: client: move most of reparse point handling code to common file", " - smb: client: set correct d_type for reparse DFS/DFSR and mount point", " - smb: client: handle lack of FSCTL_GET_REPARSE_POINT support", " - sctp: Fix null-ptr-deref in reuseport_add_sock().", " - net: usb: qmi_wwan: fix memory leak for not ip packets", " - net: bridge: mcast: wait for previous gc cycles when removing port", " - net: linkwatch: use system_unbound_wq", " - ice: Fix reset handler", " - Bluetooth: l2cap: always unlock channel in l2cap_conless_channel()", " - Bluetooth: hci_sync: avoid dup filtering when passive scanning with adv", " monitor", " - net/smc: add the max value of fallback reason count", " - net: dsa: bcm_sf2: Fix a possible memory leak in bcm_sf2_mdio_register()", " - l2tp: fix lockdep splat", " - net: bcmgenet: Properly overlay PHY and MAC Wake-on-LAN capabilities", " - net: fec: Stop PPS on driver remove", " - gpio: prevent potential speculation leaks in gpio_device_get_desc()", " - hwmon: corsair-psu: add USB id of HX1200i Series 2023 psu", " - rcutorture: Fix rcu_torture_fwd_cb_cr() data race", " - md: do not delete safemode_timer in 
mddev_suspend", " - md/raid5: avoid BUG_ON() while continue reshape after reassembling", " - block: change rq_integrity_vec to respect the iterator", " - rcu: Fix rcu_barrier() VS post CPUHP_TEARDOWN_CPU invocation", " - clocksource/drivers/sh_cmt: Address race condition for clock events", " - ACPI: battery: create alarm sysfs attribute atomically", " - ACPI: SBS: manage alarm sysfs attribute through psy core", " - xen: privcmd: Switch from mutex to spinlock for irqfds", " - wifi: nl80211: disallow setting special AP channel widths", " - wifi: ath12k: fix memory leak in ath12k_dp_rx_peer_frag_setup()", " - net/mlx5e: SHAMPO, Fix invalid WQ linked list unlink", " - selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT", " - af_unix: Don't retry after unix_state_lock_nested() in", " unix_stream_connect().", " - PCI: Add Edimax Vendor ID to pci_ids.h", " - udf: prevent integer overflow in udf_bitmap_free_blocks()", " - wifi: nl80211: don't give key data to userspace", " - can: mcp251xfd: tef: prepare to workaround broken TEF FIFO tail index", " erratum", " - can: mcp251xfd: tef: update workaround for erratum DS80000789E 6 of", " mcp2518fd", " - net: stmmac: qcom-ethqos: enable SGMII loopback during DMA reset on", " sa8775p-ride-r3", " - btrfs: do not clear page dirty inside extent_write_locked_range()", " - btrfs: fix invalid mapping of extent xarray state", " - btrfs: fix bitmap leak when loading free space cache on duplicate entry", " - Bluetooth: btnxpuart: Shutdown timer and prevent rearming when driver", " unloading", " - drm/amd/display: Add delay to improve LTTPR UHBR interop", " - drm/amdgpu: fix potential resource leak warning", " - drm/amdgpu/pm: Fix the param type of set_power_profile_mode", " - drm/amdgpu/pm: Fix the null pointer dereference for smu7", " - drm/amdgpu: Fix the null pointer dereference to ras_manager", " - drm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules", " - drm/admgpu: fix dereferencing null pointer 
context", " - drm/amdgpu: Add lock around VF RLCG interface", " - drm/amd/pm: Fix the null pointer dereference for vega10_hwmgr", " - media: amphion: Remove lock in s_ctrl callback", " - drm/amd/display: Add null checker before passing variables", " - media: uvcvideo: Ignore empty TS packets", " - media: uvcvideo: Fix the bandwdith quirk on USB 3.x", " - media: xc2028: avoid use-after-free in load_firmware_cb()", " - ext4: fix uninitialized variable in ext4_inlinedir_to_tree", " - jbd2: avoid memleak in jbd2_journal_write_metadata_buffer", " - s390/sclp: Prevent release of buffer in I/O", " - SUNRPC: Fix a race to wake a sync task", " - profiling: remove profile=sleep support", " - scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES", " - irqchip/meson-gpio: Convert meson_gpio_irq_controller::lock to", " 'raw_spinlock_t'", " - irqchip/loongarch-cpu: Fix return value of lpic_gsi_to_irq()", " - sched/cputime: Fix mul_u64_u64_div_u64() precision for cputime", " - net: drop bad gso csum_start and offset in virtio_net_hdr", " - arm64: Add Neoverse-V2 part", " - arm64: barrier: Restore spec_bar() macro", " - arm64: cputype: Add Cortex-X4 definitions", " - arm64: cputype: Add Neoverse-V3 definitions", " - arm64: errata: Add workaround for Arm errata 3194386 and 3312417", " - arm64: cputype: Add Cortex-X3 definitions", " - arm64: cputype: Add Cortex-A720 definitions", " - arm64: cputype: Add Cortex-X925 definitions", " - arm64: errata: Unify speculative SSBS errata logic", " - [Config] Set ARM64_ERRATUM_3194386=y", " - arm64: errata: Expand speculative SSBS workaround", " - arm64: cputype: Add Cortex-X1C definitions", " - arm64: cputype: Add Cortex-A725 definitions", " - arm64: errata: Expand speculative SSBS workaround (again)", " - i2c: smbus: Improve handling of stuck alerts", " - ASoC: codecs: wcd938x-sdw: Correct Soundwire ports mask", " - ASoC: codecs: wsa881x: Correct Soundwire ports mask", " - ASoC: codecs: wsa883x: parse port-mapping information", " - ASoC: 
codecs: wsa883x: Correct Soundwire ports mask", " - ASoC: codecs: wsa884x: parse port-mapping information", " - ASoC: codecs: wsa884x: Correct Soundwire ports mask", " - ASoC: sti: add missing probe entry for player and reader", " - spi: spidev: Add missing spi_device_id for bh2228fv", " - ASoC: SOF: Remove libraries from topology lookups", " - i2c: smbus: Send alert notifications to all devices if source not found", " - bpf: kprobe: remove unused declaring of bpf_kprobe_override", " - kprobes: Fix to check symbol prefixes correctly", " - i2c: qcom-geni: Add missing clk_disable_unprepare in geni_i2c_runtime_resume", " - i2c: qcom-geni: Add missing geni_icc_disable in geni_i2c_runtime_resume", " - spi: spi-fsl-lpspi: Fix scldiv calculation", " - ALSA: usb-audio: Re-add ScratchAmp quirk entries", " - ASoC: meson: axg-fifo: fix irq scheduling issue with PREEMPT_RT", " - cifs: cifs_inval_name_dfs_link_error: correct the check for fullpath", " - module: warn about excessively long module waits", " - module: make waiting for a concurrent module loader interruptible", " - drm/i915/gem: Fix Virtual Memory mapping boundaries calculation", " - drm/amd/display: Skip Recompute DSC Params if no Stream on Link", " - drm/amdgpu: Forward soft recovery errors to userspace", " - drm/i915/gem: Adjust vma offset for framebuffer mmap offset", " - drm/client: fix null pointer dereference in drm_client_modeset_probe", " - ALSA: line6: Fix racy access to midibuf", " - ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list", " - ALSA: hda/realtek: Add Framework Laptop 13 (Intel Core Ultra) to quirks", " - ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4", " - usb: vhci-hcd: Do not drop references before new references are gained", " - USB: serial: debug: do not echo input by default", " - usb: gadget: core: Check for unset descriptor", " - usb: gadget: midi2: Fix the response for FB info with block 0xff", " - usb: gadget: u_serial: Set start_delayed during suspend", " - 
usb: gadget: u_audio: Check return codes from usb_ep_enable and", " config_ep_by_speed.", " - scsi: mpi3mr: Avoid IOMMU page faults on REPORT ZONES", " - scsi: ufs: core: Do not set link to OFF state while waking up from", " hibernation", " - scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic", " - tick/broadcast: Move per CPU pointer access into the atomic section", " - vhost-vdpa: switch to use vmf_insert_pfn() in the fault handler", " - ntp: Clamp maxerror and esterror to operating range", " - clocksource: Scale the watchdog read retries automatically", " - clocksource: Fix brown-bag boolean thinko in cs_watchdog_read()", " - driver core: Fix uevent_show() vs driver detach race", " - tracefs: Fix inode allocation", " - tracefs: Use generic inode RCU for synchronizing freeing", " - ntp: Safeguard against time_constant overflow", " - timekeeping: Fix bogus clock_was_set() invocation in do_adjtimex()", " - serial: core: check uartclk for zero to avoid divide by zero", " - memcg: protect concurrent access to mem_cgroup_idr", " - parisc: fix unaligned accesses in BPF", " - parisc: fix a possible DMA corruption", " - ASoC: amd: yc: Add quirk entry for OMEN by HP Gaming Laptop 16-n0xxx", " - kcov: properly check for softirq context", " - irqchip/xilinx: Fix shift out of bounds", " - genirq/irqdesc: Honor caller provided affinity in alloc_desc()", " - LoongArch: Enable general EFI poweroff method", " - power: supply: qcom_battmgr: return EAGAIN when firmware service is not up", " - power: supply: axp288_charger: Fix constant_charge_voltage writes", " - power: supply: axp288_charger: Round constant_charge_voltage writes down", " - tracing: Fix overflow in get_free_elt()", " - padata: Fix possible divide-by-0 panic in padata_mt_helper()", " - smb3: fix setting SecurityFlags when encryption is required", " - eventfs: Don't return NULL in eventfs_create_dir()", " - eventfs: Use SRCU for freeing eventfs_inodes", " - selftests: mm: add s390 to ARCH check", 
" - btrfs: avoid using fixed char array size for tree names", " - x86/paravirt: Fix incorrect virt spinlock setting on bare metal", " - x86/mtrr: Check if fixed MTRRs exist before saving them", " - sched/smt: Introduce sched_smt_present_inc/dec() helper", " - sched/smt: Fix unbalance sched_smt_present dec/inc", " - sched/core: Introduce sched_set_rq_on/offline() helper", " - sched/core: Fix unbalance set_rq_online/offline() in sched_cpu_deactivate()", " - drm/bridge: analogix_dp: properly handle zero sized AUX transactions", " - drm/dp_mst: Skip CSN if topology probing is not done yet", " - drm/lima: Mark simple_ondemand governor as softdep", " - drm/mgag200: Set DDC timeout in milliseconds", " - drm/mgag200: Bind I2C lifetime to DRM device", " - drm/radeon: Remove __counted_by from StateArray.states[]", " - mptcp: fully established after ADD_ADDR echo on MPJ", " - mptcp: pm: deny endp with signal + subflow + port", " - block: use the right type for stub rq_integrity_vec()", " - btrfs: fix corruption after buffer fault in during direct IO append write", " - tools headers arm64: Sync arm64's cputype.h with the kernel sources", " - mm/hugetlb: fix potential race in __update_and_free_hugetlb_folio()", " - xfs: fix log recovery buffer allocation for the legacy h_size fixup", " - mptcp: pm: reduce indentation blocks", " - mptcp: pm: don't try to create sf if alloc failed", " - mptcp: pm: do not ignore 'subflow' if 'signal' flag is also set", " - selftests: mptcp: join: ability to invert ADD_ADDR check", " - selftests: mptcp: join: test both signal & subflow", " - Revert \"selftests: mptcp: simult flows: mark 'unbalanced' tests as flaky\"", " - btrfs: fix double inode unlock for direct IO sync writes", " - perf/x86/intel/cstate: Switch to new Intel CPU model defines", " - perf/x86/intel/cstate: Add Arrowlake support", " - perf/x86/intel/cstate: Add Lunarlake support", " - perf/x86/intel/cstate: Add pkg C2 residency counter for Sierra Forest", " - platform/x86: 
intel-vbtn: Protect ACPI notify handler against recursion", " - perf/x86/amd: Use try_cmpxchg() in events/amd/{un,}core.c", " - perf/x86/intel: Support the PEBS event mask", " - perf/x86: Support counter mask", " - perf/x86: Fix smp_processor_id()-in-preemptible warnings", " - virtio-net: unbreak vq resizing when coalescing is not negotiated", " - net: dsa: microchip: Fix Wake-on-LAN check to not return an error", " - net: dsa: microchip: disable EEE for KSZ8567/KSZ9567/KSZ9896/KSZ9897.", " - regmap: kunit: Use a KUnit action to call regmap_exit()", " - regmap: kunit: Replace a kmalloc/kfree() pair with KUnit-managed alloc", " - regmap: kunit: Fix memory leaks in gen_regmap() and gen_raw_regmap()", " - debugobjects: Annotate racy debug variables", " - nvme: apple: fix device reference counting", " - cpufreq: amd-pstate: Allow users to write 'default' EPP string", " - cpufreq: amd-pstate: auto-load pstate driver by default", " - soc: qcom: icc-bwmon: Allow for interrupts to be shared across instances", " - ACPI: resource: Skip IRQ override on Asus Vivobook Pro N6506MU", " - ACPI: resource: Skip IRQ override on Asus Vivobook Pro N6506MJ", " - thermal: intel: hfi: Give HFI instances package scope", " - wifi: ath12k: fix race due to setting ATH12K_FLAG_EXT_IRQ_ENABLED too early", " - wifi: rtlwifi: handle return value of usb init TX/RX", " - wifi: rtw89: pci: fix RX tag race condition resulting in wrong RX length", " - wifi: mac80211: fix NULL dereference at band check in starting tx ba session", " - bpf: add missing check_func_arg_reg_off() to prevent out-of-bounds memory", " accesses", " - mlxsw: pci: Lock configuration space of upstream bridge during reset", " - btrfs: do not BUG_ON() when freeing tree block after error", " - btrfs: reduce nesting for extent processing at btrfs_lookup_extent_info()", " - btrfs: fix data race when accessing the last_trans field of a root", " - drm/xe/preempt_fence: enlarge the fence critical section", " - drm/amd/display: Handle 
HPD_IRQ for internal link", " - drm/amd/amdkfd: Fix a resource leak in svm_range_validate_and_map()", " - drm/xe/xe_guc_submit: Fix exec queue stop race condition", " - drm/amd/display: Add null checks for 'stream' and 'plane' before", " dereferencing", " - drm/amd/display: Wake DMCUB before sending a command for replay feature", " - drm/amd/display: reduce ODM slice count to initial new dc state only when", " needed", " - of: Add cleanup.h based auto release via __free(device_node) markings", " - media: i2c: ov5647: replacing of_node_put with __free(device_node)", " - drm/amd/display: Fix null pointer deref in dcn20_resource.c", " - ext4: sanity check for NULL pointer after ext4_force_shutdown", " - mm, slub: do not call do_slab_free for kfence object", " - ASoC: cs35l56: Revert support for dual-ownership of ASP registers", " - drm/atomic: allow no-op FB_ID updates for async flips", " - drm/amd/display: Replace dm_execute_dmub_cmd with", " dc_wake_and_execute_dmub_cmd", " - drm/xe/rtp: Fix off-by-one when processing rules", " - drm/xe: Use dma_fence_chain_free in chain fence unused as a sync", " - drm/xe/hwmon: Fix PL1 disable flow in xe_hwmon_power_max_write", " - drm/xe: Move lrc snapshot capturing to xe_lrc.c", " - drm/xe: Minor cleanup in LRC handling", " - drm/test: fix the gem shmem test to map the sg table.", " - usb: typec: pd: no opencoding of FIELD_GET", " - usb: typec: fsa4480: Check if the chip is really there", " - PM: runtime: Simplify pm_runtime_get_if_active() usage", " - scsi: ufs: core: Fix deadlock during RTC update", " - serial: sc16is7xx: fix invalid FIFO access with special register set", " - tracing: Have format file honor EVENT_FILE_FL_FREED", " - mm: list_lru: fix UAF for memory cgroup", " - net/tcp: Disable TCP-AO static key after RCU grace period", " - Revert \"drm/amd/display: Handle HPD_IRQ for internal link\"", " - idpf: fix memleak in vport interrupt configuration", " - drm/amd/display: Add null check in 
resource_log_pipe_topology_update", " - Upstream stable to v6.6.46, v6.10.5", " * Noble update: upstream stable patchset 2024-10-02 (LP: #2083488)", " - sysctl: allow change system v ipc sysctls inside ipc namespace", " - sysctl: allow to change limits for posix messages queues", " - sysctl: treewide: drop unused argument ctl_table_root::set_ownership(table)", " - ext4: factor out a common helper to query extent map", " - ext4: check the extent status again before inserting delalloc block", " - leds: trigger: Store brightness set by led_trigger_event()", " - leds: trigger: Call synchronize_rcu() before calling trig->activate()", " - KVM: VMX: Move posted interrupt descriptor out of VMX code", " - fbdev/vesafb: Replace references to global screen_info by local pointer", " - video: Add helpers for decoding screen_info", " - [Config] Update CONFIG_SCREEN_INFO", " - video: Provide screen_info_get_pci_dev() to find screen_info's PCI device", " - firmware/sysfb: Update screen_info for relocated EFI framebuffers", " - mm: page_alloc: control latency caused by zone PCP draining", " - mm/page_alloc: fix pcp->count race between drain_pages_zone() vs", " __rmqueue_pcplist()", " - f2fs: fix to avoid use SSR allocate when do defragment", " - f2fs: assign CURSEG_ALL_DATA_ATGC if blkaddr is valid", " - dmaengine: fsl-edma: add address for channel mux register in fsl_edma_chan", " - dmaengine: fsl-edma: add i.MX8ULP edma support", " - perf: imx_perf: fix counter start and config sequence", " - MIPS: Loongson64: DTS: Fix PCIe port nodes for ls7a", " - MIPS: dts: loongson: Fix liointc IRQ polarity", " - MIPS: dts: loongson: Fix ls2k1000-rtc interrupt", " - ARM: 9406/1: Fix callchain_trace() return value", " - HID: amd_sfh: Move sensor discovery before HID device initialization", " - perf tool: fix dereferencing NULL al->maps", " - drm/nouveau: prime: fix refcount underflow", " - drm/vmwgfx: Fix overlay when using Screen Targets", " - drm/vmwgfx: Trigger a modeset when the screen 
moves", " - sched: act_ct: take care of padding in struct zones_ht_key", " - wifi: cfg80211: fix reporting failed MLO links status with", " cfg80211_connect_done", " - net: phy: realtek: add support for RTL8366S Gigabit PHY", " - ALSA: hda: conexant: Fix headset auto detect fail in the polling mode", " - Bluetooth: btintel: Fail setup on error", " - Bluetooth: hci_sync: Fix suspending with wrong filter policy", " - tcp: annotate data-races around tp->window_clamp", " - tcp: Adjust clamping window for applications specifying SO_RCVBUF", " - net: axienet: start napi before enabling Rx/Tx", " - rtnetlink: Don't ignore IFLA_TARGET_NETNSID when ifname is specified in", " rtnl_dellink().", " - i915/perf: Remove code to update PWR_CLK_STATE for gen12", " - ice: respect netif readiness in AF_XDP ZC related ndo's", " - ice: don't busy wait for Rx queue disable in ice_qp_dis()", " - ice: replace synchronize_rcu with synchronize_net", " - ice: add missing WRITE_ONCE when clearing ice_rx_ring::xdp_prog", " - drm/i915/hdcp: Fix HDCP2_STREAM_STATUS macro", " - net: mvpp2: Don't re-use loop iterator", " - net: phy: micrel: Fix the KSZ9131 MDI-X status issue", " - ALSA: hda: Conditionally use snooping for AMD HDMI", " - netfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init().", " - netfilter: iptables: Fix potential null-ptr-deref in", " ip6table_nat_table_init().", " - net/mlx5: Always drain health in shutdown callback", " - net/mlx5: Fix error handling in irq_pool_request_irq", " - net/mlx5: Lag, don't use the hardcoded value of the first port", " - net/mlx5: Fix missing lock on sync reset reload", " - net/mlx5e: Require mlx5 tc classifier action support for IPsec prio", " capability", " - net/mlx5e: Fix CT entry update leaks of modify header context", " - net/mlx5e: Add a check for the return value from mlx5_port_set_eth_ptys", " - igc: Fix double reset adapter triggered from a single taprio cmd", " - ipv6: fix ndisc_is_useropt() handling for PIO", " - perf: riscv: 
Fix selecting counters in legacy mode", " - riscv/mm: Add handling for VM_FAULT_SIGSEGV in mm_fault_error()", " - riscv: Fix linear mapping checks for non-contiguous memory regions", " - arm64: jump_label: Ensure patched jump_labels are visible to all CPUs", " - rust: SHADOW_CALL_STACK is incompatible with Rust", " - platform/chrome: cros_ec_proto: Lock device when updating MKBP version", " - HID: wacom: Modify pen IDs", " - btrfs: zoned: fix zone_unusable accounting on making block group read-write", " again", " - btrfs: do not subtract delalloc from avail bytes", " - protect the fetch of ->fd[fd] in do_dup2() from mispredictions", " - mptcp: sched: check both directions for backup", " - ALSA: usb-audio: Correct surround channels in UAC1 channel map", " - ALSA: hda/realtek: Add quirk for Acer Aspire E5-574G", " - ALSA: seq: ump: Optimize conversions from SysEx to UMP", " - Revert \"ALSA: firewire-lib: obsolete workqueue for period update\"", " - Revert \"ALSA: firewire-lib: operate for period elapse event in process", " context\"", " - drm/vmwgfx: Fix a deadlock in dma buf fence polling", " - drm/virtio: Fix type of dma-fence context variable", " - drm/i915: Fix possible int overflow in skl_ddi_calculate_wrpll()", " - net: usb: sr9700: fix uninitialized variable use in sr_mdio_read", " - r8169: don't increment tx_dropped in case of NETDEV_TX_BUSY", " - mptcp: fix user-space PM announced address accounting", " - mptcp: distinguish rcv vs sent backup flag in requests", " - mptcp: fix NL PM announced address accounting", " - mptcp: mib: count MPJ with backup flag", " - mptcp: fix bad RCVPRUNED mib accounting", " - mptcp: pm: only set request_bkup flag when sending MP_PRIO", " - mptcp: fix duplicate data handling", " - selftests: mptcp: always close input's FD if opened", " - selftests: mptcp: join: validate backup in MPJ", " - selftests: mptcp: join: check backup support in signal endp", " - mm/huge_memory: mark racy access onhuge_anon_orders_always", " - mm: fix 
khugepaged activation policy", " - x86/cpu/vfm: Add/initialize x86_vfm field to struct cpuinfo_x86", " - perf/x86/intel: Switch to new Intel CPU model defines", " - perf/x86/intel: Add a distinct name for Granite Rapids", " - drm/gpuvm: fix missing dependency to DRM_EXEC", " - netlink: specs: correct the spec of ethtool", " - ethtool: rss: echo the context number back", " - wifi: cfg80211: correct S1G beacon length calculation", " - ethtool: fix setting key and resetting indir at once", " - ice: modify error handling when setting XSK pool in ndo_bpf", " - ice: toggle netif_carrier when setting up XSK pool", " - ice: improve updating ice_{t,r}x_ring::xsk_pool", " - ice: xsk: fix txq interrupt mapping", " - drm/atomic: Allow userspace to use explicit sync with atomic async flips", " - drm/atomic: Allow userspace to use damage clips with async flips", " - riscv/purgatory: align riscv_kernel_entry", " - perf arch events: Fix duplicate RISC-V SBI firmware event name", " - RISC-V: Enable the IPI before workqueue_online_cpu()", " - ceph: force sending a cap update msg back to MDS for revoke op", " - drm/vmwgfx: Remove unused code", " - drm/vmwgfx: Fix handling of dumb buffers", " - drm/v3d: Prevent out of bounds access in performance query extensions", " - drm/v3d: Fix potential memory leak in the timestamp extension", " - drm/v3d: Fix potential memory leak in the performance extension", " - drm/v3d: Validate passed in drm syncobj handles in the timestamp extension", " - drm/v3d: Validate passed in drm syncobj handles in the performance extension", " - nouveau: set placement to original placement on uvmm validate.", " - wifi: ath12k: fix soft lockup on suspend", " - mptcp: pm: fix backup support in signal endpoints", " - selftests: mptcp: fix error path", " - Upstream stable to v6.6.45, v6.10.4", " * [SRU] Fix AST DP output after resume (LP: #2083022) // Noble update:", " upstream stable patchset 2024-10-02 (LP: #2083488)", " - drm/ast: astdp: Wake up during connector 
status detection", " - drm/ast: Fix black screen after resume", " * [SRU]Fail to locate the LED of NVME disk behind Intel VMD (LP: #2077287) //", " Noble update: upstream stable patchset 2024-10-02 (LP: #2083488)", " - PCI: pciehp: Retain Power Indicator bits for userspace indicators", " * Noble update: upstream stable patchset 2024-09-30 (LP: #2083196)", " - powerpc/configs: Update defconfig with now user-visible CONFIG_FSL_IFC", " - spi: spi-microchip-core: Fix the number of chip selects supported", " - spi: atmel-quadspi: Add missing check for clk_prepare", " - EDAC, i10nm: make skx_common.o a separate module", " - rcu/tasks: Fix stale task snaphot for Tasks Trace", " - platform/chrome: cros_ec_debugfs: fix wrong EC message version", " - ubd: refactor the interrupt handler", " - ubd: untagle discard vs write zeroes not support handling", " - block: initialize integrity buffer to zero before writing it to media", " - x86/kconfig: Add as-instr64 macro to properly evaluate AS_WRUSS", " - hfsplus: fix to avoid false alarm of circular locking", " - x86/of: Return consistent error type from x86_of_pci_irq_enable()", " - x86/pci/intel_mid_pci: Fix PCIBIOS_* return code handling", " - x86/pci/xen: Fix PCIBIOS_* return code handling", " - x86/platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos", " - cgroup/cpuset: Prevent UAF in proc_cpuset_show()", " - hwmon: (adt7475) Fix default duty on fan is disabled", " - block: Call .limit_depth() after .hctx has been set", " - block/mq-deadline: Fix the tag reservation code", " - md: Don't wait for MD_RECOVERY_NEEDED for HOT_REMOVE_DISK ioctl", " - pwm: stm32: Always do lazy disabling", " - nvmet-auth: fix nvmet_auth hash error handling", " - drm/meson: fix canvas release in bind function", " - pwm: atmel-tcb: Fix race condition and convert to guards", " - hwmon: (max6697) Fix underflow when writing limit attributes", " - hwmon: (max6697) Fix swapped temp{1,8} critical alarms", " - arm64: dts: qcom: sc8180x: Correct PCIe 
slave ports", " - arm64: dts: qcom: sc8180x: add power-domain to UFS PHY", " - arm64: dts: qcom: sdm845: add power-domain to UFS PHY", " - arm64: dts: qcom: sm6115: add power-domain to UFS PHY", " - arm64: dts: qcom: sm6350: add power-domain to UFS PHY", " - arm64: dts: qcom: sm8250: add power-domain to UFS PHY", " - arm64: dts: qcom: sm8350: add power-domain to UFS PHY", " - arm64: dts: qcom: sm8450: add power-domain to UFS PHY", " - arm64: dts: qcom: msm8996-xiaomi-common: drop excton from the USB PHY", " - arm64: dts: qcom: sdm850-lenovo-yoga-c630: fix IPA firmware path", " - arm64: dts: qcom: msm8998: enable adreno_smmu by default", " - soc: qcom: pmic_glink: Handle the return value of pmic_glink_init", " - soc: qcom: rpmh-rsc: Ensure irqs aren't disabled by rpmh_rsc_send_data()", " callers", " - arm64: dts: rockchip: Add sdmmc related properties on rk3308-rock-pi-s", " - arm64: dts: rockchip: Add pinctrl for UART0 to rk3308-rock-pi-s", " - arm64: dts: rockchip: Add mdio and ethernet-phy nodes to rk3308-rock-pi-s", " - arm64: dts: rockchip: Update WIFi/BT related nodes on rk3308-rock-pi-s", " - arm64: dts: qcom: msm8996: specify UFS core_clk frequencies", " - arm64: dts: qcom: sa8775p: mark ethernet devices as DMA-coherent", " - soc: xilinx: rename cpu_number1 to dummy_cpu_number", " - ARM: dts: sunxi: remove duplicated entries in makefile", " - ARM: dts: stm32: Add arm,no-tick-in-suspend to STM32MP15xx STGEN timer", " - arm64: dts: qcom: qrb4210-rb2: make L9A always-on", " - cpufreq: ti-cpufreq: Handle deferred probe with dev_err_probe()", " - OPP: ti: Fix ti_opp_supply_probe wrong return values", " - memory: fsl_ifc: Make FSL_IFC config visible and selectable", " - arm64: dts: ti: k3-am62x: Drop McASP AFIFOs", " - arm64: dts: ti: k3-am625-beagleplay: Drop McASP AFIFOs", " - arm64: dts: ti: k3-am62-verdin: Drop McASP AFIFOs", " - arm64: dts: qcom: qdu1000: Add secure qfprom node", " - soc: qcom: icc-bwmon: Fix refcount imbalance seen during bwmon_remove", " - 
soc: qcom: pdr: protect locator_addr with the main mutex", " - soc: qcom: pdr: fix parsing of domains lists", " - arm64: dts: rockchip: Increase VOP clk rate on RK3328", " - arm64: dts: amlogic: sm1: fix spdif compatibles", " - ARM: dts: imx6qdl-kontron-samx6i: fix phy-mode", " - ARM: dts: imx6qdl-kontron-samx6i: fix PHY reset", " - ARM: dts: imx6qdl-kontron-samx6i: fix board reset", " - ARM: dts: imx6qdl-kontron-samx6i: fix SPI0 chip selects", " - ARM: dts: imx6qdl-kontron-samx6i: fix PCIe reset polarity", " - arm64: dts: mediatek: mt8195: Fix GPU thermal zone name for SVS", " - arm64: dts: mediatek: mt8183-kukui: Drop bogus output-enable property", " - arm64: dts: mediatek: mt8192-asurada: Add off-on-delay-us for", " pp3300_mipibrdg", " - arm64: dts: mediatek: mt7622: fix \"emmc\" pinctrl mux", " - arm64: dts: mediatek: mt8183-kukui: Fix the value of `dlg,jack-det-rate`", " mismatch", " - arm64: dts: mediatek: mt8183-kukui-jacuzzi: Add ports node for anx7625", " - arm64: dts: amlogic: gx: correct hdmi clocks", " - arm64: dts: amlogic: add power domain to hdmitx", " - arm64: dts: amlogic: setup hdmi system clock", " - arm64: dts: rockchip: Drop invalid mic-in-differential on rk3568-rock-3a", " - arm64: dts: rockchip: Fix mic-in-differential usage on rk3566-roc-pc", " - arm64: dts: rockchip: Fix mic-in-differential usage on rk3568-evb1-v10", " - arm64: dts: renesas: r8a779a0: Add missing hypervisor virtual timer IRQ", " - arm64: dts: renesas: r8a779f0: Add missing hypervisor virtual timer IRQ", " - arm64: dts: renesas: r8a779g0: Add missing hypervisor virtual timer IRQ", " - arm64: dts: renesas: r9a07g043u: Add missing hypervisor virtual timer IRQ", " - arm64: dts: renesas: r9a07g044: Add missing hypervisor virtual timer IRQ", " - arm64: dts: renesas: r9a07g054: Add missing hypervisor virtual timer IRQ", " - m68k: atari: Fix TT bootup freeze / unexpected (SCU) interrupt messages", " - arm64: dts: imx8mp: Fix pgc_mlmix location", " - arm64: dts: imx8mp: add HDMI 
power-domains", " - arm64: dts: imx8mp: Fix pgc vpu locations", " - x86/xen: Convert comma to semicolon", " - arm64: dts: rockchip: Add missing power-domains for rk356x vop_mmu", " - arm64: dts: rockchip: fix regulator name for Lunzn Fastrhino R6xS", " - arm64: dts: rockchip: fix usb regulator for Lunzn Fastrhino R6xS", " - arm64: dts: rockchip: fix pmu_io supply for Lunzn Fastrhino R6xS", " - arm64: dts: rockchip: remove unused usb2 nodes for Lunzn Fastrhino R6xS", " - arm64: dts: rockchip: disable display subsystem for Lunzn Fastrhino R6xS", " - arm64: dts: rockchip: fixes PHY reset for Lunzn Fastrhino R68S", " - arm64: dts: qcom: sm6350: Add missing qcom,non-secure-domain property", " - cpufreq/amd-pstate: Fix the scaling_max_freq setting on shared memory CPPC", " systems", " - m68k: cmpxchg: Fix return value for default case in __arch_xchg()", " - ARM: spitz: fix GPIO assignment for backlight", " - vmlinux.lds.h: catch .bss..L* sections into BSS\")", " - firmware: turris-mox-rwtm: Do not complete if there are no waiters", " - firmware: turris-mox-rwtm: Fix checking return value of", " wait_for_completion_timeout()", " - firmware: turris-mox-rwtm: Initialize completion before mailbox", " - wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device", " - wifi: ath12k: Correct 6 GHz frequency value in rx status", " - wifi: ath12k: Fix tx completion ring (WBM2SW) setup failure", " - bpftool: Un-const bpf_func_info to fix it for llvm 17 and newer", " - selftests/bpf: Fix prog numbers in test_sockmap", " - net: esp: cleanup esp_output_tail_tcp() in case of unsupported ESPINTCP", " - wifi: ath12k: change DMA direction while mapping reinjected packets", " - wifi: ath12k: fix invalid memory access while processing fragmented packets", " - wifi: ath12k: fix firmware crash during reo reinject", " - wifi: ath11k: fix wrong definition of CE ring's base address", " - wifi: ath12k: fix wrong definition of CE ring's base address", " - tcp: add tcp_done_with_error() 
helper", " - tcp: fix race in tcp_write_err()", " - tcp: fix races in tcp_v[46]_err()", " - net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when", " CONFIG_ARCH_NO_SG_CHAIN is defined", " - selftests/bpf: Check length of recv in test_sockmap", " - udf: Fix lock ordering in udf_evict_inode()", " - lib: objagg: Fix general protection fault", " - mlxsw: spectrum_acl_erp: Fix object nesting warning", " - mlxsw: spectrum_acl: Fix ACL scale regression and firmware errors", " - perf/x86: Serialize set_attr_rdpmc()", " - jump_label: Fix concurrency issues in static_key_slow_dec()", " - wifi: ath11k: fix wrong handling of CCMP256 and GCMP ciphers", " - wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he()", " - wifi: cfg80211: handle 2x996 RU allocation in", " cfg80211_calculate_bitrate_he()", " - udf: Fix bogus checksum computation in udf_rename()", " - net: fec: Refactor: #define magic constants", " - net: fec: Fix FEC_ECR_EN1588 being cleared on link-down", " - libbpf: Checking the btf_type kind when fixing variable offsets", " - xfrm: Fix unregister netdevice hang on hardware offload.", " - ipvs: Avoid unnecessary calls to skb_is_gso_sctp", " - netfilter: nf_tables: rise cap on SELinux secmark context", " - wifi: rtw89: 8852b: fix definition of KIP register number", " - wifi: rtl8xxxu: 8188f: Limit TX power index", " - xfrm: Export symbol xfrm_dev_state_delete.", " - bpftool: Mount bpffs when pinmaps path not under the bpffs", " - perf/x86/intel/pt: Fix pt_topa_entry_for_page() address calculation", " - perf: Fix perf_aux_size() for greater-than 32-bit size", " - perf: Prevent passing zero nr_pages to rb_alloc_aux()", " - perf: Fix default aux_watermark calculation", " - perf/x86/intel/cstate: Fix Alderlake/Raptorlake/Meteorlake", " - wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter()", " - xfrm: fix netdev reference count imbalance", " - xfrm: call xfrm_dev_policy_delete when kill policy", " - wifi: virt_wifi: avoid reporting connection 
success with wrong SSID", " - gss_krb5: Fix the error handling path for crypto_sync_skcipher_setkey", " - wifi: virt_wifi: don't use strlen() in const context", " - locking/rwsem: Add __always_inline annotation to __down_write_common() and", " inlined callers", " - selftests/bpf: Close fd in error path in drop_on_reuseport", " - selftests/bpf: Null checks for links in bpf_tcp_ca", " - selftests/bpf: Close obj in error path in xdp_adjust_tail", " - selftests/resctrl: Convert perror() to ksft_perror() or ksft_print_msg()", " - selftests/resctrl: Fix closing IMC fds on error and open-code R+W instead of", " loops", " - bpf: annotate BTF show functions with __printf", " - bna: adjust 'name' buf size of bna_tcb and bna_ccb structures", " - bpf: Eliminate remaining \"make W=1\" warnings in kernel/bpf/btf.o", " - bpf: Fix null pointer dereference in resolve_prog_type() for", " BPF_PROG_TYPE_EXT", " - selftests: forwarding: devlink_lib: Wait for udev events after reloading", " - Bluetooth: hci_bcm4377: Use correct unit for timeouts", " - Bluetooth: btintel: Refactor btintel_set_ppag()", " - Bluetooth: btnxpuart: Add handling for boot-signature timeout errors", " - xdp: fix invalid wait context of page_pool_destroy()", " - net: bridge: mst: Check vlan state for egress decision", " - drm/rockchip: vop2: Fix the port mux of VP2", " - drm/arm/komeda: Fix komeda probe failing if there are no links in the", " secondary pipeline", " - drm/amdkfd: Fix CU Masking for GFX 9.4.3", " - drm/mipi-dsi: Fix theoretical int overflow in mipi_dsi_dcs_write_seq()", " - drm/mipi-dsi: Fix theoretical int overflow in mipi_dsi_generic_write_seq()", " - drm/amd/pm: Fix aldebaran pcie speed reporting", " - drm/amdgpu: Fix memory range calculation", " - drm/amdgpu: Check if NBIO funcs are NULL in amdgpu_device_baco_exit", " - drm/amdgpu: Remove GC HW IP 9.3.0 from noretry=1", " - drm/panel: himax-hx8394: Handle errors from mipi_dsi_dcs_set_display_on()", " better", " - drm/panel: boe-tv101wum-nl6: 
If prepare fails, disable GPIO before", " regulators", " - drm/panel: boe-tv101wum-nl6: Check for errors on the NOP in prepare()", " - drm/bridge: Fixed a DP link training bug", " - drm/bridge: it6505: fix hibernate to resume no display issue", " - media: pci: ivtv: Add check for DMA map result", " - media: imon: Fix race getting ictx->lock", " - media: i2c: Fix imx412 exposure control", " - media: v4l: async: Fix NULL pointer dereference in adding ancillary links", " - s390/mm: Convert make_page_secure to use a folio", " - s390/mm: Convert gmap_make_secure to use a folio", " - s390/uv: Don't call folio_wait_writeback() without a folio reference", " - media: mediatek: vcodec: Handle invalid decoder vsi", " - x86/shstk: Make return uprobe work with shadow stack", " - ipmi: ssif_bmc: prevent integer overflow on 32bit systems", " - saa7134: Unchecked i2c_transfer function result fixed", " - media: i2c: imx219: fix msr access command sequence", " - media: uvcvideo: Disable autosuspend for Insta360 Link", " - media: uvcvideo: Quirk for invalid dev_sof in Logitech C922", " - media: uvcvideo: Add quirk for invalid dev_sof in Logitech C920", " - media: uvcvideo: Override default flags", " - drm: zynqmp_dpsub: Fix an error handling path in zynqmp_dpsub_probe()", " - drm: zynqmp_kms: Fix AUX bus not getting unregistered", " - media: rcar-vin: Fix YUYV8_1X16 handling for CSI-2", " - media: rcar-csi2: Disable runtime_pm in probe error", " - media: rcar-csi2: Cleanup subdevice in remove()", " - media: renesas: vsp1: Fix _irqsave and _irq mix", " - media: renesas: vsp1: Store RPF partition configuration per RPF instance", " - drm/mediatek: Add missing plane settings when async update", " - drm/mediatek: Use 8-bit alpha in ETHDR", " - drm/mediatek: Fix XRGB setting error in OVL", " - drm/mediatek: Fix XRGB setting error in Mixer", " - drm/mediatek: Fix destination alpha error in OVL", " - drm/mediatek: Turn off the layers with zero width or height", " - drm/mediatek: Add OVL 
compatible name for MT8195", " - media: imx-jpeg: Drop initial source change event if capture has been setup", " - leds: trigger: Unregister sysfs attributes before calling deactivate()", " - drm/msm/dsi: set VIDEO_COMPRESSION_MODE_CTRL_WC", " - drm/msm/dpu: drop validity checks for clear_pending_flush() ctl op", " - perf test: Make test_arm_callgraph_fp.sh more robust", " - perf pmus: Fixes always false when compare duplicates aliases", " - perf report: Fix condition in sort__sym_cmp()", " - drm/etnaviv: fix DMA direction handling for cached RW buffers", " - drm/qxl: Add check for drm_cvt_mode", " - Revert \"leds: led-core: Fix refcount leak in of_led_get()\"", " - drm/mediatek: Remove less-than-zero comparison of an unsigned value", " - ext4: fix infinite loop when replaying fast_commit", " - drm/mediatek/dp: switch to ->edid_read callback", " - drm/mediatek/dp: Fix spurious kfree()", " - media: venus: flush all buffers in output plane streamoff", " - perf intel-pt: Fix aux_watermark calculation for 64-bit size", " - perf intel-pt: Fix exclude_guest setting", " - mfd: rsmu: Split core code into separate module", " - mfd: omap-usb-tll: Use struct_size to allocate tll", " - xprtrdma: Fix rpcrdma_reqs_reset()", " - SUNRPC: avoid soft lockup when transmitting UDP to reachable server.", " - NFSv4.1 another fix for EXCHGID4_FLAG_USE_PNFS_DS for DS server", " - ext4: don't track ranges in fast_commit if inode has inlined data", " - ext4: avoid writing unitialized memory to disk in EA inodes", " - leds: flash: leds-qcom-flash: Test the correct variable in init", " - sparc64: Fix incorrect function signature and add prototype for", " prom_cif_init", " - SUNRPC: Fixup gss_status tracepoint error output", " - iio: Fix the sorting functionality in iio_gts_build_avail_time_table", " - PCI: Fix resource double counting on remove & rescan", " - PCI: keystone: Relocate ks_pcie_set/clear_dbi_mode()", " - PCI: keystone: Don't enable BAR 0 for AM654x", " - PCI: keystone: Fix NULL 
pointer dereference in case of DT error in", " ks_pcie_setup_rc_app_regs()", " - PCI: rcar: Demote WARN() to dev_warn_ratelimited() in rcar_pcie_wakeup()", " - scsi: ufs: mcq: Fix missing argument 'hba' in MCQ_OPR_OFFSET_n", " - clk: qcom: gcc-sc7280: Update force mem core bit for UFS ICE clock", " - clk: qcom: camcc-sc7280: Add parent dependency to all camera GDSCs", " - iio: frequency: adrf6780: rm clk provider include", " - coresight: Fix ref leak when of_coresight_parse_endpoint() fails", " - RDMA/mlx5: Set mkeys for dmabuf at PAGE_SIZE", " - ASoc: tas2781: Enable RCA-based playback without DSP firmware download", " - ASoC: cs35l56: Accept values greater than 0 as IRQ numbers", " - usb: typec-mux: nb7vpq904m: unregister typec switch on probe error and", " remove", " - RDMA/cache: Release GID table even if leak is detected", " - clk: qcom: gpucc-sm8350: Park RCG's clk source at XO during disable", " - clk: qcom: gcc-sa8775p: Update the GDSC wait_val fields and flags", " - clk: qcom: gpucc-sa8775p: Remove the CLK_IS_CRITICAL and ALWAYS_ON flags", " - clk: qcom: gpucc-sa8775p: Park RCG's clk source at XO during disable", " - clk: qcom: gpucc-sa8775p: Update wait_val fields for GPU GDSC's", " - interconnect: qcom: qcm2290: Fix mas_snoc_bimc RPM master ID", " - Input: qt1050 - handle CHIP_ID reading error", " - RDMA/mlx4: Fix truncated output warning in mad.c", " - RDMA/mlx4: Fix truncated output warning in alias_GUID.c", " - RDMA/mlx5: Use sq timestamp as QP timestamp when RoCE is disabled", " - RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs", " - ASoC: qcom: Adjust issues in case of DT error in", " asoc_qcom_lpass_cpu_platform_probe()", " - scsi: lpfc: Fix a possible null pointer dereference", " - hwrng: core - Fix wrong quality calculation at hw rng registration", " - powerpc/prom: Add CPU info to hardware description string later", " - ASoC: max98088: Check for clk_prepare_enable() error", " - mtd: make mtd_test.c a separate module", " - RDMA/device: Return 
error earlier if port in not valid", " - Input: elan_i2c - do not leave interrupt disabled on suspend failure", " - ASoC: amd: Adjust error handling in case of absent codec device", " - PCI: endpoint: Clean up error handling in vpci_scan_bus()", " - PCI: endpoint: Fix error handling in epf_ntb_epc_cleanup()", " - vhost/vsock: always initialize seqpacket_allow", " - net: missing check virtio", " - nvmem: rockchip-otp: set add_legacy_fixed_of_cells config option", " - crypto: qat - extend scope of lock in adf_cfg_add_key_value_param()", " - clk: qcom: kpss-xcc: Return of_clk_add_hw_provider to transfer the error", " - clk: qcom: Park shared RCGs upon registration", " - clk: en7523: fix rate divider for slic and spi clocks", " - MIPS: Octeron: remove source file executable bit", " - PCI: qcom-ep: Disable resources unconditionally during PERST# assert", " - PCI: dwc: Fix index 0 incorrectly being interpreted as a free ATU slot", " - powerpc/xmon: Fix disassembly CPU feature checks", " - macintosh/therm_windtunnel: fix module unload.", " - RDMA/hns: Check atomic wr length", " - RDMA/hns: Fix unmatch exception handling when init eq table fails", " - RDMA/hns: Fix missing pagesize and alignment check in FRMR", " - RDMA/hns: Fix shift-out-bounds when max_inline_data is 0", " - RDMA/hns: Fix undifined behavior caused by invalid max_sge", " - RDMA/hns: Fix insufficient extend DB for VFs.", " - iommu/vt-d: Fix identity map bounds in si_domain_init()", " - RDMA/core: Remove NULL check before dev_{put, hold}", " - RDMA: Fix netdev tracker in ib_device_set_netdev", " - bnxt_re: Fix imm_data endianness", " - netfilter: ctnetlink: use helper function to calculate expect ID", " - netfilter: nf_set_pipapo: fix initial map fill", " - ipvs: properly dereference pe in ip_vs_add_service", " - gve: Fix XDP TX completion handling when counters overflow", " - net: flow_dissector: use DEBUG_NET_WARN_ON_ONCE", " - ipv4: Fix incorrect TOS in route get reply", " - ipv4: Fix incorrect TOS in 
fibmatch route get reply", " - net: dsa: mv88e6xxx: Limit chip-wide frame size config to CPU ports", " - net: dsa: b53: Limit chip-wide jumbo frame config to CPU ports", " - fs/ntfs3: Merge synonym COMPRESSION_UNIT and NTFS_LZNT_CUNIT", " - fs/ntfs3: Fix transform resident to nonresident for compressed files", " - fs/ntfs3: Deny getting attr data block in compressed frame", " - fs/ntfs3: Missed NI_FLAG_UPDATE_PARENT setting", " - fs/ntfs3: Fix getting file type", " - fs/ntfs3: Add missing .dirty_folio in address_space_operations", " - pinctrl: rockchip: update rk3308 iomux routes", " - pinctrl: core: fix possible memory leak when pinctrl_enable() fails", " - pinctrl: single: fix possible memory leak when pinctrl_enable() fails", " - pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable()", " fails", " - pinctrl: freescale: mxs: Fix refcount of child", " - fs/ntfs3: Replace inode_trylock with inode_lock", " - fs/ntfs3: Correct undo if ntfs_create_inode failed", " - fs/ntfs3: Drop stray '\\' (backslash) in formatting string", " - fs/ntfs3: Fix field-spanning write in INDEX_HDR", " - pinctrl: renesas: r8a779g0: Fix CANFD5 suffix", " - pinctrl: renesas: r8a779g0: Fix FXR_TXEN[AB] suffixes", " - pinctrl: renesas: r8a779g0: Fix (H)SCIF1 suffixes", " - pinctrl: renesas: r8a779g0: Fix (H)SCIF3 suffixes", " - pinctrl: renesas: r8a779g0: Fix IRQ suffixes", " - pinctrl: renesas: r8a779g0: FIX PWM suffixes", " - pinctrl: renesas: r8a779g0: Fix TCLK suffixes", " - pinctrl: renesas: r8a779g0: Fix TPU suffixes", " - fs/proc/task_mmu: indicate PM_FILE for PMD-mapped file THP", " - fs/proc/task_mmu.c: add_to_pagemap: remove useless parameter addr", " - fs/proc/task_mmu: don't indicate PM_MMAP_EXCLUSIVE without PM_PRESENT", " - fs/proc/task_mmu: properly detect PM_MMAP_EXCLUSIVE per page of PMD-mapped", " THPs", " - nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro", " - rtc: interface: Add RTC offset to alarm after fix-up", " - fs/ntfs3: Fix the format of the 
\"nocase\" mount option", " - fs/ntfs3: Missed error return", " - fs/ntfs3: Keep runs for $MFT::$ATTR_DATA and $MFT::$ATTR_BITMAP", " - powerpc/8xx: fix size given to set_huge_pte_at()", " - s390/dasd: fix error checks in dasd_copy_pair_store()", " - sbitmap: use READ_ONCE to access map->word", " - sbitmap: fix io hung due to race on sbitmap_word::cleared", " - LoongArch: Check TIF_LOAD_WATCH to enable user space watchpoint", " - landlock: Don't lose track of restrictions on cred_transfer", " - hugetlb: force allocating surplus hugepages on mempolicy allowed nodes", " - mm/hugetlb: fix possible recursive locking detected warning", " - mm/mglru: fix div-by-zero in vmpressure_calc_level()", " - mm: mmap_lock: replace get_memcg_path_buf() with on-stack buffer", " - mm/mglru: fix overshooting shrinker memory", " - x86/efistub: Avoid returning EFI_SUCCESS on error", " - x86/efistub: Revert to heap allocated boot_params for PE entrypoint", " - exfat: fix potential deadlock on __exfat_get_dentry_set", " - dt-bindings: thermal: correct thermal zone node name limit", " - tick/broadcast: Make takeover of broadcast hrtimer reliable", " - net: netconsole: Disable target before netpoll cleanup", " - af_packet: Handle outgoing VLAN packets without hardware offloading", " - btrfs: fix extent map use-after-free when adding pages to compressed bio", " - kernel: rerun task_work while freezing in get_signal()", " - ipv4: fix source address selection with route leak", " - ipv6: take care of scope when choosing the src addr", " - NFSD: Support write delegations in LAYOUTGET", " - sched/fair: set_load_weight() must also call reweight_task() for SCHED_IDLE", " tasks", " - fuse: verify {g,u}id mount options correctly", " - ata: libata-scsi: Fix offsets for the fixed format sense data", " - char: tpm: Fix possible memory leak in tpm_bios_measurements_open()", " - media: venus: fix use after free in vdec_close", " - ata: libata-scsi: Do not overwrite valid sense data when CK_COND=1", " - 
hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()", " - ext2: Verify bitmap and itable block numbers before using them", " - io_uring/io-wq: limit retrying worker initialisation", " - drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes", " - drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes", " - scsi: qla2xxx: Fix optrom version displayed in FDMI", " - drm/amd/display: Check for NULL pointer", " - apparmor: use kvfree_sensitive to free data->data", " - cifs: fix potential null pointer use in destroy_workqueue in init_cifs error", " path", " - cifs: fix reconnect with SMB1 UNIX Extensions", " - cifs: mount with \"unix\" mount option for SMB1 incorrectly handled", " - task_work: s/task_work_cancel()/task_work_cancel_func()/", " - task_work: Introduce task_work_cancel() again", " - udf: Avoid using corrupted block bitmap buffer", " - m68k: amiga: Turn off Warp1260 interrupts during boot", " - ext4: check dot and dotdot of dx_root before making dir indexed", " - ext4: make sure the first directory block is not a hole", " - io_uring: tighten task exit cancellations", " - trace/pid_list: Change gfp flags in pid_list_fill_irq()", " - selftests/landlock: Add cred_transfer test", " - wifi: mwifiex: Fix interface type change", " - wifi: rtw88: usb: Fix disconnection after beacon loss", " - drivers: soc: xilinx: check return status of get_api_version()", " - leds: ss4200: Convert PCIBIOS_* return codes to errnos", " - leds: mt6360: Fix memory leak in mt6360_init_isnk_properties()", " - media: imx-pxp: Fix ERR_PTR dereference in pxp_probe()", " - jbd2: make jbd2_journal_get_max_txn_bufs() internal", " - jbd2: precompute number of transaction descriptor blocks", " - jbd2: avoid infinite transaction commit loop", " - media: uvcvideo: Fix integer overflow calculating timestamp", " - KVM: VMX: Split out the non-virtualization part of vmx_interrupt_blocked()", " - KVM: nVMX: Request immediate exit iff pending nested event 
needs injection", " - ALSA: ump: Don't update FB name for static blocks", " - ALSA: ump: Force 1 Group for MIDI1 FBs", " - ALSA: usb-audio: Fix microphone sound on HD webcam.", " - ALSA: usb-audio: Move HD Webcam quirk to the right place", " - ALSA: usb-audio: Add a quirk for Sonix HD USB Camera", " - tools/memory-model: Fix bug in lock.cat", " - hwrng: amd - Convert PCIBIOS_* return codes to errnos", " - parisc: Fix warning at drivers/pci/msi/msi.h:121", " - PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN", " - PCI: dw-rockchip: Fix initial PERST# GPIO value", " - PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio", " - PCI: loongson: Enable MSI in LS7A Root Complex", " - binder: fix hang of unregistered readers", " - hostfs: fix dev_t handling", " - efi/libstub: Zero initialize heap allocated struct screen_info", " - fs/ntfs3: Update log->page_{mask,bits} if log->page_size changed", " - scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds", " - ASoC: fsl: fsl_qmc_audio: Check devm_kasprintf() returned value", " - f2fs: fix to force buffered IO on inline_data inode", " - f2fs: fix to don't dirty inode for readonly filesystem", " - f2fs: fix return value of f2fs_convert_inline_inode()", " - f2fs: use meta inode for GC of atomic file", " - f2fs: use meta inode for GC of COW file", " - clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use", " - ubi: eba: properly rollback inside self_check_eba", " - block: fix deadlock between sd_remove & sd_release", " - mm: fix old/young bit handling in the faulting path", " - decompress_bunzip2: fix rare decompression failure", " - kbuild: Fix '-S -c' in x86 stack protector scripts", " - ASoC: SOF: ipc4-topology: Preserve the DMA Link ID for ChainDMA on unprepare", " - ASoC: amd: yc: Support mic on Lenovo Thinkpad E16 Gen 2", " - kobject_uevent: Fix OOB access within zap_modalias_env()", " - gve: Fix an edge case for TSO skb validity check", " - ice: Add a per-VF limit on 
number of FDIR filters", " - devres: Fix devm_krealloc() wasting memory", " - devres: Fix memory leakage caused by driver API devm_free_percpu()", " - irqdomain: Fixed unbalanced fwnode get and put", " - irqchip/imx-irqsteer: Handle runtime power management correctly", " - mm/numa_balancing: teach mpol_to_str about the balancing mode", " - rtc: cmos: Fix return value of nvmem callbacks", " - scsi: lpfc: Allow DEVICE_RECOVERY mode after RSCN receipt if in PRLI_ISSUE", " state", " - scsi: qla2xxx: During vport delete send async logout explicitly", " - scsi: qla2xxx: Unable to act on RSCN for port online", " - scsi: qla2xxx: Fix for possible memory corruption", " - scsi: qla2xxx: Use QP lock to search for bsg", " - scsi: qla2xxx: Reduce fabric scan duplicate code", " - scsi: qla2xxx: Fix flash read failure", " - scsi: qla2xxx: Complete command early within lock", " - scsi: qla2xxx: validate nvme_local_port correctly", " - perf: Fix event leak upon exit", " - perf: Fix event leak upon exec and file release", " - perf stat: Fix the hard-coded metrics calculation on the hybrid", " - perf/x86/intel/uncore: Fix the bits of the CHA extended umask for SPR", " - perf/x86/intel/ds: Fix non 0 retire latency on Raptorlake", " - perf/x86/intel/pt: Fix topa_entry base length", " - perf/x86/intel/pt: Fix a topa_entry base address calculation", " - drm/i915/gt: Do not consider preemption during execlists_dequeue for gen8", " - drm/amdgpu/sdma5.2: Update wptr registers as well as doorbell", " - drm/udl: Remove DRM_CONNECTOR_POLL_HPD", " - drm/dp_mst: Fix all mstb marked as not probed after suspend/resume", " - drm/amdgpu: reset vm state machine after gpu reset(vram lost)", " - drm/amd/amdgpu: Fix uninitialized variable warnings", " - drm/i915/dp: Reset intel_dp->link_trained before retraining the link", " - drm/i915/dp: Don't switch the LTTPR mode on an active link", " - rtc: isl1208: Fix return value of nvmem callbacks", " - rtc: abx80x: Fix return value of nvmem callback on read", 
" - watchdog/perf: properly initialize the turbo mode timestamp and rearm", " counter", " - platform: mips: cpu_hwmon: Disable driver on unsupported hardware", " - RDMA/iwcm: Fix a use-after-free related to destroying CM IDs", " - selftests/sigaltstack: Fix ppc64 GCC build", " - dm-verity: fix dm_is_verity_target() when dm-verity is builtin", " - rbd: don't assume rbd_is_lock_owner() for exclusive mappings", " - remoteproc: stm32_rproc: Fix mailbox interrupts queuing", " - remoteproc: imx_rproc: Skip over memory region when node value is NULL", " - remoteproc: imx_rproc: Fix refcount mistake in imx_rproc_addr_init", " - MIPS: dts: loongson: Add ISA node", " - MIPS: ip30: ip30-console: Add missing include", " - MIPS: dts: loongson: Fix GMAC phy node", " - MIPS: Loongson64: env: Hook up Loongsson-2K", " - MIPS: Loongson64: Remove memory node for builtin-dtb", " - MIPS: Loongson64: reset: Prioritise firmware service", " - MIPS: Loongson64: Test register availability before use", " - drm/etnaviv: don't block scheduler when GPU is still active", " - drm/panfrost: Mark simple_ondemand governor as softdep", " - rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait", " - rbd: don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings", " - lib/build_OID_registry: don't mention the full path of the script in output", " - video: logo: Drop full path of the input filename in generated file", " - Bluetooth: btusb: Add RTL8852BE device 0489:e125 to device tables", " - Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591", " - minmax: scsi: fix mis-use of 'clamp()' in sr.c", " - mm/mglru: fix ineffective protection calculation", " - PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal", " - f2fs: fix to truncate preallocated blocks in f2fs_file_open()", " - kdb: address -Wformat-security warnings", " - kdb: Use the passed prompt in kdb_position_cursor()", " - dmaengine: ti: k3-udma: Fix BCHAN count with UHC and HC channels", " - phy: cadence-torrent: Check 
return value on register read", " - phy: zynqmp: Enable reference clock correctly", " - um: time-travel: fix time-travel-start option", " - um: time-travel: fix signal blocking race/hang", " - f2fs: fix start segno of large section", " - watchdog: rzg2l_wdt: Use pm_runtime_resume_and_get()", " - watchdog: rzg2l_wdt: Check return status of pm_runtime_put()", " - f2fs: fix to update user block counts in block_operations()", " - kbuild: avoid build error when single DTB is turned into composite DTB", " - selftests/bpf: fexit_sleep: Fix stack allocation for arm64", " - libbpf: Fix no-args func prototype BTF dumping syntax", " - af_unix: Disable MSG_OOB handling for sockets in sockmap/sockhash", " - dma: fix call order in dmam_free_coherent", " - bpf, events: Use prog to emit ksymbol event for main program", " - tools/resolve_btfids: Fix comparison of distinct pointer types warning in", " resolve_btfids", " - MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later", " - ipv4: Fix incorrect source address in Record Route option", " - net: bonding: correctly annotate RCU in bond_should_notify_peers()", " - ice: Fix recipe read procedure", " - netfilter: nft_set_pipapo_avx2: disable softinterrupts", " - net: stmmac: Correct byte order of perfect_match", " - net: nexthop: Initialize all fields in dumped nexthops", " - bpf: Fix a segment issue when downgrading gso_size", " - apparmor: Fix null pointer deref when receiving skb during sock creation", " - powerpc: fix a file leak in kvm_vcpu_ioctl_enable_cap()", " - lirc: rc_dev_get_from_fd(): fix file leak", " - auxdisplay: ht16k33: Drop reference after LED registration", " - ASoC: SOF: imx8m: Fix DSP control regmap retrieval", " - spi: microchip-core: fix the issues in the isr", " - spi: microchip-core: defer asserting chip select until just before write to", " TX FIFO", " - spi: microchip-core: only disable SPI controller when register value change", " requires it", " - spi: microchip-core: fix init function not 
setting the master and motorola", " modes", " - spi: microchip-core: ensure TX and RX FIFOs are empty at start of a transfer", " - nvme-pci: Fix the instructions for disabling power management", " - ASoC: sof: amd: fix for firmware reload failure in Vangogh platform", " - spi: spidev: add correct compatible for Rohm BH2228FV", " - ASoC: Intel: use soc_intel_is_byt_cr() only when IOSF_MBI is reachable", " - ASoC: TAS2781: Fix tasdev_load_calibrated_data()", " - ceph: fix incorrect kmalloc size of pagevec mempool", " - s390/pci: Refactor arch_setup_msi_irqs()", " - s390/pci: Allow allocation of more than 1 MSI interrupt", " - s390/cpum_cf: Fix endless loop in CF_DIAG event stop", " - iommu: sprd: Avoid NULL deref in sprd_iommu_hw_en", " - io_uring: fix io_match_task must_hold", " - nvme-pci: add missing condition check for existence of mapped data", " - fs: don't allow non-init s_user_ns for filesystems without FS_USERNS_MOUNT", " - md/raid0: don't free conf on raid0_run failure", " - md/raid1: don't free conf on raid0_run failure", " - io_uring: Fix probe of disabled operations", " - cgroup/cpuset: Optimize isolated partition only generate_sched_domains()", " calls", " - cgroup/cpuset: Fix remote root partition creation problem", " - x86/syscall: Mark exit[_group] syscall handlers __noreturn", " - perf: arm_pmuv3: Avoid assigning fixed cycle counter with threshold", " - md/raid5: recheck if reshape has finished with device_lock held", " - hwmon: (ltc2991) re-order conditions to fix off by one bug", " - arm64: smp: Fix missing IPI statistics", " - arm64: dts: qcom: sc7280: Remove CTS/RTS configuration", " - ARM: dts: qcom: msm8226-microsoft-common: Enable smbb explicitly", " - OPP: Fix missing cleanup on error in _opp_attach_genpd()", " - arm64: dts: qcom: sc8280xp-*: Remove thermal zone polling delays", " - arm64: dts: ti: k3-am62-main: Fix the reg-range for main_pktdma", " - arm64: dts: ti: k3-am62a-main: Fix the reg-range for main_pktdma", " - arm64: dts: ti: 
k3-am62p-main: Fix the reg-range for main_pktdma", " - arm64: dts: ti: k3-am62a7: Drop McASP AFIFOs", " - arm64: dts: ti: k3-am62p5: Drop McASP AFIFOs", " - arm64: dts: ti: k3-am62p5-sk: Fix pinmux for McASP1 TX", " - arm64: dts: qcom: sc7180-trogdor: Disable pwmleds node where unused", " - arm64: dts: mediatek: mt8192: Fix GPU thermal zone name for SVS", " - arm64: dts: mediatek: mt8183-pico6: Fix wake-on-X event node names", " - arm64: dts: renesas: r9a08g045: Add missing hypervisor virtual timer IRQ", " - cpufreq/amd-pstate-ut: Convert nominal_freq to khz during comparisons", " - wifi: mac80211: cancel multi-link reconf work on disconnect", " - wifi: ath11k: refactor setting country code logic", " - wifi: ath11k: restore country code during resume", " - net: ethernet: cortina: Restore TSO support", " - tcp: fix races in tcp_abort()", " - hns3: avoid linking objects into multiple modules", " - sched/core: Move preempt_model_*() helpers from sched.h to preempt.h", " - sched/core: Drop spinlocks on contention iff kernel is preemptible", " - net: dsa: ksz_common: Allow only up to two HSR HW offloaded ports for", " KSZ9477", " - libbpf: Skip base btf sanity checks", " - wifi: mac80211: add ieee80211_tdls_sta_link_id()", " - wifi: iwlwifi: fix iwl_mvm_get_valid_rx_ant()", " - wifi: ath12k: advertise driver capabilities for MBSSID and EMA", " - riscv, bpf: Fix out-of-bounds issue when preparing trampoline image", " - perf/x86/amd/uncore: Avoid PMU registration if counters are unavailable", " - perf/x86/amd/uncore: Fix DF and UMC domain identification", " - NFSD: Fix nfsdcld warning", " - net: page_pool: fix warning code", " - bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG", " - Bluetooth: hci_event: Set QoS encryption from BIGInfo report", " - Bluetooth: hci_core, hci_sync: cleanup struct discovery_state", " - Bluetooth: Fix usage of __hci_cmd_sync_status", " - tcp: Don't access uninit tcp_rsk(req)->ao_keyid in", " tcp_create_openreq_child().", " - drm/panel: 
ilitek-ili9882t: If prepare fails, disable GPIO before regulators", " - drm/panel: ilitek-ili9882t: Check for errors on the NOP in prepare()", " - drm/amd/display: Move 'struct scaler_data' off stack", " - media: i2c: hi846: Fix V4L2_SUBDEV_FORMAT_TRY get_selection()", " - drm/msm/dpu: fix encoder irq wait skip", " - drm/msm/dpu: drop duplicate drm formats from wb2_formats arrays", " - drm/msm/dp: fix runtime_pm handling in dp_wait_hpd_asserted", " - perf maps: Switch from rbtree to lazily sorted array for addresses", " - perf maps: Fix use after free in __maps__fixup_overlap_and_insert", " - drm/bridge: samsung-dsim: Set P divider based on min/max of fin pll", " - drm/i915/psr: Print Panel Replay status instead of frame lock status", " - drm/mediatek: Set DRM mode configs accordingly", " - drm/msm/dsi: set video mode widebus enable bit when widebus is enabled", " - tools/perf: Fix the string match for \"/tmp/perf-$PID.map\" files in dso__load", " - drm/amd/display: Add null check before access structs", " - nfs: pass explicit offset/count to trace events", " - PCI: endpoint: pci-epf-test: Make use of cached 'epc_features' in", " pci_epf_test_core_init()", " - PCI: tegra194: Set EP alignment restriction for inbound ATU", " - riscv: smp: fail booting up smp if inconsistent vlen is detected", " - clk: meson: s4: fix fixed_pll_dco clock", " - clk: meson: s4: fix pwm_j_div parent clock", " - usb: typec-mux: ptn36502: unregister typec switch on probe error and remove", " - mtd: spi-nor: winbond: fix w25q128 regression", " - iommufd/selftest: Fix dirty bitmap tests with u8 bitmaps", " - iommufd/selftest: Fix iommufd_test_dirty() to handle ", "date": "Tue, 26 Nov 2024 13:53:36 +0100" } ], "notes": "linux-modules-6.8.0-51-generic version '6.8.0-51.52.1' (source package linux-riscv version '6.8.0-51.52.1') was added. linux-modules-6.8.0-51-generic version '6.8.0-51.52.1' has the same source package name, linux-riscv, as removed package linux-headers-6.8.0-49-generic. 
As such we can use the source package version of the removed package, '6.8.0-49.49.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-riscv-headers-6.8.0-51", "from_version": { "source_package_name": "linux-riscv", "source_package_version": "6.8.0-49.49.1", "version": null }, "to_version": { "source_package_name": "linux-riscv", "source_package_version": "6.8.0-51.52.1", "version": "6.8.0-51.52.1" }, "cves": [ { "cve": "CVE-2024-50264", "url": "https://ubuntu.com/security/CVE-2024-50264", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans During loopback communication, a dangling pointer can be created in vsk->trans, potentially leading to a Use-After-Free condition. This issue is resolved by initializing vsk->trans to NULL.", "cve_priority": "high", "cve_public_date": "2024-11-19 02:16:00 UTC" }, { "cve": "CVE-2024-53057", "url": "https://ubuntu.com/security/CVE-2024-53057", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed to be either root or ingress. This assumption is bogus since it's valid to create egress qdiscs with major handle ffff: Budimir Markovic found that for qdiscs like DRR that maintain an active class list, it will cause a UAF with a dangling class pointer. In 066a3b5b2346, the concern was to avoid iterating over the ingress qdisc since its parent is itself. 
The proper fix is to stop when parent TC_H_ROOT is reached because the only way to retrieve ingress is when a hierarchy which does not contain a ffff: major handle call into qdisc_lookup with TC_H_MAJ(TC_H_ROOT). In the scenario where major ffff: is an egress qdisc in any of the tree levels, the updates will also propagate to TC_H_ROOT, which then the iteration must stop. net/sched/sch_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)", "cve_priority": "medium", "cve_public_date": "2024-11-19 18:15:00 UTC" }, { "cve": "CVE-2024-49967", "url": "https://ubuntu.com/security/CVE-2024-49967", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ext4: no need to continue when the number of entries is 1", "cve_priority": "medium", "cve_public_date": "2024-10-21 18:15:00 UTC" }, { "cve": "CVE-2024-46823", "url": "https://ubuntu.com/security/CVE-2024-46823", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: kunit/overflow: Fix UB in overflow_allocation_test The 'device_name' array doesn't exist out of the 'overflow_allocation_test' function scope. However, it is being used as a driver name when calling 'kunit_driver_create' from 'kunit_device_register'. It produces the kernel panic with KASAN enabled. Since this variable is used in one place only, remove it and pass the device name into kunit_device_register directly as an ascii string.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46834", "url": "https://ubuntu.com/security/CVE-2024-46834", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ethtool: fail closed if we can't get max channel used in indirection tables Commit 0d1b7d6c9274 (\"bnxt: fix crashes when reducing ring count with active RSS contexts\") proves that allowing indirection table to contain channels with out of bounds IDs may lead to crashes. 
Currently the max channel check in the core gets skipped if driver can't fetch the indirection table or when we can't allocate memory. Both of those conditions should be extremely rare but if they do happen we should try to be safe and fail the channel change.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46751", "url": "https://ubuntu.com/security/CVE-2024-46751", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: don't BUG_ON() when 0 reference count at btrfs_lookup_extent_info() Instead of doing a BUG_ON() handle the error by returning -EUCLEAN, aborting the transaction and logging an error message.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46753", "url": "https://ubuntu.com/security/CVE-2024-46753", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: handle errors from btrfs_dec_ref() properly In walk_up_proc() we BUG_ON(ret) from btrfs_dec_ref(). This is incorrect, we have proper error handling here, return the error.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46841", "url": "https://ubuntu.com/security/CVE-2024-46841", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: don't BUG_ON on ENOMEM from btrfs_lookup_extent_info() in walk_down_proc() We handle errors here properly, ENOMEM isn't fatal, return the error.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46754", "url": "https://ubuntu.com/security/CVE-2024-46754", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Remove tst_run from lwt_seg6local_prog_ops. The syzbot reported that the lwt_seg6 related BPF ops can be invoked via bpf_test_run() without without entering input_action_end_bpf() first. 
Martin KaFai Lau said that self test for BPF_PROG_TYPE_LWT_SEG6LOCAL probably didn't work since it was introduced in commit 04d4b274e2a (\"ipv6: sr: Add seg6local action End.BPF\"). The reason is that the per-CPU variable seg6_bpf_srh_states::srh is never assigned in the self test case but each BPF function expects it. Remove test_run for BPF_PROG_TYPE_LWT_SEG6LOCAL.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46824", "url": "https://ubuntu.com/security/CVE-2024-46824", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: iommufd: Require drivers to supply the cache_invalidate_user ops If drivers don't do this then iommufd will oops invalidation ioctls with something like: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info: ESR = 0x0000000086000004 EC = 0x21: IABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault user pgtable: 4k pages, 48-bit VAs, pgdp=0000000101059000 [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP Modules linked in: CPU: 2 PID: 371 Comm: qemu-system-aar Not tainted 6.8.0-rc7-gde77230ac23a #9 Hardware name: linux,dummy-virt (DT) pstate: 81400809 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=-c) pc : 0x0 lr : iommufd_hwpt_invalidate+0xa4/0x204 sp : ffff800080f3bcc0 x29: ffff800080f3bcf0 x28: ffff0000c369b300 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000 x23: 0000000000000000 x22: 00000000c1e334a0 x21: ffff0000c1e334a0 x20: ffff800080f3bd38 x19: ffff800080f3bd58 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff8240d6d8 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 x8 : 0000001000000002 x7 : 0000fffeac1ec950 x6 : 0000000000000000 x5 : 
ffff800080f3bd78 x4 : 0000000000000003 x3 : 0000000000000002 x2 : 0000000000000000 x1 : ffff800080f3bcc8 x0 : ffff0000c6034d80 Call trace: 0x0 iommufd_fops_ioctl+0x154/0x274 __arm64_sys_ioctl+0xac/0xf0 invoke_syscall+0x48/0x110 el0_svc_common.constprop.0+0x40/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xb4 el0t_64_sync_handler+0x120/0x12c el0t_64_sync+0x190/0x194 All existing drivers implement this op for nesting, this is mostly a bisection aid.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46842", "url": "https://ubuntu.com/security/CVE-2024-46842", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Handle mailbox timeouts in lpfc_get_sfp_info The MBX_TIMEOUT return code is not handled in lpfc_get_sfp_info and the routine unconditionally frees submitted mailbox commands regardless of return status. The issue is that for MBX_TIMEOUT cases, when firmware returns SFP information at a later time, that same mailbox memory region references previously freed memory in its cmpl routine. Fix by adding checks for the MBX_TIMEOUT return code. During mailbox resource cleanup, check the mbox flag to make sure that the wait did not timeout. If the MBOX_WAKE flag is not set, then do not free the resources because it will be freed when firmware completes the mailbox at a later time in its cmpl routine. Also, increase the timeout from 30 to 60 seconds to accommodate boot scripts requiring longer timeouts.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46766", "url": "https://ubuntu.com/security/CVE-2024-46766", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ice: move netif_queue_set_napi to rtnl-protected sections Currently, netif_queue_set_napi() is called from ice_vsi_rebuild() that is not rtnl-locked when called from the reset. 
This creates the need to take the rtnl_lock just for a single function and complicates the synchronization with .ndo_bpf. At the same time, there no actual need to fill napi-to-queue information at this exact point. Fill napi-to-queue information when opening the VSI and clear it when the VSI is being closed. Those routines are already rtnl-locked. Also, rewrite napi-to-queue assignment in a way that prevents inclusion of XDP queues, as this leads to out-of-bounds writes, such as one below. [ +0.000004] BUG: KASAN: slab-out-of-bounds in netif_queue_set_napi+0x1c2/0x1e0 [ +0.000012] Write of size 8 at addr ffff889881727c80 by task bash/7047 [ +0.000006] CPU: 24 PID: 7047 Comm: bash Not tainted 6.10.0-rc2+ #2 [ +0.000004] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0014.082620210524 08/26/2021 [ +0.000003] Call Trace: [ +0.000003] [ +0.000002] dump_stack_lvl+0x60/0x80 [ +0.000007] print_report+0xce/0x630 [ +0.000007] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ +0.000007] ? __virt_addr_valid+0x1c9/0x2c0 [ +0.000005] ? netif_queue_set_napi+0x1c2/0x1e0 [ +0.000003] kasan_report+0xe9/0x120 [ +0.000004] ? netif_queue_set_napi+0x1c2/0x1e0 [ +0.000004] netif_queue_set_napi+0x1c2/0x1e0 [ +0.000005] ice_vsi_close+0x161/0x670 [ice] [ +0.000114] ice_dis_vsi+0x22f/0x270 [ice] [ +0.000095] ice_pf_dis_all_vsi.constprop.0+0xae/0x1c0 [ice] [ +0.000086] ice_prepare_for_reset+0x299/0x750 [ice] [ +0.000087] pci_dev_save_and_disable+0x82/0xd0 [ +0.000006] pci_reset_function+0x12d/0x230 [ +0.000004] reset_store+0xa0/0x100 [ +0.000006] ? __pfx_reset_store+0x10/0x10 [ +0.000002] ? __pfx_mutex_lock+0x10/0x10 [ +0.000004] ? __check_object_size+0x4c1/0x640 [ +0.000007] kernfs_fop_write_iter+0x30b/0x4a0 [ +0.000006] vfs_write+0x5d6/0xdf0 [ +0.000005] ? fd_install+0x180/0x350 [ +0.000005] ? __pfx_vfs_write+0x10/0xA10 [ +0.000004] ? do_fcntl+0x52c/0xcd0 [ +0.000004] ? kasan_save_track+0x13/0x60 [ +0.000003] ? 
kasan_save_free_info+0x37/0x60 [ +0.000006] ksys_write+0xfa/0x1d0 [ +0.000003] ? __pfx_ksys_write+0x10/0x10 [ +0.000002] ? __x64_sys_fcntl+0x121/0x180 [ +0.000004] ? _raw_spin_lock+0x87/0xe0 [ +0.000005] do_syscall_64+0x80/0x170 [ +0.000007] ? _raw_spin_lock+0x87/0xe0 [ +0.000004] ? __pfx__raw_spin_lock+0x10/0x10 [ +0.000003] ? file_close_fd_locked+0x167/0x230 [ +0.000005] ? syscall_exit_to_user_mode+0x7d/0x220 [ +0.000005] ? do_syscall_64+0x8c/0x170 [ +0.000004] ? do_syscall_64+0x8c/0x170 [ +0.000003] ? do_syscall_64+0x8c/0x170 [ +0.000003] ? fput+0x1a/0x2c0 [ +0.000004] ? filp_close+0x19/0x30 [ +0.000004] ? do_dup2+0x25a/0x4c0 [ +0.000004] ? __x64_sys_dup2+0x6e/0x2e0 [ +0.000002] ? syscall_exit_to_user_mode+0x7d/0x220 [ +0.000004] ? do_syscall_64+0x8c/0x170 [ +0.000003] ? __count_memcg_events+0x113/0x380 [ +0.000005] ? handle_mm_fault+0x136/0x820 [ +0.000005] ? do_user_addr_fault+0x444/0xa80 [ +0.000004] ? clear_bhb_loop+0x25/0x80 [ +0.000004] ? clear_bhb_loop+0x25/0x80 [ +0.000002] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ +0.000005] RIP: 0033:0x7f2033593154", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46772", "url": "https://ubuntu.com/security/CVE-2024-46772", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check denominator crb_pipes before used [WHAT & HOW] A denominator cannot be 0, and is checked before used. 
This fixes 2 DIVIDE_BY_ZERO issues reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46774", "url": "https://ubuntu.com/security/CVE-2024-46774", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() Smatch warns: arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential spectre issue 'args.args' [r] (local cap) The 'nargs' and 'nret' locals come directly from a user-supplied buffer and are used as indexes into a small stack-based array and as inputs to copy_to_user() after they are subject to bounds checks. Use array_index_nospec() after the bounds checks to clamp these values for speculative execution.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46775", "url": "https://ubuntu.com/security/CVE-2024-46775", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Validate function returns [WHAT & HOW] Function return values must be checked before data can be used in subsequent functions. This fixes 4 CHECKED_RETURN issues reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46778", "url": "https://ubuntu.com/security/CVE-2024-46778", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check UnboundedRequestEnabled's value CalculateSwathAndDETConfiguration_params_st's UnboundedRequestEnabled is a pointer (i.e. dml_bool_t *UnboundedRequestEnabled), and thus if (p->UnboundedRequestEnabled) checks its address, not bool value. 
This fixes 1 REVERSE_INULL issue reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46779", "url": "https://ubuntu.com/security/CVE-2024-46779", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/imagination: Free pvr_vm_gpuva after unlink This caused a measurable memory leak. Although the individual allocations are small, the leaks occurs in a high-usage codepath (remapping or unmapping device memory) so they add up quickly.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46792", "url": "https://ubuntu.com/security/CVE-2024-46792", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: riscv: misaligned: Restrict user access to kernel memory raw_copy_{to,from}_user() do not call access_ok(), so this code allowed userspace to access any virtual memory address.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46793", "url": "https://ubuntu.com/security/CVE-2024-46793", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards harder Since commit 13f58267cda3 (\"ASoC: soc.h: don't create dummy Component via COMP_DUMMY()\") dummy codecs declared like this: SND_SOC_DAILINK_DEF(dummy, DAILINK_COMP_ARRAY(COMP_DUMMY())); expand to: static struct snd_soc_dai_link_component dummy[] = { }; Which means that dummy is a zero sized array and thus dais[i].codecs should not be dereferenced *at all* since it points to the address of the next variable stored in the data section as the \"dummy\" variable has an address but no size, so even dereferencing dais[0] is already an out of bounds array reference. 
Which means that the if (dais[i].codecs->name) check added in commit 7d99a70b6595 (\"ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards\") relies on that the part of the next variable which the name member maps to just happens to be NULL. Which apparently so far it usually is, except when it isn't and then it results in crashes like this one: [ 28.795659] BUG: unable to handle page fault for address: 0000000000030011 ... [ 28.795780] Call Trace: [ 28.795787] ... [ 28.795862] ? strcmp+0x18/0x40 [ 28.795872] 0xffffffffc150c605 [ 28.795887] platform_probe+0x40/0xa0 ... [ 28.795979] ? __pfx_init_module+0x10/0x10 [snd_soc_sst_bytcr_wm5102] Really fix things this time around by checking dais.num_codecs != 0.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46735", "url": "https://ubuntu.com/security/CVE-2024-46735", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ublk_drv: fix NULL pointer dereference in ublk_ctrl_start_recovery() When two UBLK_CMD_START_USER_RECOVERY commands are submitted, the first one sets 'ubq->ubq_daemon' to NULL, and the second one triggers WARN in ublk_queue_reinit() and subsequently a NULL pointer dereference issue. Fix it by adding the check in ublk_ctrl_start_recovery() and return immediately in case of zero 'ub->nr_queues_ready'. BUG: kernel NULL pointer dereference, address: 0000000000000028 RIP: 0010:ublk_ctrl_start_recovery.constprop.0+0x82/0x180 Call Trace: ? __die+0x20/0x70 ? page_fault_oops+0x75/0x170 ? exc_page_fault+0x64/0x140 ? asm_exc_page_fault+0x22/0x30 ? ublk_ctrl_start_recovery.constprop.0+0x82/0x180 ublk_ctrl_uring_cmd+0x4f7/0x6c0 ? pick_next_task_idle+0x26/0x40 io_uring_cmd+0x9a/0x1b0 io_issue_sqe+0x193/0x3f0 io_wq_submit_work+0x9b/0x390 io_worker_handle_work+0x165/0x360 io_wq_worker+0xcb/0x2f0 ? finish_task_switch.isra.0+0x203/0x290 ? finish_task_switch.isra.0+0x203/0x290 ? __pfx_io_wq_worker+0x10/0x10 ret_from_fork+0x2d/0x50 ? 
__pfx_io_wq_worker+0x10/0x10 ret_from_fork_asm+0x1a/0x30 ", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46737", "url": "https://ubuntu.com/security/CVE-2024-46737", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix kernel crash if commands allocation fails If the commands allocation fails in nvmet_tcp_alloc_cmds() the kernel crashes in nvmet_tcp_release_queue_work() because of a NULL pointer dereference. nvmet: failed to install queue 0 cntlid 1 ret 6 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 Fix the bug by setting queue->nr_cmds to zero in case nvmet_tcp_alloc_cmd() fails.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46822", "url": "https://ubuntu.com/security/CVE-2024-46822", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry In a review discussion of the changes to support vCPU hotplug where a check was added on the GICC being enabled if was online, it was noted that there is need to map back to the cpu and use that to index into a cpumask. As such, a valid ID is needed. If an MPIDR check fails in acpi_map_gic_cpu_interface() it is possible for the entry in cpu_madt_gicc[cpu] == NULL. This function would then cause a NULL pointer dereference. Whilst a path to trigger this has not been established, harden this caller against the possibility.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46713", "url": "https://ubuntu.com/security/CVE-2024-46713", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: perf/aux: Fix AUX buffer serialization Ole reported that event->mmap_mutex is strictly insufficient to serialize the AUX buffer, add a per RB mutex to fully serialize it. 
Note that in the lock order comment the perf_event::mmap_mutex order was already wrong, that is, it nesting under mmap_lock is not new with this patch.", "cve_priority": "medium", "cve_public_date": "2024-09-13 15:15:00 UTC" }, { "cve": "CVE-2024-46739", "url": "https://ubuntu.com/security/CVE-2024-46739", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind For primary VM Bus channels, primary_channel pointer is always NULL. This pointer is valid only for the secondary channels. Also, rescind callback is meant for primary channels only. Fix NULL pointer dereference by retrieving the device_obj from the parent for the primary channel.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46740", "url": "https://ubuntu.com/security/CVE-2024-46740", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF caused by offsets overwrite Binder objects are processed and copied individually into the target buffer during transactions. Any raw data in-between these objects is copied as well. However, this raw data copy lacks an out-of-bounds check. If the raw data exceeds the data section size then the copy overwrites the offsets section. This eventually triggers an error that attempts to unwind the processed objects. However, at this point the offsets used to index these objects are now corrupted. Unwinding with corrupted offsets can result in decrements of arbitrary nodes and lead to their premature release. Other users of such nodes are left with a dangling pointer triggering a use-after-free. 
This issue is made evident by the following KASAN report (trimmed): ================================================================== BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c Write of size 4 at addr ffff47fc91598f04 by task binder-util/743 CPU: 9 UID: 0 PID: 743 Comm: binder-util Not tainted 6.11.0-rc4 #1 Hardware name: linux,dummy-virt (DT) Call trace: _raw_spin_lock+0xe4/0x19c binder_free_buf+0x128/0x434 binder_thread_write+0x8a4/0x3260 binder_ioctl+0x18f0/0x258c [...] Allocated by task 743: __kmalloc_cache_noprof+0x110/0x270 binder_new_node+0x50/0x700 binder_transaction+0x413c/0x6da8 binder_thread_write+0x978/0x3260 binder_ioctl+0x18f0/0x258c [...] Freed by task 745: kfree+0xbc/0x208 binder_thread_read+0x1c5c/0x37d4 binder_ioctl+0x16d8/0x258c [...] ================================================================== To avoid this issue, let's check that the raw data copy is within the boundaries of the data section.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46741", "url": "https://ubuntu.com/security/CVE-2024-46741", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix double free of 'buf' in error path smatch warning: drivers/misc/fastrpc.c:1926 fastrpc_req_mmap() error: double free of 'buf' In fastrpc_req_mmap() error path, the fastrpc buffer is freed in fastrpc_req_munmap_impl() if unmap is successful. But in the end, there is an unconditional call to fastrpc_buf_free(). So the above case triggers the double free of fastrpc buf.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-47663", "url": "https://ubuntu.com/security/CVE-2024-47663", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: staging: iio: frequency: ad9834: Validate frequency parameter value In ad9834_write_frequency() clk_get_rate() can return 0. 
In such case ad9834_calc_freqreg() call will lead to division by zero. Checking 'if (fout > (clk_freq / 2))' doesn't protect in case of 'fout' is 0. ad9834_write_frequency() is called from ad9834_write(), where fout is taken from text buffer, which can contain any value. Modify parameters checking. Found by Linux Verification Center (linuxtesting.org) with SVACE.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46832", "url": "https://ubuntu.com/security/CVE-2024-46832", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: MIPS: cevt-r4k: Don't call get_c0_compare_int if timer irq is installed This avoids warning: [ 0.118053] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:283 Caused by get_c0_compare_int on secondary CPU. We also skipped saving IRQ number to struct clock_event_device *cd as it's never used by clockevent core, as per comments it's only meant for \"non CPU local devices\".", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-47668", "url": "https://ubuntu.com/security/CVE-2024-47668", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc() If we need to increase the tree depth, allocate a new node, and then race with another thread that increased the tree depth before us, we'll still have a preallocated node that might be used later. 
If we then use that node for a new non-root node, it'll still have a pointer to the old root instead of being zeroed - fix this by zeroing it in the cmpxchg failure path.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46744", "url": "https://ubuntu.com/security/CVE-2024-46744", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Squashfs: sanity check symbolic link size Syzkiller reports a \"KMSAN: uninit-value in pick_link\" bug. This is caused by an uninitialised page, which is ultimately caused by a corrupted symbolic link size read from disk. The reason why the corrupted symlink size causes an uninitialised page is due to the following sequence of events: 1. squashfs_read_inode() is called to read the symbolic link from disk. This assigns the corrupted value 3875536935 to inode->i_size. 2. Later squashfs_symlink_read_folio() is called, which assigns this corrupted value to the length variable, which being a signed int, overflows producing a negative number. 3. The following loop that fills in the page contents checks that the copied bytes is less than length, which being negative means the loop is skipped, producing an uninitialised page. This patch adds a sanity check which checks that the symbolic link size is not larger than expected. -- V2: fix spelling mistake.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46745", "url": "https://ubuntu.com/security/CVE-2024-46745", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Input: uinput - reject requests with unreasonable number of slots When exercising uinput interface syzkaller may try setting up device with a really large number of slots, which causes memory allocation failure in input_mt_init_slots(). While this allocation failure is handled properly and request is rejected, it results in syzkaller reports. 
Additionally, such request may put undue burden on the system which will try to free a lot of memory for a bogus request. Fix it by limiting allowed number of slots to 100. This can easily be extended if we see devices that can track more than 100 contacts.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46746", "url": "https://ubuntu.com/security/CVE-2024-46746", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: HID: amd_sfh: free driver_data after destroying hid device HID driver callbacks aren't called anymore once hid_destroy_device() has been called. Hence, hid driver_data should be freed only after the hid_destroy_device() function returned as driver_data is used in several callbacks. I observed a crash with kernel 6.10.0 on my T14s Gen 3, after enabling KASAN to debug memory allocation, I got this output: [ 13.050438] ================================================================== [ 13.054060] BUG: KASAN: slab-use-after-free in amd_sfh_get_report+0x3ec/0x530 [amd_sfh] [ 13.054809] psmouse serio1: trackpoint: Synaptics TrackPoint firmware: 0x02, buttons: 3/3 [ 13.056432] Read of size 8 at addr ffff88813152f408 by task (udev-worker)/479 [ 13.060970] CPU: 5 PID: 479 Comm: (udev-worker) Not tainted 6.10.0-arch1-2 #1 893bb55d7f0073f25c46adbb49eb3785fefd74b0 [ 13.063978] Hardware name: LENOVO 21CQCTO1WW/21CQCTO1WW, BIOS R22ET70W (1.40 ) 03/21/2024 [ 13.067860] Call Trace: [ 13.069383] input: TPPS/2 Synaptics TrackPoint as /devices/platform/i8042/serio1/input/input8 [ 13.071486] [ 13.071492] dump_stack_lvl+0x5d/0x80 [ 13.074870] snd_hda_intel 0000:33:00.6: enabling device (0000 -> 0002) [ 13.078296] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.082199] print_report+0x174/0x505 [ 13.085776] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 13.089367] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.093255] ? 
amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.097464] kasan_report+0xc8/0x150 [ 13.101461] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.105802] amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.110303] amdtp_hid_request+0xb8/0x110 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.114879] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.119450] sensor_hub_get_feature+0x1d3/0x540 [hid_sensor_hub 3f13be3016ff415bea03008d45d99da837ee3082] [ 13.124097] hid_sensor_parse_common_attributes+0x4d0/0xad0 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5] [ 13.127404] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.131925] ? __pfx_hid_sensor_parse_common_attributes+0x10/0x10 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5] [ 13.136455] ? _raw_spin_lock_irqsave+0x96/0xf0 [ 13.140197] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 13.143602] ? devm_iio_device_alloc+0x34/0x50 [industrialio 3d261d5e5765625d2b052be40e526d62b1d2123b] [ 13.147234] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.150446] ? __devm_add_action+0x167/0x1d0 [ 13.155061] hid_gyro_3d_probe+0x120/0x7f0 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172] [ 13.158581] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.161814] platform_probe+0xa2/0x150 [ 13.165029] really_probe+0x1e3/0x8a0 [ 13.168243] __driver_probe_device+0x18c/0x370 [ 13.171500] driver_probe_device+0x4a/0x120 [ 13.175000] __driver_attach+0x190/0x4a0 [ 13.178521] ? __pfx___driver_attach+0x10/0x10 [ 13.181771] bus_for_each_dev+0x106/0x180 [ 13.185033] ? __pfx__raw_spin_lock+0x10/0x10 [ 13.188229] ? __pfx_bus_for_each_dev+0x10/0x10 [ 13.191446] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.194382] bus_add_driver+0x29e/0x4d0 [ 13.197328] driver_register+0x1a5/0x360 [ 13.200283] ? 
__pfx_hid_gyro_3d_platform_driver_init+0x10/0x10 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172] [ 13.203362] do_one_initcall+0xa7/0x380 [ 13.206432] ? __pfx_do_one_initcall+0x10/0x10 [ 13.210175] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.213211] ? kasan_unpoison+0x44/0x70 [ 13.216688] do_init_module+0x238/0x750 [ 13.2196 ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-47664", "url": "https://ubuntu.com/security/CVE-2024-47664", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: spi: hisi-kunpeng: Add verification for the max_frequency provided by the firmware If the value of max_speed_hz is 0, it may cause a division by zero error in hisi_calc_effective_speed(). The value of max_speed_hz is provided by firmware. Firmware is generally considered as a trusted domain. However, as division by zero errors can cause system failure, for defense measure, the value of max_speed is validated here. So 0 is regarded as invalid and an error code is returned.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-47665", "url": "https://ubuntu.com/security/CVE-2024-47665", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Error out instead on BUG_ON() in IBI DMA setup Definitely condition dma_get_cache_alignment * defined value > 256 during driver initialization is not reason to BUG_ON(). 
Turn that to graceful error out with -EINVAL.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46749", "url": "https://ubuntu.com/security/CVE-2024-46749", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btnxpuart: Fix Null pointer dereference in btnxpuart_flush() This adds a check before freeing the rx->skb in flush and close functions to handle the kernel crash seen while removing driver after FW download fails or before FW download completes. dmesg log: [ 54.634586] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000080 [ 54.643398] Mem abort info: [ 54.646204] ESR = 0x0000000096000004 [ 54.649964] EC = 0x25: DABT (current EL), IL = 32 bits [ 54.655286] SET = 0, FnV = 0 [ 54.658348] EA = 0, S1PTW = 0 [ 54.661498] FSC = 0x04: level 0 translation fault [ 54.666391] Data abort info: [ 54.669273] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 54.674768] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 54.674771] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 54.674775] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000048860000 [ 54.674780] [0000000000000080] pgd=0000000000000000, p4d=0000000000000000 [ 54.703880] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 54.710152] Modules linked in: btnxpuart(-) overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce polyval_generic snd_soc_imx_spdif snd_soc_imx_card snd_soc_ak5558 snd_soc_ak4458 caam secvio error snd_soc_fsl_micfil snd_soc_fsl_spdif snd_soc_fsl_sai snd_soc_fsl_utils imx_pcm_dma gpio_ir_recv rc_core sch_fq_codel fuse [ 54.744357] CPU: 3 PID: 72 Comm: kworker/u9:0 Not tainted 6.6.3-otbr-g128004619037 #2 [ 54.744364] Hardware name: FSL i.MX8MM EVK board (DT) [ 54.744368] Workqueue: hci0 hci_power_on [ 54.757244] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 54.757249] pc : kfree_skb_reason+0x18/0xb0 
[ 54.772299] lr : btnxpuart_flush+0x40/0x58 [btnxpuart] [ 54.782921] sp : ffff8000805ebca0 [ 54.782923] x29: ffff8000805ebca0 x28: ffffa5c6cf1869c0 x27: ffffa5c6cf186000 [ 54.782931] x26: ffff377b84852400 x25: ffff377b848523c0 x24: ffff377b845e7230 [ 54.782938] x23: ffffa5c6ce8dbe08 x22: ffffa5c6ceb65410 x21: 00000000ffffff92 [ 54.782945] x20: ffffa5c6ce8dbe98 x19: ffffffffffffffac x18: ffffffffffffffff [ 54.807651] x17: 0000000000000000 x16: ffffa5c6ce2824ec x15: ffff8001005eb857 [ 54.821917] x14: 0000000000000000 x13: ffffa5c6cf1a02e0 x12: 0000000000000642 [ 54.821924] x11: 0000000000000040 x10: ffffa5c6cf19d690 x9 : ffffa5c6cf19d688 [ 54.821931] x8 : ffff377b86000028 x7 : 0000000000000000 x6 : 0000000000000000 [ 54.821938] x5 : ffff377b86000000 x4 : 0000000000000000 x3 : 0000000000000000 [ 54.843331] x2 : 0000000000000000 x1 : 0000000000000002 x0 : ffffffffffffffac [ 54.857599] Call trace: [ 54.857601] kfree_skb_reason+0x18/0xb0 [ 54.863878] btnxpuart_flush+0x40/0x58 [btnxpuart] [ 54.863888] hci_dev_open_sync+0x3a8/0xa04 [ 54.872773] hci_power_on+0x54/0x2e4 [ 54.881832] process_one_work+0x138/0x260 [ 54.881842] worker_thread+0x32c/0x438 [ 54.881847] kthread+0x118/0x11c [ 54.881853] ret_from_fork+0x10/0x20 [ 54.896406] Code: a9be7bfd 910003fd f9000bf3 aa0003f3 (b940d400) [ 54.896410] ---[ end trace 0000000000000000 ]---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46750", "url": "https://ubuntu.com/security/CVE-2024-46750", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: PCI: Add missing bridge lock to pci_bus_lock() One of the true positives that the cfg_access_lock lockdep effort identified is this sequence: WARNING: CPU: 14 PID: 1 at drivers/pci/pci.c:4886 pci_bridge_secondary_bus_reset+0x5d/0x70 RIP: 0010:pci_bridge_secondary_bus_reset+0x5d/0x70 Call Trace: ? __warn+0x8c/0x190 ? pci_bridge_secondary_bus_reset+0x5d/0x70 ? report_bug+0x1f8/0x200 ? handle_bug+0x3c/0x70 ? 
exc_invalid_op+0x18/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? pci_bridge_secondary_bus_reset+0x5d/0x70 pci_reset_bus+0x1d8/0x270 vmd_probe+0x778/0xa10 pci_device_probe+0x95/0x120 Where pci_reset_bus() users are triggering unlocked secondary bus resets. Ironically pci_bus_reset(), several calls down from pci_reset_bus(), uses pci_bus_lock() before issuing the reset which locks everything *but* the bridge itself. For the same motivation as adding: bridge = pci_upstream_bridge(dev); if (bridge) pci_dev_lock(bridge); to pci_reset_function() for the \"bus\" and \"cxl_bus\" reset cases, add pci_dev_lock() for @bus->self to pci_bus_lock(). [bhelgaas: squash in recursive locking deadlock fix from Keith Busch: https://lore.kernel.org/r/20240711193650.701834-1-kbusch@meta.com]", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46752", "url": "https://ubuntu.com/security/CVE-2024-46752", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: replace BUG_ON() with error handling at update_ref_for_cow() Instead of a BUG_ON() just return an error, log an error message and abort the transaction in case we find an extent buffer belonging to the relocation tree that doesn't have the full backref flag set. This is unexpected and should never happen (save for bugs or a potential bad memory).", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46840", "url": "https://ubuntu.com/security/CVE-2024-46840", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: clean up our handling of refs == 0 in snapshot delete In reada we BUG_ON(refs == 0), which could be unkind since we aren't holding a lock on the extent leaf and thus could get a transient incorrect answer. In walk_down_proc we also BUG_ON(refs == 0), which could happen if we have extent tree corruption. Change that to return -EUCLEAN. 
In do_walk_down() we catch this case and handle it correctly, however we return -EIO, which -EUCLEAN is a more appropriate error code. Finally in walk_up_proc we have the same BUG_ON(refs == 0), so convert that to proper error handling. Also adjust the error message so we can actually do something with the information.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46755", "url": "https://ubuntu.com/security/CVE-2024-46755", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id() mwifiex_get_priv_by_id() returns the priv pointer corresponding to the bss_num and bss_type, but without checking if the priv is actually currently in use. Unused priv pointers do not have a wiphy attached to them which can lead to NULL pointer dereferences further down the callstack. Fix this by returning only used priv pointers which have priv->bss_mode set to something else than NL80211_IFTYPE_UNSPECIFIED. 
Said NULL pointer dereference happened when an Accesspoint was started with wpa_supplicant -i mlan0 with this config: network={ ssid=\"somessid\" mode=2 frequency=2412 key_mgmt=WPA-PSK WPA-PSK-SHA256 proto=RSN group=CCMP pairwise=CCMP psk=\"12345678\" } When waiting for the AP to be established, interrupting wpa_supplicant with and starting it again this happens: | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000140 | Mem abort info: | ESR = 0x0000000096000004 | EC = 0x25: DABT (current EL), IL = 32 bits | SET = 0, FnV = 0 | EA = 0, S1PTW = 0 | FSC = 0x04: level 0 translation fault | Data abort info: | ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 | CM = 0, WnR = 0, TnD = 0, TagAccess = 0 | GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000046d96000 | [0000000000000140] pgd=0000000000000000, p4d=0000000000000000 | Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP | Modules linked in: caam_jr caamhash_desc spidev caamalg_desc crypto_engine authenc libdes mwifiex_sdio +mwifiex crct10dif_ce cdc_acm onboard_usb_hub fsl_imx8_ddr_perf imx8m_ddrc rtc_ds1307 lm75 rtc_snvs +imx_sdma caam imx8mm_thermal spi_imx error imx_cpufreq_dt fuse ip_tables x_tables ipv6 | CPU: 0 PID: 8 Comm: kworker/0:1 Not tainted 6.9.0-00007-g937242013fce-dirty #18 | Hardware name: somemachine (DT) | Workqueue: events sdio_irq_work | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) | pc : mwifiex_get_cfp+0xd8/0x15c [mwifiex] | lr : mwifiex_get_cfp+0x34/0x15c [mwifiex] | sp : ffff8000818b3a70 | x29: ffff8000818b3a70 x28: ffff000006bfd8a5 x27: 0000000000000004 | x26: 000000000000002c x25: 0000000000001511 x24: 0000000002e86bc9 | x23: ffff000006bfd996 x22: 0000000000000004 x21: ffff000007bec000 | x20: 000000000000002c x19: 0000000000000000 x18: 0000000000000000 | x17: 000000040044ffff x16: 00500072b5503510 x15: ccc283740681e517 | x14: 0201000101006d15 x13: 0000000002e8ff43 x12: 002c01000000ffb1 | x11: 
0100000000000000 x10: 02e8ff43002c0100 x9 : 0000ffb100100157 | x8 : ffff000003d20000 x7 : 00000000000002f1 x6 : 00000000ffffe124 | x5 : 0000000000000001 x4 : 0000000000000003 x3 : 0000000000000000 | x2 : 0000000000000000 x1 : 0001000000011001 x0 : 0000000000000000 | Call trace: | mwifiex_get_cfp+0xd8/0x15c [mwifiex] | mwifiex_parse_single_response_buf+0x1d0/0x504 [mwifiex] | mwifiex_handle_event_ext_scan_report+0x19c/0x2f8 [mwifiex] | mwifiex_process_sta_event+0x298/0xf0c [mwifiex] | mwifiex_process_event+0x110/0x238 [mwifiex] | mwifiex_main_process+0x428/0xa44 [mwifiex] | mwifiex_sdio_interrupt+0x64/0x12c [mwifiex_sdio] | process_sdio_pending_irqs+0x64/0x1b8 | sdio_irq_work+0x4c/0x7c | process_one_work+0x148/0x2a0 | worker_thread+0x2fc/0x40c | kthread+0x110/0x114 | ret_from_fork+0x10/0x20 | Code: a94153f3 a8c37bfd d50323bf d65f03c0 (f940a000) | ---[ end trace 0000000000000000 ]---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-47666", "url": "https://ubuntu.com/security/CVE-2024-47666", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: pm80xx: Set phy->enable_completion only when we wait for it pm8001_phy_control() populates the enable_completion pointer with a stack address, sends a PHY_LINK_RESET / PHY_HARD_RESET, waits 300 ms, and returns. The problem arises when a phy control response comes late. After 300 ms the pm8001_phy_control() function returns and the passed enable_completion stack address is no longer valid. 
Late phy control response invokes complete() on a dangling enable_completion pointer which leads to a kernel crash.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46843", "url": "https://ubuntu.com/security/CVE-2024-46843", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Remove SCSI host only if added If host tries to remove ufshcd driver from a UFS device it would cause a kernel panic if ufshcd_async_scan fails during ufshcd_probe_hba before adding a SCSI host with scsi_add_host and MCQ is enabled since SCSI host has been defered after MCQ configuration introduced by commit 0cab4023ec7b (\"scsi: ufs: core: Defer adding host to SCSI if MCQ is supported\"). To guarantee that SCSI host is removed only if it has been added, set the scsi_host_added flag to true after adding a SCSI host and check whether it is set or not before removing it.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46760", "url": "https://ubuntu.com/security/CVE-2024-46760", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: usb: schedule rx work after everything is set up Right now it's possible to hit NULL pointer dereference in rtw_rx_fill_rx_status on hw object and/or its fields because initialization routine can start getting USB replies before rtw_dev is fully setup. The stack trace looks like this: rtw_rx_fill_rx_status rtw8821c_query_rx_desc rtw_usb_rx_handler ... queue_work rtw_usb_read_port_complete ... usb_submit_urb rtw_usb_rx_resubmit rtw_usb_init_rx rtw_usb_probe So while we do the async stuff rtw_usb_probe continues and calls rtw_register_hw, which does all kinds of initialization (e.g. via ieee80211_register_hw) that rtw_rx_fill_rx_status relies on. Fix this by moving the first usb_submit_urb after everything is set up. 
For me, this bug manifested as: [ 8.893177] rtw_8821cu 1-1:1.2: band wrong, packet dropped [ 8.910904] rtw_8821cu 1-1:1.2: hw->conf.chandef.chan NULL in rtw_rx_fill_rx_status because I'm using Larry's backport of rtw88 driver with the NULL checks in rtw_rx_fill_rx_status.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46761", "url": "https://ubuntu.com/security/CVE-2024-46761", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv The hotplug driver for powerpc (pci/hotplug/pnv_php.c) causes a kernel crash when we try to hot-unplug/disable the PCIe switch/bridge from the PHB. The crash occurs because although the MSI data structure has been released during disable/hot-unplug path and it has been assigned with NULL, still during unregistration the code was again trying to explicitly disable the MSI which causes the NULL pointer dereference and kernel crash. 
The patch fixes the check during unregistration path to prevent invoking pci_disable_msi/msix() since its data structure is already freed.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46844", "url": "https://ubuntu.com/security/CVE-2024-46844", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: um: line: always fill *error_out in setup_one_line() The pointer isn't initialized by callers, but I have encountered cases where it's still printed; initialize it in all possible cases in setup_one_line().", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46762", "url": "https://ubuntu.com/security/CVE-2024-46762", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xen: privcmd: Fix possible access to a freed kirqfd instance Nothing prevents simultaneous ioctl calls to privcmd_irqfd_assign() and privcmd_irqfd_deassign(). If that happens, it is possible that a kirqfd created and added to the irqfds_list by privcmd_irqfd_assign() may get removed by another thread executing privcmd_irqfd_deassign(), while the former is still using it after dropping the locks. This can lead to a situation where an already freed kirqfd instance may be accessed and cause kernel oops. Use SRCU locking to prevent the same, as is done for the KVM implementation for irqfds.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46763", "url": "https://ubuntu.com/security/CVE-2024-46763", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fou: Fix null-ptr-deref in GRO. We observed a null-ptr-deref in fou_gro_receive() while shutting down a host. [0] The NULL pointer is sk->sk_user_data, and the offset 8 is of protocol in struct fou. 
When fou_release() is called due to netns dismantle or explicit tunnel teardown, udp_tunnel_sock_release() sets NULL to sk->sk_user_data. Then, the tunnel socket is destroyed after a single RCU grace period. So, in-flight udp4_gro_receive() could find the socket and execute the FOU GRO handler, where sk->sk_user_data could be NULL. Let's use rcu_dereference_sk_user_data() in fou_from_sock() and add NULL checks in FOU GRO handlers. [0]: BUG: kernel NULL pointer dereference, address: 0000000000000008 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 80000001032f4067 P4D 80000001032f4067 PUD 103240067 PMD 0 SMP PTI CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.216-204.855.amzn2.x86_64 #1 Hardware name: Amazon EC2 c5.large/, BIOS 1.0 10/16/2017 RIP: 0010:fou_gro_receive (net/ipv4/fou.c:233) [fou] Code: 41 5f c3 cc cc cc cc e8 e7 2e 69 f4 0f 1f 80 00 00 00 00 0f 1f 44 00 00 49 89 f8 41 54 48 89 f7 48 89 d6 49 8b 80 88 02 00 00 <0f> b6 48 08 0f b7 42 4a 66 25 fd fd 80 cc 02 66 89 42 4a 0f b6 42 RSP: 0018:ffffa330c0003d08 EFLAGS: 00010297 RAX: 0000000000000000 RBX: ffff93d9e3a6b900 RCX: 0000000000000010 RDX: ffff93d9e3a6b900 RSI: ffff93d9e3a6b900 RDI: ffff93dac2e24d08 RBP: ffff93d9e3a6b900 R08: ffff93dacbce6400 R09: 0000000000000002 R10: 0000000000000000 R11: ffffffffb5f369b0 R12: ffff93dacbce6400 R13: ffff93dac2e24d08 R14: 0000000000000000 R15: ffffffffb4edd1c0 FS: 0000000000000000(0000) GS:ffff93daee800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 0000000102140001 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259) ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420) ? no_context (arch/x86/mm/fault.c:752) ? 
exc_page_fault (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 arch/x86/mm/fault.c:1435 arch/x86/mm/fault.c:1483) ? asm_exc_page_fault (arch/x86/include/asm/idtentry.h:571) ? fou_gro_receive (net/ipv4/fou.c:233) [fou] udp_gro_receive (include/linux/netdevice.h:2552 net/ipv4/udp_offload.c:559) udp4_gro_receive (net/ipv4/udp_offload.c:604) inet_gro_receive (net/ipv4/af_inet.c:1549 (discriminator 7)) dev_gro_receive (net/core/dev.c:6035 (discriminator 4)) napi_gro_receive (net/core/dev.c:6170) ena_clean_rx_irq (drivers/amazon/net/ena/ena_netdev.c:1558) [ena] ena_io_poll (drivers/amazon/net/ena/ena_netdev.c:1742) [ena] napi_poll (net/core/dev.c:6847) net_rx_action (net/core/dev.c:6917) __do_softirq (arch/x86/include/asm/jump_label.h:25 include/linux/jump_label.h:200 include/trace/events/irq.h:142 kernel/softirq.c:299) asm_call_irq_on_stack (arch/x86/entry/entry_64.S:809) do_softirq_own_stack (arch/x86/include/asm/irq_stack.h:27 arch/x86/include/asm/irq_stack.h:77 arch/x86/kernel/irq_64.c:77) irq_exit_rcu (kernel/softirq.c:393 kernel/softirq.c:423 kernel/softirq.c:435) common_interrupt (arch/x86/kernel/irq.c:239) asm_common_interrupt (arch/x86/include/asm/idtentry.h:626) RIP: 0010:acpi_idle_do_entry (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 drivers/acpi/processor_idle.c:114 drivers/acpi/processor_idle.c:575) Code: 8b 15 d1 3c c4 02 ed c3 cc cc cc cc 65 48 8b 04 25 40 ef 01 00 48 8b 00 a8 08 75 eb 0f 1f 44 00 00 0f 00 2d d5 09 55 00 fb f4 c3 cc cc cc cc e9 be fc ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 RSP: 0018:ffffffffb5603e58 EFLAGS: 00000246 RAX: 0000000000004000 RBX: ffff93dac0929c00 RCX: ffff93daee833900 RDX: ffff93daee800000 RSI: ffff93d ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46765", "url": "https://ubuntu.com/security/CVE-2024-46765", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ice: protect XDP 
configuration with a mutex The main threat to data consistency in ice_xdp() is a possible asynchronous PF reset. It can be triggered by a user or by TX timeout handler. XDP setup and PF reset code access the same resources in the following sections: * ice_vsi_close() in ice_prepare_for_reset() - already rtnl-locked * ice_vsi_rebuild() for the PF VSI - not protected * ice_vsi_open() - already rtnl-locked With an unfortunate timing, such accesses can result in a crash such as the one below: [ +1.999878] ice 0000:b1:00.0: Registered XDP mem model MEM_TYPE_XSK_BUFF_POOL on Rx ring 14 [ +2.002992] ice 0000:b1:00.0: Registered XDP mem model MEM_TYPE_XSK_BUFF_POOL on Rx ring 18 [Mar15 18:17] ice 0000:b1:00.0 ens801f0np0: NETDEV WATCHDOG: CPU: 38: transmit queue 14 timed out 80692736 ms [ +0.000093] ice 0000:b1:00.0 ens801f0np0: tx_timeout: VSI_num: 6, Q 14, NTC: 0x0, HW_HEAD: 0x0, NTU: 0x0, INT: 0x4000001 [ +0.000012] ice 0000:b1:00.0 ens801f0np0: tx_timeout recovery level 1, txqueue 14 [ +0.394718] ice 0000:b1:00.0: PTP reset successful [ +0.006184] BUG: kernel NULL pointer dereference, address: 0000000000000098 [ +0.000045] #PF: supervisor read access in kernel mode [ +0.000023] #PF: error_code(0x0000) - not-present page [ +0.000023] PGD 0 P4D 0 [ +0.000018] Oops: 0000 [#1] PREEMPT SMP NOPTI [ +0.000023] CPU: 38 PID: 7540 Comm: kworker/38:1 Not tainted 6.8.0-rc7 #1 [ +0.000031] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0014.082620210524 08/26/2021 [ +0.000036] Workqueue: ice ice_service_task [ice] [ +0.000183] RIP: 0010:ice_clean_tx_ring+0xa/0xd0 [ice] [...] [ +0.000013] Call Trace: [ +0.000016] [ +0.000014] ? __die+0x1f/0x70 [ +0.000029] ? page_fault_oops+0x171/0x4f0 [ +0.000029] ? schedule+0x3b/0xd0 [ +0.000027] ? exc_page_fault+0x7b/0x180 [ +0.000022] ? asm_exc_page_fault+0x22/0x30 [ +0.000031] ? 
ice_clean_tx_ring+0xa/0xd0 [ice] [ +0.000194] ice_free_tx_ring+0xe/0x60 [ice] [ +0.000186] ice_destroy_xdp_rings+0x157/0x310 [ice] [ +0.000151] ice_vsi_decfg+0x53/0xe0 [ice] [ +0.000180] ice_vsi_rebuild+0x239/0x540 [ice] [ +0.000186] ice_vsi_rebuild_by_type+0x76/0x180 [ice] [ +0.000145] ice_rebuild+0x18c/0x840 [ice] [ +0.000145] ? delay_tsc+0x4a/0xc0 [ +0.000022] ? delay_tsc+0x92/0xc0 [ +0.000020] ice_do_reset+0x140/0x180 [ice] [ +0.000886] ice_service_task+0x404/0x1030 [ice] [ +0.000824] process_one_work+0x171/0x340 [ +0.000685] worker_thread+0x277/0x3a0 [ +0.000675] ? preempt_count_add+0x6a/0xa0 [ +0.000677] ? _raw_spin_lock_irqsave+0x23/0x50 [ +0.000679] ? __pfx_worker_thread+0x10/0x10 [ +0.000653] kthread+0xf0/0x120 [ +0.000635] ? __pfx_kthread+0x10/0x10 [ +0.000616] ret_from_fork+0x2d/0x50 [ +0.000612] ? __pfx_kthread+0x10/0x10 [ +0.000604] ret_from_fork_asm+0x1b/0x30 [ +0.000604] The previous way of handling this through returning -EBUSY is not viable, particularly when destroying AF_XDP socket, because the kernel proceeds with removal anyway. There is plenty of code between those calls and there is no need to create a large critical section that covers all of them, same as there is no need to protect ice_vsi_rebuild() with rtnl_lock(). Add xdp_state_lock mutex to protect ice_vsi_rebuild() and ice_xdp(). Leaving unprotected sections in between would result in two states that have to be considered: 1. when the VSI is closed, but not yet rebuild 2. when VSI is already rebuild, but not yet open The latter case is actually already handled through !netif_running() case, we just need to adjust flag checking a little. The former one is not as trivial, because between ice_vsi_close() and ice_vsi_rebuild(), a lot of hardware interaction happens, this can make adding/deleting rings exit with an error. Luckily, VSI rebuild is pending and can apply new configuration for us in a managed fashion. 
Therefore, add an additional VSI state flag ICE_VSI_REBUILD_PENDING to indicate that ice_x ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46767", "url": "https://ubuntu.com/security/CVE-2024-46767", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: phy: Fix missing of_node_put() for leds The call of of_get_child_by_name() will cause refcount incremented for leds, if it succeeds, it should call of_node_put() to decrease it, fix it.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46768", "url": "https://ubuntu.com/security/CVE-2024-46768", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (hp-wmi-sensors) Check if WMI event data exists The BIOS can choose to return no event data in response to a WMI event, so the ACPI object passed to the WMI notify handler can be NULL. Check for such a situation and ignore the event in such a case.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46770", "url": "https://ubuntu.com/security/CVE-2024-46770", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ice: Add netif_device_attach/detach into PF reset flow Ethtool callbacks can be executed while reset is in progress and try to access deleted resources, e.g. getting coalesce settings can result in a NULL pointer dereference seen below. 
Reproduction steps: Once the driver is fully initialized, trigger reset: \t# echo 1 > /sys/class/net//device/reset when reset is in progress try to get coalesce settings using ethtool: \t# ethtool -c BUG: kernel NULL pointer dereference, address: 0000000000000020 PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP PTI CPU: 11 PID: 19713 Comm: ethtool Tainted: G S 6.10.0-rc7+ #7 RIP: 0010:ice_get_q_coalesce+0x2e/0xa0 [ice] RSP: 0018:ffffbab1e9bcf6a8 EFLAGS: 00010206 RAX: 000000000000000c RBX: ffff94512305b028 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff9451c3f2e588 RDI: ffff9451c3f2e588 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: ffff9451c3f2e580 R11: 000000000000001f R12: ffff945121fa9000 R13: ffffbab1e9bcf760 R14: 0000000000000013 R15: ffffffff9e65dd40 FS: 00007faee5fbe740(0000) GS:ffff94546fd80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000020 CR3: 0000000106c2e005 CR4: 00000000001706f0 Call Trace: ice_get_coalesce+0x17/0x30 [ice] coalesce_prepare_data+0x61/0x80 ethnl_default_doit+0xde/0x340 genl_family_rcv_msg_doit+0xf2/0x150 genl_rcv_msg+0x1b3/0x2c0 netlink_rcv_skb+0x5b/0x110 genl_rcv+0x28/0x40 netlink_unicast+0x19c/0x290 netlink_sendmsg+0x222/0x490 __sys_sendto+0x1df/0x1f0 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x82/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7faee60d8e27 Calling netif_device_detach() before reset makes the net core not call the driver when ethtool command is issued, the attempt to execute an ethtool command during reset will result in the following message: netlink error: No such device instead of NULL pointer dereference. 
Once reset is done and ice_rebuild() is executing, the netif_device_attach() is called to allow for ethtool operations to occur again in a safe manner.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46771", "url": "https://ubuntu.com/security/CVE-2024-46771", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: can: bcm: Remove proc entry when dev is unregistered. syzkaller reported a warning in bcm_connect() below. [0] The repro calls connect() to vxcan1, removes vxcan1, and calls connect() with ifindex == 0. Calling connect() for a BCM socket allocates a proc entry. Then, bcm_sk(sk)->bound is set to 1 to prevent further connect(). However, removing the bound device resets bcm_sk(sk)->bound to 0 in bcm_notify(). The 2nd connect() tries to allocate a proc entry with the same name and sets NULL to bcm_sk(sk)->bcm_proc_read, leaking the original proc entry. Since the proc entry is available only for connect()ed sockets, let's clean up the entry when the bound netdev is unregistered. 
[0]: proc_dir_entry 'can-bcm/2456' already registered WARNING: CPU: 1 PID: 394 at fs/proc/generic.c:376 proc_register+0x645/0x8f0 fs/proc/generic.c:375 Modules linked in: CPU: 1 PID: 394 Comm: syz-executor403 Not tainted 6.10.0-rc7-g852e42cc2dd4 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:proc_register+0x645/0x8f0 fs/proc/generic.c:375 Code: 00 00 00 00 00 48 85 ed 0f 85 97 02 00 00 4d 85 f6 0f 85 9f 02 00 00 48 c7 c7 9b cb cf 87 48 89 de 4c 89 fa e8 1c 6f eb fe 90 <0f> 0b 90 90 48 c7 c7 98 37 99 89 e8 cb 7e 22 05 bb 00 00 00 10 48 RSP: 0018:ffa0000000cd7c30 EFLAGS: 00010246 RAX: 9e129be1950f0200 RBX: ff1100011b51582c RCX: ff1100011857cd80 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002 RBP: 0000000000000000 R08: ffd400000000000f R09: ff1100013e78cac0 R10: ffac800000cd7980 R11: ff1100013e12b1f0 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: ff1100011a99a2ec FS: 00007fbd7086f740(0000) GS:ff1100013fd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000200071c0 CR3: 0000000118556004 CR4: 0000000000771ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: proc_create_net_single+0x144/0x210 fs/proc/proc_net.c:220 bcm_connect+0x472/0x840 net/can/bcm.c:1673 __sys_connect_file net/socket.c:2049 [inline] __sys_connect+0x5d2/0x690 net/socket.c:2066 __do_sys_connect net/socket.c:2076 [inline] __se_sys_connect net/socket.c:2073 [inline] __x64_sys_connect+0x8f/0x100 net/socket.c:2073 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd9/0x1c0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7fbd708b0e5d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 
48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48 RSP: 002b:00007fff8cd33f08 EFLAGS: 00000246 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fbd708b0e5d RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000040 R09: 0000000000000040 R10: 0000000000000040 R11: 0000000000000246 R12: 00007fff8cd34098 R13: 0000000000401280 R14: 0000000000406de8 R15: 00007fbd70ab9000 remove_proc_entry: removing non-empty directory 'net/can-bcm', leaking at least '2456'", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46773", "url": "https://ubuntu.com/security/CVE-2024-46773", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check denominator pbn_div before used [WHAT & HOW] A denominator cannot be 0, and is checked before used. This fixes 1 DIVIDE_BY_ZERO issue reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-47667", "url": "https://ubuntu.com/security/CVE-2024-47667", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0) Errata #i2037 in AM65x/DRA80xM Processors Silicon Revision 1.0 (SPRZ452D_July 2018_Revised December 2019 [1]) mentions when an inbound PCIe TLP spans more than two internal AXI 128-byte bursts, the bus may corrupt the packet payload and the corrupt data may cause associated applications or the processor to hang. The workaround for Errata #i2037 is to limit the maximum read request size and maximum payload size to 128 bytes. Add workaround for Errata #i2037 here. The errata and workaround is applicable only to AM65x SR 1.0 and later versions of the silicon will have this fixed. 
[1] -> https://www.ti.com/lit/er/sprz452i/sprz452i.pdf", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46835", "url": "https://ubuntu.com/security/CVE-2024-46835", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix smatch static checker warning adev->gfx.imu.funcs could be NULL", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46776", "url": "https://ubuntu.com/security/CVE-2024-46776", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Run DC_LOG_DC after checking link->link_enc [WHAT] The DC_LOG_DC should be run after link->link_enc is checked, not before. This fixes 1 REVERSE_INULL issue reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46836", "url": "https://ubuntu.com/security/CVE-2024-46836", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: usb: gadget: aspeed_udc: validate endpoint index for ast udc We should verify the bound of the array to assure that host may not manipulate the index to point past endpoint array. Found by static analysis.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46777", "url": "https://ubuntu.com/security/CVE-2024-46777", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: udf: Avoid excessive partition lengths Avoid mounting filesystems where the partition would overflow the 32-bits used for block number. 
Also refuse to mount filesystems where the partition length is so large we cannot safely index bits in a block bitmap.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46825", "url": "https://ubuntu.com/security/CVE-2024-46825", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: use IWL_FW_CHECK for link ID check The lookup function iwl_mvm_rcu_fw_link_id_to_link_conf() is normally called with input from the firmware, so it should use IWL_FW_CHECK() instead of WARN_ON().", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46826", "url": "https://ubuntu.com/security/CVE-2024-46826", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ELF: fix kernel.randomize_va_space double read ELF loader uses \"randomize_va_space\" twice. It is sysctl and can change at any moment, so 2 loads could see 2 different values in theory with unpredictable consequences. Issue exactly one load for consistent value across one exec.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46827", "url": "https://ubuntu.com/security/CVE-2024-46827", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix firmware crash due to invalid peer nss Currently, if the access point receives an association request containing an Extended HE Capabilities Information Element with an invalid MCS-NSS, it triggers a firmware crash. This issue arises when EHT-PHY capabilities shows support for a bandwidth and MCS-NSS set for that particular bandwidth is filled by zeros and due to this, driver obtains peer_nss as 0 and sending this value to firmware causes crash. Address this issue by implementing a validation step for the peer_nss value before passing it to the firmware. 
If the value is greater than zero, proceed with forwarding it to the firmware. However, if the value is invalid, reject the association request to prevent potential firmware crashes. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-47669", "url": "https://ubuntu.com/security/CVE-2024-47669", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix state management in error path of log writing function After commit a694291a6211 (\"nilfs2: separate wait function from nilfs_segctor_write\") was applied, the log writing function nilfs_segctor_do_construct() was able to issue I/O requests continuously even if user data blocks were split into multiple logs across segments, but two potential flaws were introduced in its error handling. First, if nilfs_segctor_begin_construction() fails while creating the second or subsequent logs, the log writing function returns without calling nilfs_segctor_abort_construction(), so the writeback flag set on pages/folios will remain uncleared. This causes page cache operations to hang waiting for the writeback flag. For example, truncate_inode_pages_final(), which is called via nilfs_evict_inode() when an inode is evicted from memory, will hang. Second, the NILFS_I_COLLECTED flag set on normal inodes remain uncleared. As a result, if the next log write involves checkpoint creation, that's fine, but if a partial log write is performed that does not, inodes with NILFS_I_COLLECTED set are erroneously removed from the \"sc_dirty_files\" list, and their data and b-tree blocks may not be written to the device, corrupting the block mapping. 
Fix these issues by uniformly calling nilfs_segctor_abort_construction() on failure of each step in the loop in nilfs_segctor_do_construct(), having it clean up logs and segment usages according to progress, and correcting the conditions for calling nilfs_redirty_inodes() to ensure that the NILFS_I_COLLECTED flag is cleared.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46780", "url": "https://ubuntu.com/security/CVE-2024-46780", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nilfs2: protect references to superblock parameters exposed in sysfs The superblock buffers of nilfs2 can not only be overwritten at runtime for modifications/repairs, but they are also regularly swapped, replaced during resizing, and even abandoned when degrading to one side due to backing device issues. So, accessing them requires mutual exclusion using the reader/writer semaphore \"nilfs->ns_sem\". Some sysfs attribute show methods read this superblock buffer without the necessary mutual exclusion, which can cause problems with pointer dereferencing and memory access, so fix it.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46781", "url": "https://ubuntu.com/security/CVE-2024-46781", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix missing cleanup on rollforward recovery error In an error injection test of a routine for mount-time recovery, KASAN found a use-after-free bug. It turned out that if data recovery was performed using partial logs created by dsync writes, but an error occurred before starting the log writer to create a recovered checkpoint, the inodes whose data had been recovered were left in the ns_dirty_files list of the nilfs object and were not freed. 
Fix this issue by cleaning up inodes that have read the recovery data if the recovery routine fails midway before the log writer starts.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46828", "url": "https://ubuntu.com/security/CVE-2024-46828", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sched: sch_cake: fix bulk flow accounting logic for host fairness In sch_cake, we keep track of the count of active bulk flows per host, when running in dst/src host fairness mode, which is used as the round-robin weight when iterating through flows. The count of active bulk flows is updated whenever a flow changes state. This has a peculiar interaction with the hash collision handling: when a hash collision occurs (after the set-associative hashing), the state of the hash bucket is simply updated to match the new packet that collided, and if host fairness is enabled, that also means assigning new per-host state to the flow. For this reason, the bulk flow counters of the host(s) assigned to the flow are decremented, before new state is assigned (and the counters, which may not belong to the same host anymore, are incremented again). Back when this code was introduced, the host fairness mode was always enabled, so the decrement was unconditional. When the configuration flags were introduced the *increment* was made conditional, but the *decrement* was not. Which of course can lead to a spurious decrement (and associated wrap-around to U16_MAX). AFAICT, when host fairness is disabled, the decrement and wrap-around happens as soon as a hash collision occurs (which is not that common in itself, due to the set-associative hashing). However, in most cases this is harmless, as the value is only used when host fairness mode is enabled. 
So in order to trigger an array overflow, sch_cake has to first be configured with host fairness disabled, and while running in this mode, a hash collision has to occur to cause the overflow. Then, the qdisc has to be reconfigured to enable host fairness, which leads to the array out-of-bounds because the wrapped-around value is retained and used as an array index. It seems that syzbot managed to trigger this, which is quite impressive in its own right. This patch fixes the issue by introducing the same conditional check on decrement as is used on increment. The original bug predates the upstreaming of cake, but the commit listed in the Fixes tag touched that code, meaning that this patch won't apply before that.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46782", "url": "https://ubuntu.com/security/CVE-2024-46782", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ila: call nf_unregister_net_hooks() sooner syzbot found an use-after-free Read in ila_nf_input [1] Issue here is that ila_xlat_exit_net() frees the rhashtable, then call nf_unregister_net_hooks(). It should be done in the reverse way, with a synchronize_rcu(). This is a good match for a pre_exit() method. 
[1] BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline] BUG: KASAN: use-after-free in __rhashtable_lookup include/linux/rhashtable.h:604 [inline] BUG: KASAN: use-after-free in rhashtable_lookup include/linux/rhashtable.h:646 [inline] BUG: KASAN: use-after-free in rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 Read of size 4 at addr ffff888064620008 by task ksoftirqd/0/16 CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.11.0-rc4-syzkaller-00238-g2ad6d23f465a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 rht_key_hashfn include/linux/rhashtable.h:159 [inline] __rhashtable_lookup include/linux/rhashtable.h:604 [inline] rhashtable_lookup include/linux/rhashtable.h:646 [inline] rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline] ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline] ila_nf_input+0x1fe/0x3c0 net/ipv6/ila/ila_xlat.c:190 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312 __netif_receive_skb_one_core net/core/dev.c:5661 [inline] __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5775 process_backlog+0x662/0x15b0 net/core/dev.c:6108 __napi_poll+0xcb/0x490 net/core/dev.c:6772 napi_poll net/core/dev.c:6841 [inline] net_rx_action+0x89b/0x1240 net/core/dev.c:6963 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554 run_ksoftirqd+0xca/0x130 kernel/softirq.c:928 smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 
arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64620 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: 0xbfffffff(buddy) raw: 00fff00000000000 ffffea0000959608 ffffea00019d9408 0000000000000000 raw: 0000000000000000 0000000000000003 00000000bfffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 5242, tgid 5242 (syz-executor), ts 73611328570, free_ts 618981657187 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493 prep_new_page mm/page_alloc.c:1501 [inline] get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3439 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4695 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline] alloc_pages_node_noprof include/linux/gfp.h:296 [inline] ___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4103 __kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4130 __do_kmalloc_node mm/slub.c:4146 [inline] __kmalloc_node_noprof+0x2d2/0x440 mm/slub.c:4164 __kvmalloc_node_noprof+0x72/0x190 mm/util.c:650 bucket_table_alloc lib/rhashtable.c:186 [inline] rhashtable_init_noprof+0x534/0xa60 lib/rhashtable.c:1071 ila_xlat_init_net+0xa0/0x110 net/ipv6/ila/ila_xlat.c:613 ops_ini ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46783", "url": "https://ubuntu.com/security/CVE-2024-46783", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp_bpf: fix return value of tcp_bpf_sendmsg() When we cork messages in psock->cork, the last message triggers the flushing will result in sending a sk_msg larger than the current message size. 
In this case, in tcp_bpf_send_verdict(), 'copied' becomes negative at least in the following case: 468 case __SK_DROP: 469 default: 470 sk_msg_free_partial(sk, msg, tosend); 471 sk_msg_apply_bytes(psock, tosend); 472 *copied -= (tosend + delta); // <==== HERE 473 return -EACCES; Therefore, it could lead to the following BUG with a proper value of 'copied' (thanks to syzbot). We should not use negative 'copied' as a return value here. ------------[ cut here ]------------ kernel BUG at net/socket.c:733! Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP Modules linked in: CPU: 0 UID: 0 PID: 3265 Comm: syz-executor510 Not tainted 6.11.0-rc3-syzkaller-00060-gd07b43284ab3 #0 Hardware name: linux,dummy-virt (DT) pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) pc : sock_sendmsg_nosec net/socket.c:733 [inline] pc : sock_sendmsg_nosec net/socket.c:728 [inline] pc : __sock_sendmsg+0x5c/0x60 net/socket.c:745 lr : sock_sendmsg_nosec net/socket.c:730 [inline] lr : __sock_sendmsg+0x54/0x60 net/socket.c:745 sp : ffff800088ea3b30 x29: ffff800088ea3b30 x28: fbf00000062bc900 x27: 0000000000000000 x26: ffff800088ea3bc0 x25: ffff800088ea3bc0 x24: 0000000000000000 x23: f9f00000048dc000 x22: 0000000000000000 x21: ffff800088ea3d90 x20: f9f00000048dc000 x19: ffff800088ea3d90 x18: 0000000000000001 x17: 0000000000000000 x16: 0000000000000000 x15: 000000002002ffaf x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: ffff8000815849c0 x9 : ffff8000815b49c0 x8 : 0000000000000000 x7 : 000000000000003f x6 : 0000000000000000 x5 : 00000000000007e0 x4 : fff07ffffd239000 x3 : fbf00000062bc900 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 00000000fffffdef Call trace: sock_sendmsg_nosec net/socket.c:733 [inline] __sock_sendmsg+0x5c/0x60 net/socket.c:745 ____sys_sendmsg+0x274/0x2ac net/socket.c:2597 ___sys_sendmsg+0xac/0x100 net/socket.c:2651 __sys_sendmsg+0x84/0xe0 net/socket.c:2680 __do_sys_sendmsg net/socket.c:2689 [inline] 
__se_sys_sendmsg net/socket.c:2687 [inline] __arm64_sys_sendmsg+0x24/0x30 net/socket.c:2687 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x48/0x110 arch/arm64/kernel/syscall.c:49 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151 el0_svc+0x34/0xec arch/arm64/kernel/entry-common.c:712 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598 Code: f9404463 d63f0060 3108441f 54fffe81 (d4210000) ---[ end trace 0000000000000000 ]---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46784", "url": "https://ubuntu.com/security/CVE-2024-46784", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup Currently napi_disable() gets called during rxq and txq cleanup, even before napi is enabled and hrtimer is initialized. It causes kernel panic. ? page_fault_oops+0x136/0x2b0 ? page_counter_cancel+0x2e/0x80 ? do_user_addr_fault+0x2f2/0x640 ? refill_obj_stock+0xc4/0x110 ? exc_page_fault+0x71/0x160 ? asm_exc_page_fault+0x27/0x30 ? __mmdrop+0x10/0x180 ? __mmdrop+0xec/0x180 ? hrtimer_active+0xd/0x50 hrtimer_try_to_cancel+0x2c/0xf0 hrtimer_cancel+0x15/0x30 napi_disable+0x65/0x90 mana_destroy_rxq+0x4c/0x2f0 mana_create_rxq.isra.0+0x56c/0x6d0 ? mana_uncfg_vport+0x50/0x50 mana_alloc_queues+0x21b/0x320 ? 
skb_dequeue+0x5f/0x80", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46785", "url": "https://ubuntu.com/security/CVE-2024-46785", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: eventfs: Use list_del_rcu() for SRCU protected list variable Chi Zhiling reported: We found a null pointer accessing in tracefs[1], the reason is that the variable 'ei_child' is set to LIST_POISON1, that means the list was removed in eventfs_remove_rec. so when access the ei_child->is_freed, the panic triggered. by the way, the following script can reproduce this panic loop1 (){ while true do echo \"p:kp submit_bio\" > /sys/kernel/debug/tracing/kprobe_events echo \"\" > /sys/kernel/debug/tracing/kprobe_events done } loop2 (){ while true do tree /sys/kernel/debug/tracing/events/kprobes/ done } loop1 & loop2 [1]: [ 1147.959632][T17331] Unable to handle kernel paging request at virtual address dead000000000150 [ 1147.968239][T17331] Mem abort info: [ 1147.971739][T17331] ESR = 0x0000000096000004 [ 1147.976172][T17331] EC = 0x25: DABT (current EL), IL = 32 bits [ 1147.982171][T17331] SET = 0, FnV = 0 [ 1147.985906][T17331] EA = 0, S1PTW = 0 [ 1147.989734][T17331] FSC = 0x04: level 0 translation fault [ 1147.995292][T17331] Data abort info: [ 1147.998858][T17331] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 1148.005023][T17331] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 1148.010759][T17331] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 1148.016752][T17331] [dead000000000150] address between user and kernel address ranges [ 1148.024571][T17331] Internal error: Oops: 0000000096000004 [#1] SMP [ 1148.030825][T17331] Modules linked in: team_mode_loadbalance team nlmon act_gact cls_flower sch_ingress bonding tls macvlan dummy ib_core bridge stp llc veth amdgpu amdxcp mfd_core gpu_sched drm_exec drm_buddy radeon crct10dif_ce video drm_suballoc_helper ghash_ce drm_ttm_helper sha2_ce ttm sha256_arm64 i2c_algo_bit 
sha1_ce sbsa_gwdt cp210x drm_display_helper cec sr_mod cdrom drm_kms_helper binfmt_misc sg loop fuse drm dm_mod nfnetlink ip_tables autofs4 [last unloaded: tls] [ 1148.072808][T17331] CPU: 3 PID: 17331 Comm: ls Tainted: G W ------- ---- 6.6.43 #2 [ 1148.081751][T17331] Source Version: 21b3b386e948bedd29369af66f3e98ab01b1c650 [ 1148.088783][T17331] Hardware name: Greatwall GW-001M1A-FTF/GW-001M1A-FTF, BIOS KunLun BIOS V4.0 07/16/2020 [ 1148.098419][T17331] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 1148.106060][T17331] pc : eventfs_iterate+0x2c0/0x398 [ 1148.111017][T17331] lr : eventfs_iterate+0x2fc/0x398 [ 1148.115969][T17331] sp : ffff80008d56bbd0 [ 1148.119964][T17331] x29: ffff80008d56bbf0 x28: ffff001ff5be2600 x27: 0000000000000000 [ 1148.127781][T17331] x26: ffff001ff52ca4e0 x25: 0000000000009977 x24: dead000000000100 [ 1148.135598][T17331] x23: 0000000000000000 x22: 000000000000000b x21: ffff800082645f10 [ 1148.143415][T17331] x20: ffff001fddf87c70 x19: ffff80008d56bc90 x18: 0000000000000000 [ 1148.151231][T17331] x17: 0000000000000000 x16: 0000000000000000 x15: ffff001ff52ca4e0 [ 1148.159048][T17331] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 1148.166864][T17331] x11: 0000000000000000 x10: 0000000000000000 x9 : ffff8000804391d0 [ 1148.174680][T17331] x8 : 0000000180000000 x7 : 0000000000000018 x6 : 0000aaab04b92862 [ 1148.182498][T17331] x5 : 0000aaab04b92862 x4 : 0000000080000000 x3 : 0000000000000068 [ 1148.190314][T17331] x2 : 000000000000000f x1 : 0000000000007ea8 x0 : 0000000000000001 [ 1148.198131][T17331] Call trace: [ 1148.201259][T17331] eventfs_iterate+0x2c0/0x398 [ 1148.205864][T17331] iterate_dir+0x98/0x188 [ 1148.210036][T17331] __arm64_sys_getdents64+0x78/0x160 [ 1148.215161][T17331] invoke_syscall+0x78/0x108 [ 1148.219593][T17331] el0_svc_common.constprop.0+0x48/0xf0 [ 1148.224977][T17331] do_el0_svc+0x24/0x38 [ 1148.228974][T17331] el0_svc+0x40/0x168 [ 1148.232798][T17 ---truncated---", 
"cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46786", "url": "https://ubuntu.com/security/CVE-2024-46786", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF The fscache_cookie_lru_timer is initialized when the fscache module is inserted, but is not deleted when the fscache module is removed. If timer_reduce() is called before removing the fscache module, the fscache_cookie_lru_timer will be added to the timer list of the current cpu. Afterwards, a use-after-free will be triggered in the softIRQ after removing the fscache module, as follows: ================================================================== BUG: unable to handle page fault for address: fffffbfff803c9e9 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 21ffea067 P4D 21ffea067 PUD 21ffe6067 PMD 110a7c067 PTE 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G W 6.11.0-rc3 #855 Tainted: [W]=WARN RIP: 0010:__run_timer_base.part.0+0x254/0x8a0 Call Trace: tmigr_handle_remote_up+0x627/0x810 __walk_groups.isra.0+0x47/0x140 tmigr_handle_remote+0x1fa/0x2f0 handle_softirqs+0x180/0x590 irq_exit_rcu+0x84/0xb0 sysvec_apic_timer_interrupt+0x6e/0x90 asm_sysvec_apic_timer_interrupt+0x1a/0x20 RIP: 0010:default_idle+0xf/0x20 default_idle_call+0x38/0x60 do_idle+0x2b5/0x300 cpu_startup_entry+0x54/0x60 start_secondary+0x20d/0x280 common_startup_64+0x13e/0x148 Modules linked in: [last unloaded: netfs] ================================================================== Therefore delete fscache_cookie_lru_timer when removing the fscache module.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46787", "url": "https://ubuntu.com/security/CVE-2024-46787", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: 
userfaultfd: fix checks for huge PMDs Patch series \"userfaultfd: fix races around pmd_trans_huge() check\", v2. The pmd_trans_huge() code in mfill_atomic() is wrong in three different ways depending on kernel version: 1. The pmd_trans_huge() check is racy and can lead to a BUG_ON() (if you hit the right two race windows) - I've tested this in a kernel build with some extra mdelay() calls. See the commit message for a description of the race scenario. On older kernels (before 6.5), I think the same bug can even theoretically lead to accessing transhuge page contents as a page table if you hit the right 5 narrow race windows (I haven't tested this case). 2. As pointed out by Qi Zheng, pmd_trans_huge() is not sufficient for detecting PMDs that don't point to page tables. On older kernels (before 6.5), you'd just have to win a single fairly wide race to hit this. I've tested this on 6.1 stable by racing migration (with a mdelay() patched into try_to_migrate()) against UFFDIO_ZEROPAGE - on my x86 VM, that causes a kernel oops in ptlock_ptr(). 3. On newer kernels (>=6.5), for shmem mappings, khugepaged is allowed to yank page tables out from under us (though I haven't tested that), so I think the BUG_ON() checks in mfill_atomic() are just wrong. I decided to write two separate fixes for these (one fix for bugs 1+2, one fix for bug 3), so that the first fix can be backported to kernels affected by bugs 1+2. This patch (of 2): This fixes two issues. I discovered that the following race can occur: mfill_atomic other thread ============ ============ pmdp_get_lockless() [reads none pmd] __pte_alloc [no-op] BUG_ON(pmd_none(*dst_pmd)) I have experimentally verified this in a kernel with extra mdelay() calls; the BUG_ON(pmd_none(*dst_pmd)) triggers. 
On kernels newer than commit 0d940a9b270b (\"mm/pgtable: allow pte_offset_map[_lock]() to fail\"), this can't lead to anything worse than a BUG_ON(), since the page table access helpers are actually designed to deal with page tables concurrently disappearing; but on older kernels (<=6.4), I think we could probably theoretically race past the two BUG_ON() checks and end up treating a hugepage as a page table. The second issue is that, as Qi Zheng pointed out, there are other types of huge PMDs that pmd_trans_huge() can't catch: devmap PMDs and swap PMDs (in particular, migration PMDs). On <=6.4, this is worse than the first issue: If mfill_atomic() runs on a PMD that contains a migration entry (which just requires winning a single, fairly wide race), it will pass the PMD to pte_offset_map_lock(), which assumes that the PMD points to a page table. Breakage follows: First, the kernel tries to take the PTE lock (which will crash or maybe worse if there is no \"struct page\" for the address bits in the migration entry PMD - I think at least on X86 there usually is no corresponding \"struct page\" thanks to the PTE inversion mitigation, amd64 looks different). If that didn't crash, the kernel would next try to write a PTE into what it wrongly thinks is a page table. As part of fixing these issues, get rid of the check for pmd_trans_huge() before __pte_alloc() - that's redundant, we're going to have to check for that after the __pte_alloc() anyway. 
Backport note: pmdp_get_lockless() is pmd_read_atomic() in older kernels.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46838", "url": "https://ubuntu.com/security/CVE-2024-46838", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: userfaultfd: don't BUG_ON() if khugepaged yanks our page table Since khugepaged was changed to allow retracting page tables in file mappings without holding the mmap lock, these BUG_ON()s are wrong - get rid of them. We could also remove the preceding \"if (unlikely(...))\" block, but then we could reach pte_offset_map_lock() with transhuge pages not just for file mappings but also for anonymous mappings - which would probably be fine but I think is not necessarily expected.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46845", "url": "https://ubuntu.com/security/CVE-2024-46845", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tracing/timerlat: Only clear timer if a kthread exists The timerlat tracer can use user space threads to check for osnoise and timer latency. If the program using this is killed via a SIGTERM, the threads are shutdown one at a time and another tracing instance can start up resetting the threads before they are fully closed. That causes the hrtimer assigned to the kthread to be shutdown and freed twice when the dying thread finally closes the file descriptors, causing a use-after-free bug. Only cancel the hrtimer if the associated thread is still around. Also add the interface_lock around the resetting of the tlat_var->kthread. Note, this is just a quick fix that can be backported to stable. 
A real fix is to have a better synchronization between the shutdown of old threads and the starting of new ones.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46788", "url": "https://ubuntu.com/security/CVE-2024-46788", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tracing/osnoise: Use a cpumask to know what threads are kthreads The start_kthread() and stop_thread() code was not always called with the interface_lock held. This means that the kthread variable could be unexpectedly changed causing the kthread_stop() to be called on it when it should not have been, leading to: while true; do rtla timerlat top -u -q & PID=$!; sleep 5; kill -INT $PID; sleep 0.001; kill -TERM $PID; wait $PID; done Causing the following OOPS: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] CPU: 5 UID: 0 PID: 885 Comm: timerlatu/5 Not tainted 6.11.0-rc4-test-00002-gbc754cc76d1b-dirty #125 a533010b71dab205ad2f507188ce8c82203b0254 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:hrtimer_active+0x58/0x300 Code: 48 c1 ee 03 41 54 48 01 d1 48 01 d6 55 53 48 83 ec 20 80 39 00 0f 85 30 02 00 00 49 8b 6f 30 4c 8d 75 10 4c 89 f0 48 c1 e8 03 <0f> b6 3c 10 4c 89 f0 83 e0 07 83 c0 03 40 38 f8 7c 09 40 84 ff 0f RSP: 0018:ffff88811d97f940 EFLAGS: 00010202 RAX: 0000000000000002 RBX: ffff88823c6b5b28 RCX: ffffed10478d6b6b RDX: dffffc0000000000 RSI: ffffed10478d6b6c RDI: ffff88823c6b5b28 RBP: 0000000000000000 R08: ffff88823c6b5b58 R09: ffff88823c6b5b60 R10: ffff88811d97f957 R11: 0000000000000010 R12: 00000000000a801d R13: ffff88810d8b35d8 R14: 0000000000000010 R15: ffff88823c6b5b28 FS: 0000000000000000(0000) GS:ffff88823c680000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000561858ad7258 
CR3: 000000007729e001 CR4: 0000000000170ef0 Call Trace: ? die_addr+0x40/0xa0 ? exc_general_protection+0x154/0x230 ? asm_exc_general_protection+0x26/0x30 ? hrtimer_active+0x58/0x300 ? __pfx_mutex_lock+0x10/0x10 ? __pfx_locks_remove_file+0x10/0x10 hrtimer_cancel+0x15/0x40 timerlat_fd_release+0x8e/0x1f0 ? security_file_release+0x43/0x80 __fput+0x372/0xb10 task_work_run+0x11e/0x1f0 ? _raw_spin_lock+0x85/0xe0 ? __pfx_task_work_run+0x10/0x10 ? poison_slab_object+0x109/0x170 ? do_exit+0x7a0/0x24b0 do_exit+0x7bd/0x24b0 ? __pfx_migrate_enable+0x10/0x10 ? __pfx_do_exit+0x10/0x10 ? __pfx_read_tsc+0x10/0x10 ? ktime_get+0x64/0x140 ? _raw_spin_lock_irq+0x86/0xe0 do_group_exit+0xb0/0x220 get_signal+0x17ba/0x1b50 ? vfs_read+0x179/0xa40 ? timerlat_fd_read+0x30b/0x9d0 ? __pfx_get_signal+0x10/0x10 ? __pfx_timerlat_fd_read+0x10/0x10 arch_do_signal_or_restart+0x8c/0x570 ? __pfx_arch_do_signal_or_restart+0x10/0x10 ? vfs_read+0x179/0xa40 ? ksys_read+0xfe/0x1d0 ? __pfx_ksys_read+0x10/0x10 syscall_exit_to_user_mode+0xbc/0x130 do_syscall_64+0x74/0x110 ? __pfx___rseq_handle_notify_resume+0x10/0x10 ? __pfx_ksys_read+0x10/0x10 ? fpregs_restore_userregs+0xdb/0x1e0 ? fpregs_restore_userregs+0xdb/0x1e0 ? syscall_exit_to_user_mode+0x116/0x130 ? do_syscall_64+0x74/0x110 ? do_syscall_64+0x74/0x110 ? do_syscall_64+0x74/0x110 entry_SYSCALL_64_after_hwframe+0x71/0x79 RIP: 0033:0x7ff0070eca9c Code: Unable to access opcode bytes at 0x7ff0070eca72. 
RSP: 002b:00007ff006dff8c0 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00007ff0070eca9c RDX: 0000000000000400 RSI: 00007ff006dff9a0 RDI: 0000000000000003 RBP: 00007ff006dffde0 R08: 0000000000000000 R09: 00007ff000000ba0 R10: 00007ff007004b08 R11: 0000000000000246 R12: 0000000000000003 R13: 00007ff006dff9a0 R14: 0000000000000007 R15: 0000000000000008 Modules linked in: snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec snd_hwdep snd_hda_core ---[ end trace 0000000000000000 ]--- This is because it would mistakenly call kthread_stop() on a user space thread making it \"exit\" before it actually exits. Since kthread ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46846", "url": "https://ubuntu.com/security/CVE-2024-46846", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: spi: rockchip: Resolve unbalanced runtime PM / system PM handling Commit e882575efc77 (\"spi: rockchip: Suspend and resume the bus during NOIRQ_SYSTEM_SLEEP_PM ops\") stopped respecting runtime PM status and simply disabled clocks unconditionally when suspending the system. This causes problems when the device is already runtime suspended when we go to sleep -- in which case we double-disable clocks and produce a WARNing. Switch back to pm_runtime_force_{suspend,resume}(), because that still seems like the right thing to do, and the aforementioned commit makes no explanation why it stopped using it. 
Also, refactor some of the resume() error handling, because it's not actually a good idea to re-disable clocks on failure.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46847", "url": "https://ubuntu.com/security/CVE-2024-46847", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm: vmalloc: ensure vmap_block is initialised before adding to queue Commit 8c61291fd850 (\"mm: fix incorrect vbq reference in purge_fragmented_block\") extended the 'vmap_block' structure to contain a 'cpu' field which is set at allocation time to the id of the initialising CPU. When a new 'vmap_block' is being instantiated by new_vmap_block(), the partially initialised structure is added to the local 'vmap_block_queue' xarray before the 'cpu' field has been initialised. If another CPU is concurrently walking the xarray (e.g. via vm_unmap_aliases()), then it may perform an out-of-bounds access to the remote queue thanks to an uninitialised index. This has been observed as UBSAN errors in Android: | Internal error: UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP | | Call trace: | purge_fragmented_block+0x204/0x21c | _vm_unmap_aliases+0x170/0x378 | vm_unmap_aliases+0x1c/0x28 | change_memory_common+0x1dc/0x26c | set_memory_ro+0x18/0x24 | module_enable_ro+0x98/0x238 | do_init_module+0x1b0/0x310 Move the initialisation of 'vb->cpu' in new_vmap_block() ahead of the addition to the xarray.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46791", "url": "https://ubuntu.com/security/CVE-2024-46791", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open The mcp251x_hw_wake() function is called with the mpc_lock mutex held and disables the interrupt handler so that no interrupts can be processed while waking the device. 
If an interrupt has already occurred then waiting for the interrupt handler to complete will deadlock because it will be trying to acquire the same mutex. CPU0 CPU1 ---- ---- mcp251x_open() mutex_lock(&priv->mcp_lock) request_threaded_irq() mcp251x_can_ist() mutex_lock(&priv->mcp_lock) mcp251x_hw_wake() disable_irq() <-- deadlock Use disable_irq_nosync() instead because the interrupt handler does everything while holding the mutex so it doesn't matter if it's still running.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46829", "url": "https://ubuntu.com/security/CVE-2024-46829", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rtmutex: Drop rt_mutex::wait_lock before scheduling rt_mutex_handle_deadlock() is called with rt_mutex::wait_lock held. In the good case it returns with the lock held and in the deadlock case it emits a warning and goes into an endless scheduling loop with the lock held, which triggers the 'scheduling in atomic' warning. Unlock rt_mutex::wait_lock in the dead lock case before issuing the warning and dropping into the schedule for ever loop. [ tglx: Moved unlock before the WARN(), removed the pointless comment, \tmassaged changelog, added Fixes tag ]", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46848", "url": "https://ubuntu.com/security/CVE-2024-46848", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: Limit the period on Haswell Running the ltp test cve-2015-3290 concurrently reports the following warnings. perfevents: irq loop stuck! WARNING: CPU: 31 PID: 32438 at arch/x86/events/intel/core.c:3174 intel_pmu_handle_irq+0x285/0x370 Call Trace: ? __warn+0xa4/0x220 ? intel_pmu_handle_irq+0x285/0x370 ? __report_bug+0x123/0x130 ? intel_pmu_handle_irq+0x285/0x370 ? __report_bug+0x123/0x130 ? intel_pmu_handle_irq+0x285/0x370 ? report_bug+0x3e/0xa0 ? 
handle_bug+0x3c/0x70 ? exc_invalid_op+0x18/0x50 ? asm_exc_invalid_op+0x1a/0x20 ? irq_work_claim+0x1e/0x40 ? intel_pmu_handle_irq+0x285/0x370 perf_event_nmi_handler+0x3d/0x60 nmi_handle+0x104/0x330 Thanks to Thomas Gleixner's analysis, the issue is caused by the low initial period (1) of the frequency estimation algorithm, which triggers the defects of the HW, specifically erratum HSW11 and HSW143. (For the details, please refer https://lore.kernel.org/lkml/87plq9l5d2.ffs@tglx/) The HSW11 requires a period larger than 100 for the INST_RETIRED.ALL event, but the initial period in the freq mode is 1. The erratum is the same as the BDM11, which has been supported in the kernel. A minimum period of 128 is enforced as well on HSW. HSW143 is regarding that the fixed counter 1 may overcount 32 with the Hyper-Threading is enabled. However, based on the test, the hardware has more issues than it tells. Besides the fixed counter 1, the message 'interrupt took too long' can be observed on any counter which was armed with a period < 32 and two events expired in the same NMI. A minimum period of 32 is enforced for the rest of the events. The recommended workaround code of the HSW143 is not implemented. Because it only addresses the issue for the fixed counter. It brings extra overhead through extra MSR writing. No related overcounting issue has been reported so far.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46794", "url": "https://ubuntu.com/security/CVE-2024-46794", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: x86/tdx: Fix data leak in mmio_read() The mmio_read() function makes a TDVMCALL to retrieve MMIO data for an address from the VMM. Sean noticed that mmio_read() unintentionally exposes the value of an initialized variable (val) on the stack to the VMM. This variable is only needed as an output value. It did not need to be passed to the VMM in the first place. 
Do not send the original value of *val to the VMM. [ dhansen: clarify what 'val' is used for. ]", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46795", "url": "https://ubuntu.com/security/CVE-2024-46795", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: unset the binding mark of a reused connection Steve French reported null pointer dereference error from sha256 lib. cifs.ko can send session setup requests on reused connection. If reused connection is used for binding session, conn->binding can still remain true and generate_preauth_hash() will not set sess->Preauth_HashValue and it will be NULL. It is used as a material to create an encryption key in ksmbd_gen_smb311_encryptionkey. ->Preauth_HashValue cause null pointer dereference error from crypto_shash_update(). BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 8 PID: 429254 Comm: kworker/8:39 Hardware name: LENOVO 20MAS08500/20MAS08500, BIOS N2CET69W (1.52 ) Workqueue: ksmbd-io handle_ksmbd_work [ksmbd] RIP: 0010:lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3] ? show_regs+0x6d/0x80 ? __die+0x24/0x80 ? page_fault_oops+0x99/0x1b0 ? do_user_addr_fault+0x2ee/0x6b0 ? exc_page_fault+0x83/0x1b0 ? asm_exc_page_fault+0x27/0x30 ? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3] ? lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3] ? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3] ? 
__pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3] _sha256_update+0x77/0xa0 [sha256_ssse3] sha256_avx2_update+0x15/0x30 [sha256_ssse3] crypto_shash_update+0x1e/0x40 hmac_update+0x12/0x20 crypto_shash_update+0x1e/0x40 generate_key+0x234/0x380 [ksmbd] generate_smb3encryptionkey+0x40/0x1c0 [ksmbd] ksmbd_gen_smb311_encryptionkey+0x72/0xa0 [ksmbd] ntlm_authenticate.isra.0+0x423/0x5d0 [ksmbd] smb2_sess_setup+0x952/0xaa0 [ksmbd] __process_request+0xa3/0x1d0 [ksmbd] __handle_ksmbd_work+0x1c4/0x2f0 [ksmbd] handle_ksmbd_work+0x2d/0xa0 [ksmbd] process_one_work+0x16c/0x350 worker_thread+0x306/0x440 ? __pfx_worker_thread+0x10/0x10 kthread+0xef/0x120 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x44/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 ", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46797", "url": "https://ubuntu.com/security/CVE-2024-46797", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/qspinlock: Fix deadlock in MCS queue If an interrupt occurs in queued_spin_lock_slowpath() after we increment qnodesp->count and before node->lock is initialized, another CPU might see stale lock values in get_tail_qnode(). If the stale lock value happens to match the lock on that CPU, then we write to the \"next\" pointer of the wrong qnode. This causes a deadlock as the former CPU, once it becomes the head of the MCS queue, will spin indefinitely until it's \"next\" pointer is set by its successor in the queue. Running stress-ng on a 16 core (16EC/16VP) shared LPAR, results in occasional lockups similar to the following: $ stress-ng --all 128 --vm-bytes 80% --aggressive \\ --maximize --oomable --verify --syslog \\ --metrics --times --timeout 5m watchdog: CPU 15 Hard LOCKUP ...... 
NIP [c0000000000b78f4] queued_spin_lock_slowpath+0x1184/0x1490 LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90 Call Trace: 0xc000002cfffa3bf0 (unreliable) _raw_spin_lock+0x6c/0x90 raw_spin_rq_lock_nested.part.135+0x4c/0xd0 sched_ttwu_pending+0x60/0x1f0 __flush_smp_call_function_queue+0x1dc/0x670 smp_ipi_demux_relaxed+0xa4/0x100 xive_muxed_ipi_action+0x20/0x40 __handle_irq_event_percpu+0x80/0x240 handle_irq_event_percpu+0x2c/0x80 handle_percpu_irq+0x84/0xd0 generic_handle_irq+0x54/0x80 __do_irq+0xac/0x210 __do_IRQ+0x74/0xd0 0x0 do_IRQ+0x8c/0x170 hardware_interrupt_common_virt+0x29c/0x2a0 --- interrupt: 500 at queued_spin_lock_slowpath+0x4b8/0x1490 ...... NIP [c0000000000b6c28] queued_spin_lock_slowpath+0x4b8/0x1490 LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90 --- interrupt: 500 0xc0000029c1a41d00 (unreliable) _raw_spin_lock+0x6c/0x90 futex_wake+0x100/0x260 do_futex+0x21c/0x2a0 sys_futex+0x98/0x270 system_call_exception+0x14c/0x2f0 system_call_vectored_common+0x15c/0x2ec The following code flow illustrates how the deadlock occurs. For the sake of brevity, assume that both locks (A and B) are contended and we call the queued_spin_lock_slowpath() function. CPU0 CPU1 ---- ---- spin_lock_irqsave(A) | spin_unlock_irqrestore(A) | spin_lock(B) | | | ? | id = qnodesp->count++; | (Note that nodes[0].lock == A) | | | ? | Interrupt | (happens before \"nodes[0].lock = B\") | | | ? | spin_lock_irqsave(A) | | | ? | id = qnodesp->count++ | nodes[1].lock = A | | | ? | Tail of MCS queue | | spin_lock_irqsave(A) ? | Head of MCS queue ? | CPU0 is previous tail ? | Spin indefinitely ? (until \"nodes[1].next != NULL\") prev = get_tail_qnode(A, CPU0) | ? 
prev == &qnodes[CPU0].nodes[0] (as qnodes ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46830", "url": "https://ubuntu.com/security/CVE-2024-46830", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS Grab kvm->srcu when processing KVM_SET_VCPU_EVENTS, as KVM will forcibly leave nested VMX/SVM if SMM mode is being toggled, and leaving nested VMX reads guest memory. Note, kvm_vcpu_ioctl_x86_set_vcpu_events() can also be called from KVM_RUN via sync_regs(), which already holds SRCU. I.e. trying to precisely use kvm_vcpu_srcu_read_lock() around the problematic SMM code would cause problems. Acquiring SRCU isn't all that expensive, so for simplicity, grab it unconditionally for KVM_SET_VCPU_EVENTS. ============================= WARNING: suspicious RCU usage 6.10.0-rc7-332d2c1d713e-next-vm #552 Not tainted ----------------------------- include/linux/kvm_host.h:1027 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by repro/1071: #0: ffff88811e424430 (&vcpu->mutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x7d/0x970 [kvm] stack backtrace: CPU: 15 PID: 1071 Comm: repro Not tainted 6.10.0-rc7-332d2c1d713e-next-vm #552 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Call Trace: dump_stack_lvl+0x7f/0x90 lockdep_rcu_suspicious+0x13f/0x1a0 kvm_vcpu_gfn_to_memslot+0x168/0x190 [kvm] kvm_vcpu_read_guest+0x3e/0x90 [kvm] nested_vmx_load_msr+0x6b/0x1d0 [kvm_intel] load_vmcs12_host_state+0x432/0xb40 [kvm_intel] vmx_leave_nested+0x30/0x40 [kvm_intel] kvm_vcpu_ioctl_x86_set_vcpu_events+0x15d/0x2b0 [kvm] kvm_arch_vcpu_ioctl+0x1107/0x1750 [kvm] ? mark_held_locks+0x49/0x70 ? kvm_vcpu_ioctl+0x7d/0x970 [kvm] ? kvm_vcpu_ioctl+0x497/0x970 [kvm] kvm_vcpu_ioctl+0x497/0x970 [kvm] ? lock_acquire+0xba/0x2d0 ? 
find_held_lock+0x2b/0x80 ? do_user_addr_fault+0x40c/0x6f0 ? lock_release+0xb7/0x270 __x64_sys_ioctl+0x82/0xb0 do_syscall_64+0x6c/0x170 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7ff11eb1b539 ", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46798", "url": "https://ubuntu.com/security/CVE-2024-46798", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object When using kernel with the following extra config, - CONFIG_KASAN=y - CONFIG_KASAN_GENERIC=y - CONFIG_KASAN_INLINE=y - CONFIG_KASAN_VMALLOC=y - CONFIG_FRAME_WARN=4096 kernel detects that snd_pcm_suspend_all() access a freed 'snd_soc_pcm_runtime' object when the system is suspended, which leads to a use-after-free bug: [ 52.047746] BUG: KASAN: use-after-free in snd_pcm_suspend_all+0x1a8/0x270 [ 52.047765] Read of size 1 at addr ffff0000b9434d50 by task systemd-sleep/2330 [ 52.047785] Call trace: [ 52.047787] dump_backtrace+0x0/0x3c0 [ 52.047794] show_stack+0x34/0x50 [ 52.047797] dump_stack_lvl+0x68/0x8c [ 52.047802] print_address_description.constprop.0+0x74/0x2c0 [ 52.047809] kasan_report+0x210/0x230 [ 52.047815] __asan_report_load1_noabort+0x3c/0x50 [ 52.047820] snd_pcm_suspend_all+0x1a8/0x270 [ 52.047824] snd_soc_suspend+0x19c/0x4e0 The snd_pcm_sync_stop() has a NULL check on 'substream->runtime' before making any access. So we need to always set 'substream->runtime' to NULL everytime we kfree() it.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46831", "url": "https://ubuntu.com/security/CVE-2024-46831", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: microchip: vcap: Fix use-after-free error in kunit test This is a clear use-after-free error. 
We remove it, and rely on checking the return code of vcap_del_rule.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46747", "url": "https://ubuntu.com/security/CVE-2024-46747", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup report_fixup for the Cougar 500k Gaming Keyboard was not verifying that the report descriptor size was correct before accessing it", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46725", "url": "https://ubuntu.com/security/CVE-2024-46725", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix out-of-bounds write warning Check the ring type value to fix the out-of-bounds write warning", "cve_priority": "medium", "cve_public_date": "2024-09-18 07:15:00 UTC" }, { "cve": "CVE-2024-46724", "url": "https://ubuntu.com/security/CVE-2024-46724", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number Check the fb_channel_number range to avoid the array out-of-bounds read error", "cve_priority": "medium", "cve_public_date": "2024-09-18 07:15:00 UTC" }, { "cve": "CVE-2024-46723", "url": "https://ubuntu.com/security/CVE-2024-46723", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix ucode out-of-bounds read warning Clear warning that read ucode[] may out-of-bounds.", "cve_priority": "medium", "cve_public_date": "2024-09-18 07:15:00 UTC" }, { "cve": "CVE-2024-46743", "url": "https://ubuntu.com/security/CVE-2024-46743", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: of/irq: Prevent device address out-of-bounds read in interrupt map walk When of_irq_parse_raw() is invoked with a device address smaller than the interrupt parent node 
(from #address-cells property), KASAN detects the following out-of-bounds read when populating the initial match table (dyndbg=\"func of_irq_parse_* +p\"): OF: of_irq_parse_one: dev=/soc@0/picasso/watchdog, index=0 OF: parent=/soc@0/pci@878000000000/gpio0@17,0, intsize=2 OF: intspec=4 OF: of_irq_parse_raw: ipar=/soc@0/pci@878000000000/gpio0@17,0, size=2 OF: -> addrsize=3 ================================================================== BUG: KASAN: slab-out-of-bounds in of_irq_parse_raw+0x2b8/0x8d0 Read of size 4 at addr ffffff81beca5608 by task bash/764 CPU: 1 PID: 764 Comm: bash Tainted: G O 6.1.67-484c613561-nokia_sm_arm64 #1 Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.01-12.24.03-dirty 01/01/2023 Call trace: dump_backtrace+0xdc/0x130 show_stack+0x1c/0x30 dump_stack_lvl+0x6c/0x84 print_report+0x150/0x448 kasan_report+0x98/0x140 __asan_load4+0x78/0xa0 of_irq_parse_raw+0x2b8/0x8d0 of_irq_parse_one+0x24c/0x270 parse_interrupts+0xc0/0x120 of_fwnode_add_links+0x100/0x2d0 fw_devlink_parse_fwtree+0x64/0xc0 device_add+0xb38/0xc30 of_device_add+0x64/0x90 of_platform_device_create_pdata+0xd0/0x170 of_platform_bus_create+0x244/0x600 of_platform_notify+0x1b0/0x254 blocking_notifier_call_chain+0x9c/0xd0 __of_changeset_entry_notify+0x1b8/0x230 __of_changeset_apply_notify+0x54/0xe4 of_overlay_fdt_apply+0xc04/0xd94 ... 
The buggy address belongs to the object at ffffff81beca5600 which belongs to the cache kmalloc-128 of size 128 The buggy address is located 8 bytes inside of 128-byte region [ffffff81beca5600, ffffff81beca5680) The buggy address belongs to the physical page: page:00000000230d3d03 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1beca4 head:00000000230d3d03 order:1 compound_mapcount:0 compound_pincount:0 flags: 0x8000000000010200(slab|head|zone=2) raw: 8000000000010200 0000000000000000 dead000000000122 ffffff810000c300 raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffffff81beca5500: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffffff81beca5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffffff81beca5600: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffffff81beca5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffffff81beca5700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc ================================================================== OF: -> got it ! Prevent the out-of-bounds read by copying the device address into a buffer of sufficient size.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46757", "url": "https://ubuntu.com/security/CVE-2024-46757", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (nct6775-core) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. 
Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46759", "url": "https://ubuntu.com/security/CVE-2024-46759", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (adc128d818) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46758", "url": "https://ubuntu.com/security/CVE-2024-46758", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (lm95234) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46756", "url": "https://ubuntu.com/security/CVE-2024-46756", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (w83627ehf) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. 
Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46738", "url": "https://ubuntu.com/security/CVE-2024-46738", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: VMCI: Fix use-after-free when removing resource in vmci_resource_remove() When removing a resource from vmci_resource_table in vmci_resource_remove(), the search is performed using the resource handle by comparing context and resource fields. It is possible though to create two resources with different types but same handle (same context and resource fields). When trying to remove one of the resources, vmci_resource_remove() may not remove the intended one, but the object will still be freed as in the case of the datagram type in vmci_datagram_destroy_handle(). vmci_resource_table will still hold a pointer to this freed resource leading to a use-after-free vulnerability. BUG: KASAN: use-after-free in vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline] BUG: KASAN: use-after-free in vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147 Read of size 4 at addr ffff88801c16d800 by task syz-executor197/1592 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x82/0xa9 lib/dump_stack.c:106 print_address_description.constprop.0+0x21/0x366 mm/kasan/report.c:239 __kasan_report.cold+0x7f/0x132 mm/kasan/report.c:425 kasan_report+0x38/0x51 mm/kasan/report.c:442 vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline] vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147 vmci_qp_broker_detach+0x89a/0x11b9 drivers/misc/vmw_vmci/vmci_queue_pair.c:2182 ctx_free_ctx+0x473/0xbe1 drivers/misc/vmw_vmci/vmci_context.c:444 kref_put include/linux/kref.h:65 [inline] vmci_ctx_put drivers/misc/vmw_vmci/vmci_context.c:497 [inline] vmci_ctx_destroy+0x170/0x1d6 drivers/misc/vmw_vmci/vmci_context.c:195 
vmci_host_close+0x125/0x1ac drivers/misc/vmw_vmci/vmci_host.c:143 __fput+0x261/0xa34 fs/file_table.c:282 task_work_run+0xf0/0x194 kernel/task_work.c:164 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop+0x184/0x189 kernel/entry/common.c:187 exit_to_user_mode_prepare+0x11b/0x123 kernel/entry/common.c:220 __syscall_exit_to_user_mode_work kernel/entry/common.c:302 [inline] syscall_exit_to_user_mode+0x18/0x42 kernel/entry/common.c:313 do_syscall_64+0x41/0x85 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x6e/0x0 This change ensures the type is also checked when removing the resource from vmci_resource_table in vmci_resource_remove().", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46722", "url": "https://ubuntu.com/security/CVE-2024-46722", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix mc_data out-of-bounds read warning Clear warning that read mc_data[i-1] may out-of-bounds.", "cve_priority": "medium", "cve_public_date": "2024-09-18 07:15:00 UTC" }, { "cve": "CVE-2024-42284", "url": "https://ubuntu.com/security/CVE-2024-42284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tipc: Return non-zero value from tipc_udp_addr2str() on error tipc_udp_addr2str() should return non-zero value if the UDP media address is invalid. Otherwise, a buffer overflow access can occur in tipc_media_addr_printf(). Fix this by returning 1 on an invalid UDP media address.", "cve_priority": "medium", "cve_public_date": "2024-08-17 09:15:00 UTC" }, { "cve": "CVE-2024-44987", "url": "https://ubuntu.com/security/CVE-2024-44987", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent UAF in ip6_send_skb() syzbot reported an UAF in ip6_send_skb() [1] After ip6_local_out() has returned, we no longer can safely dereference rt, unless we hold rcu_read_lock(). 
A similar issue has been fixed in commit a688caa34beb (\"ipv6: take rcu lock in rawv6_send_hdrinc()\") Another potential issue in ip6_finish_output2() is handled in a separate patch. [1] BUG: KASAN: slab-use-after-free in ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964 Read of size 8 at addr ffff88806dde4858 by task syz.1.380/6530 CPU: 1 UID: 0 PID: 6530 Comm: syz.1.380 Not tainted 6.11.0-rc3-syzkaller-00306-gdf6cbc62cc9b #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964 rawv6_push_pending_frames+0x75c/0x9e0 net/ipv6/raw.c:588 rawv6_sendmsg+0x19c7/0x23c0 net/ipv6/raw.c:926 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x1a6/0x270 net/socket.c:745 sock_write_iter+0x2dd/0x400 net/socket.c:1160 do_iter_readv_writev+0x60a/0x890 vfs_writev+0x37c/0xbb0 fs/read_write.c:971 do_writev+0x1b1/0x350 fs/read_write.c:1018 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f936bf79e79 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f936cd7f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 RAX: ffffffffffffffda RBX: 00007f936c115f80 RCX: 00007f936bf79e79 RDX: 0000000000000001 RSI: 0000000020000040 RDI: 0000000000000004 RBP: 00007f936bfe7916 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f936c115f80 R15: 00007fff2860a7a8 Allocated by task 6530: kasan_save_stack 
mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:312 [inline] __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slub.c:3988 [inline] slab_alloc_node mm/slub.c:4037 [inline] kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4044 dst_alloc+0x12b/0x190 net/core/dst.c:89 ip6_blackhole_route+0x59/0x340 net/ipv6/route.c:2670 make_blackhole net/xfrm/xfrm_policy.c:3120 [inline] xfrm_lookup_route+0xd1/0x1c0 net/xfrm/xfrm_policy.c:3313 ip6_dst_lookup_flow+0x13e/0x180 net/ipv6/ip6_output.c:1257 rawv6_sendmsg+0x1283/0x23c0 net/ipv6/raw.c:898 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x1a6/0x270 net/socket.c:745 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597 ___sys_sendmsg net/socket.c:2651 [inline] __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 45: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2252 [inline] slab_free mm/slub.c:4473 [inline] kmem_cache_free+0x145/0x350 mm/slub.c:4548 dst_destroy+0x2ac/0x460 net/core/dst.c:124 rcu_do_batch kernel/rcu/tree.c:2569 [inline] rcu_core+0xafd/0x1830 kernel/rcu/tree. 
---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-04 20:15:00 UTC" }, { "cve": "CVE-2024-42301", "url": "https://ubuntu.com/security/CVE-2024-42301", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: dev/parport: fix the array out-of-bounds risk Fixed array out-of-bounds issues caused by sprintf by replacing it with snprintf for safer data copying, ensuring the destination buffer is not overflowed. Below is the stack trace I encountered during the actual issue: [ 66.575408s] [pid:5118,cpu4,QThread,4]Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: do_hardware_base_addr+0xcc/0xd0 [parport] [ 66.575408s] [pid:5118,cpu4,QThread,5]CPU: 4 PID: 5118 Comm: QThread Tainted: G S W O 5.10.97-arm64-desktop #7100.57021.2 [ 66.575439s] [pid:5118,cpu4,QThread,6]TGID: 5087 Comm: EFileApp [ 66.575439s] [pid:5118,cpu4,QThread,7]Hardware name: HUAWEI HUAWEI QingYun PGUX-W515x-B081/SP1PANGUXM, BIOS 1.00.07 04/29/2024 [ 66.575439s] [pid:5118,cpu4,QThread,8]Call trace: [ 66.575469s] [pid:5118,cpu4,QThread,9] dump_backtrace+0x0/0x1c0 [ 66.575469s] [pid:5118,cpu4,QThread,0] show_stack+0x14/0x20 [ 66.575469s] [pid:5118,cpu4,QThread,1] dump_stack+0xd4/0x10c [ 66.575500s] [pid:5118,cpu4,QThread,2] panic+0x1d8/0x3bc [ 66.575500s] [pid:5118,cpu4,QThread,3] __stack_chk_fail+0x2c/0x38 [ 66.575500s] [pid:5118,cpu4,QThread,4] do_hardware_base_addr+0xcc/0xd0 [parport]", "cve_priority": "medium", "cve_public_date": "2024-08-17 09:15:00 UTC" }, { "cve": "CVE-2024-44998", "url": "https://ubuntu.com/security/CVE-2024-44998", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: idt77252: prevent use after free in dequeue_rx() We can't dereference \"skb\" after calling vcc->push() because the skb is released.", "cve_priority": "medium", "cve_public_date": "2024-09-04 20:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2090364, 2090369, 1786013, 2087886, 2086298, 2085849, 1786013, 
2086301, 1786013, 2086138, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2085849, 2084513, 2084941, 2083022, 2078038, 2084526, 2084834, 2081079, 2084225, 2081786, 2084225, 2084005, 2082423, 2084005, 2064176, 2081863, 2081785, 2083182, 2083701, 2077861, 2083794, 2083656, 2083488, 2083022, 2083488, 2077287, 2083488, 2083196, 2083196 ], "changes": [ { "cves": [ { "cve": "CVE-2024-50264", "url": "https://ubuntu.com/security/CVE-2024-50264", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans During loopback communication, a dangling pointer can be created in vsk->trans, potentially leading to a Use-After-Free condition. This issue is resolved by initializing vsk->trans to NULL.", "cve_priority": "high", "cve_public_date": "2024-11-19 02:16:00 UTC" }, { "cve": "CVE-2024-53057", "url": "https://ubuntu.com/security/CVE-2024-53057", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed to be either root or ingress. 
This assumption is bogus since it's valid to create egress qdiscs with major handle ffff: Budimir Markovic found that for qdiscs like DRR that maintain an active class list, it will cause a UAF with a dangling class pointer. In 066a3b5b2346, the concern was to avoid iterating over the ingress qdisc since its parent is itself. The proper fix is to stop when parent TC_H_ROOT is reached because the only way to retrieve ingress is when a hierarchy which does not contain a ffff: major handle call into qdisc_lookup with TC_H_MAJ(TC_H_ROOT). In the scenario where major ffff: is an egress qdisc in any of the tree levels, the updates will also propagate to TC_H_ROOT, which then the iteration must stop. net/sched/sch_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)", "cve_priority": "medium", "cve_public_date": "2024-11-19 18:15:00 UTC" }, { "cve": "CVE-2024-49967", "url": "https://ubuntu.com/security/CVE-2024-49967", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ext4: no need to continue when the number of entries is 1", "cve_priority": "medium", "cve_public_date": "2024-10-21 18:15:00 UTC" } ], "log": [ "", " * noble/linux-riscv: 6.8.0-51.52.1 -proposed tracker (LP: #2090364)", "", " [ Ubuntu: 6.8.0-51.52 ]", "", " * noble/linux: 6.8.0-51.52 -proposed tracker (LP: #2090369)", " * Packaging resync (LP: #1786013)", " - [Packaging] resync git-ubuntu-log", " - [Packaging] update variants", " * MGLRU: kswapd uses 100% CPU when MGLRU is enabled and under memory pressure", " (LP: #2087886)", " - mm/mglru: only clear kswapd_failures if reclaimable", " * CVE-2024-50264", " - vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans", " * CVE-2024-53057", " - net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT", " * CVE-2024-49967", " - ext4: no need to continue when the number of entries is 1", "" ], "package": "linux-riscv", "version": "6.8.0-51.52.1", "urgency": "medium", "distributions": "noble", 
"launchpad_bugs_fixed": [ 2090364, 2090369, 1786013, 2087886 ], "author": "Emil Renner Berthing ", "date": "Mon, 09 Dec 2024 16:25:59 +0100" }, { "cves": [ { "cve": "CVE-2024-46823", "url": "https://ubuntu.com/security/CVE-2024-46823", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: kunit/overflow: Fix UB in overflow_allocation_test The 'device_name' array doesn't exist out of the 'overflow_allocation_test' function scope. However, it is being used as a driver name when calling 'kunit_driver_create' from 'kunit_device_register'. It produces the kernel panic with KASAN enabled. Since this variable is used in one place only, remove it and pass the device name into kunit_device_register directly as an ascii string.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46834", "url": "https://ubuntu.com/security/CVE-2024-46834", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ethtool: fail closed if we can't get max channel used in indirection tables Commit 0d1b7d6c9274 (\"bnxt: fix crashes when reducing ring count with active RSS contexts\") proves that allowing indirection table to contain channels with out of bounds IDs may lead to crashes. Currently the max channel check in the core gets skipped if driver can't fetch the indirection table or when we can't allocate memory. 
Both of those conditions should be extremely rare but if they do happen we should try to be safe and fail the channel change.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46751", "url": "https://ubuntu.com/security/CVE-2024-46751", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: don't BUG_ON() when 0 reference count at btrfs_lookup_extent_info() Instead of doing a BUG_ON() handle the error by returning -EUCLEAN, aborting the transaction and logging an error message.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46753", "url": "https://ubuntu.com/security/CVE-2024-46753", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: handle errors from btrfs_dec_ref() properly In walk_up_proc() we BUG_ON(ret) from btrfs_dec_ref(). This is incorrect, we have proper error handling here, return the error.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46841", "url": "https://ubuntu.com/security/CVE-2024-46841", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: don't BUG_ON on ENOMEM from btrfs_lookup_extent_info() in walk_down_proc() We handle errors here properly, ENOMEM isn't fatal, return the error.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46754", "url": "https://ubuntu.com/security/CVE-2024-46754", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Remove tst_run from lwt_seg6local_prog_ops. The syzbot reported that the lwt_seg6 related BPF ops can be invoked via bpf_test_run() without without entering input_action_end_bpf() first. 
Martin KaFai Lau said that self test for BPF_PROG_TYPE_LWT_SEG6LOCAL probably didn't work since it was introduced in commit 04d4b274e2a (\"ipv6: sr: Add seg6local action End.BPF\"). The reason is that the per-CPU variable seg6_bpf_srh_states::srh is never assigned in the self test case but each BPF function expects it. Remove test_run for BPF_PROG_TYPE_LWT_SEG6LOCAL.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46824", "url": "https://ubuntu.com/security/CVE-2024-46824", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: iommufd: Require drivers to supply the cache_invalidate_user ops If drivers don't do this then iommufd will oops invalidation ioctls with something like: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info: ESR = 0x0000000086000004 EC = 0x21: IABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault user pgtable: 4k pages, 48-bit VAs, pgdp=0000000101059000 [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000086000004 [#1] PREEMPT SMP Modules linked in: CPU: 2 PID: 371 Comm: qemu-system-aar Not tainted 6.8.0-rc7-gde77230ac23a #9 Hardware name: linux,dummy-virt (DT) pstate: 81400809 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=-c) pc : 0x0 lr : iommufd_hwpt_invalidate+0xa4/0x204 sp : ffff800080f3bcc0 x29: ffff800080f3bcf0 x28: ffff0000c369b300 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000 x23: 0000000000000000 x22: 00000000c1e334a0 x21: ffff0000c1e334a0 x20: ffff800080f3bd38 x19: ffff800080f3bd58 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffff8240d6d8 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 x8 : 0000001000000002 x7 : 0000fffeac1ec950 x6 : 0000000000000000 x5 : 
ffff800080f3bd78 x4 : 0000000000000003 x3 : 0000000000000002 x2 : 0000000000000000 x1 : ffff800080f3bcc8 x0 : ffff0000c6034d80 Call trace: 0x0 iommufd_fops_ioctl+0x154/0x274 __arm64_sys_ioctl+0xac/0xf0 invoke_syscall+0x48/0x110 el0_svc_common.constprop.0+0x40/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x34/0xb4 el0t_64_sync_handler+0x120/0x12c el0t_64_sync+0x190/0x194 All existing drivers implement this op for nesting, this is mostly a bisection aid.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46842", "url": "https://ubuntu.com/security/CVE-2024-46842", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Handle mailbox timeouts in lpfc_get_sfp_info The MBX_TIMEOUT return code is not handled in lpfc_get_sfp_info and the routine unconditionally frees submitted mailbox commands regardless of return status. The issue is that for MBX_TIMEOUT cases, when firmware returns SFP information at a later time, that same mailbox memory region references previously freed memory in its cmpl routine. Fix by adding checks for the MBX_TIMEOUT return code. During mailbox resource cleanup, check the mbox flag to make sure that the wait did not timeout. If the MBOX_WAKE flag is not set, then do not free the resources because it will be freed when firmware completes the mailbox at a later time in its cmpl routine. Also, increase the timeout from 30 to 60 seconds to accommodate boot scripts requiring longer timeouts.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46766", "url": "https://ubuntu.com/security/CVE-2024-46766", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ice: move netif_queue_set_napi to rtnl-protected sections Currently, netif_queue_set_napi() is called from ice_vsi_rebuild() that is not rtnl-locked when called from the reset. 
This creates the need to take the rtnl_lock just for a single function and complicates the synchronization with .ndo_bpf. At the same time, there no actual need to fill napi-to-queue information at this exact point. Fill napi-to-queue information when opening the VSI and clear it when the VSI is being closed. Those routines are already rtnl-locked. Also, rewrite napi-to-queue assignment in a way that prevents inclusion of XDP queues, as this leads to out-of-bounds writes, such as one below. [ +0.000004] BUG: KASAN: slab-out-of-bounds in netif_queue_set_napi+0x1c2/0x1e0 [ +0.000012] Write of size 8 at addr ffff889881727c80 by task bash/7047 [ +0.000006] CPU: 24 PID: 7047 Comm: bash Not tainted 6.10.0-rc2+ #2 [ +0.000004] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0014.082620210524 08/26/2021 [ +0.000003] Call Trace: [ +0.000003] [ +0.000002] dump_stack_lvl+0x60/0x80 [ +0.000007] print_report+0xce/0x630 [ +0.000007] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ +0.000007] ? __virt_addr_valid+0x1c9/0x2c0 [ +0.000005] ? netif_queue_set_napi+0x1c2/0x1e0 [ +0.000003] kasan_report+0xe9/0x120 [ +0.000004] ? netif_queue_set_napi+0x1c2/0x1e0 [ +0.000004] netif_queue_set_napi+0x1c2/0x1e0 [ +0.000005] ice_vsi_close+0x161/0x670 [ice] [ +0.000114] ice_dis_vsi+0x22f/0x270 [ice] [ +0.000095] ice_pf_dis_all_vsi.constprop.0+0xae/0x1c0 [ice] [ +0.000086] ice_prepare_for_reset+0x299/0x750 [ice] [ +0.000087] pci_dev_save_and_disable+0x82/0xd0 [ +0.000006] pci_reset_function+0x12d/0x230 [ +0.000004] reset_store+0xa0/0x100 [ +0.000006] ? __pfx_reset_store+0x10/0x10 [ +0.000002] ? __pfx_mutex_lock+0x10/0x10 [ +0.000004] ? __check_object_size+0x4c1/0x640 [ +0.000007] kernfs_fop_write_iter+0x30b/0x4a0 [ +0.000006] vfs_write+0x5d6/0xdf0 [ +0.000005] ? fd_install+0x180/0x350 [ +0.000005] ? __pfx_vfs_write+0x10/0xA10 [ +0.000004] ? do_fcntl+0x52c/0xcd0 [ +0.000004] ? kasan_save_track+0x13/0x60 [ +0.000003] ? 
kasan_save_free_info+0x37/0x60 [ +0.000006] ksys_write+0xfa/0x1d0 [ +0.000003] ? __pfx_ksys_write+0x10/0x10 [ +0.000002] ? __x64_sys_fcntl+0x121/0x180 [ +0.000004] ? _raw_spin_lock+0x87/0xe0 [ +0.000005] do_syscall_64+0x80/0x170 [ +0.000007] ? _raw_spin_lock+0x87/0xe0 [ +0.000004] ? __pfx__raw_spin_lock+0x10/0x10 [ +0.000003] ? file_close_fd_locked+0x167/0x230 [ +0.000005] ? syscall_exit_to_user_mode+0x7d/0x220 [ +0.000005] ? do_syscall_64+0x8c/0x170 [ +0.000004] ? do_syscall_64+0x8c/0x170 [ +0.000003] ? do_syscall_64+0x8c/0x170 [ +0.000003] ? fput+0x1a/0x2c0 [ +0.000004] ? filp_close+0x19/0x30 [ +0.000004] ? do_dup2+0x25a/0x4c0 [ +0.000004] ? __x64_sys_dup2+0x6e/0x2e0 [ +0.000002] ? syscall_exit_to_user_mode+0x7d/0x220 [ +0.000004] ? do_syscall_64+0x8c/0x170 [ +0.000003] ? __count_memcg_events+0x113/0x380 [ +0.000005] ? handle_mm_fault+0x136/0x820 [ +0.000005] ? do_user_addr_fault+0x444/0xa80 [ +0.000004] ? clear_bhb_loop+0x25/0x80 [ +0.000004] ? clear_bhb_loop+0x25/0x80 [ +0.000002] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ +0.000005] RIP: 0033:0x7f2033593154", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46772", "url": "https://ubuntu.com/security/CVE-2024-46772", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check denominator crb_pipes before used [WHAT & HOW] A denominator cannot be 0, and is checked before used. 
This fixes 2 DIVIDE_BY_ZERO issues reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46774", "url": "https://ubuntu.com/security/CVE-2024-46774", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas() Smatch warns: arch/powerpc/kernel/rtas.c:1932 __do_sys_rtas() warn: potential spectre issue 'args.args' [r] (local cap) The 'nargs' and 'nret' locals come directly from a user-supplied buffer and are used as indexes into a small stack-based array and as inputs to copy_to_user() after they are subject to bounds checks. Use array_index_nospec() after the bounds checks to clamp these values for speculative execution.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46775", "url": "https://ubuntu.com/security/CVE-2024-46775", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Validate function returns [WHAT & HOW] Function return values must be checked before data can be used in subsequent functions. This fixes 4 CHECKED_RETURN issues reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46778", "url": "https://ubuntu.com/security/CVE-2024-46778", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check UnboundedRequestEnabled's value CalculateSwathAndDETConfiguration_params_st's UnboundedRequestEnabled is a pointer (i.e. dml_bool_t *UnboundedRequestEnabled), and thus if (p->UnboundedRequestEnabled) checks its address, not bool value. 
This fixes 1 REVERSE_INULL issue reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46779", "url": "https://ubuntu.com/security/CVE-2024-46779", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/imagination: Free pvr_vm_gpuva after unlink This caused a measurable memory leak. Although the individual allocations are small, the leaks occurs in a high-usage codepath (remapping or unmapping device memory) so they add up quickly.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46792", "url": "https://ubuntu.com/security/CVE-2024-46792", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: riscv: misaligned: Restrict user access to kernel memory raw_copy_{to,from}_user() do not call access_ok(), so this code allowed userspace to access any virtual memory address.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46793", "url": "https://ubuntu.com/security/CVE-2024-46793", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards harder Since commit 13f58267cda3 (\"ASoC: soc.h: don't create dummy Component via COMP_DUMMY()\") dummy codecs declared like this: SND_SOC_DAILINK_DEF(dummy, DAILINK_COMP_ARRAY(COMP_DUMMY())); expand to: static struct snd_soc_dai_link_component dummy[] = { }; Which means that dummy is a zero sized array and thus dais[i].codecs should not be dereferenced *at all* since it points to the address of the next variable stored in the data section as the \"dummy\" variable has an address but no size, so even dereferencing dais[0] is already an out of bounds array reference. 
Which means that the if (dais[i].codecs->name) check added in commit 7d99a70b6595 (\"ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards\") relies on that the part of the next variable which the name member maps to just happens to be NULL. Which apparently so far it usually is, except when it isn't and then it results in crashes like this one: [ 28.795659] BUG: unable to handle page fault for address: 0000000000030011 ... [ 28.795780] Call Trace: [ 28.795787] ... [ 28.795862] ? strcmp+0x18/0x40 [ 28.795872] 0xffffffffc150c605 [ 28.795887] platform_probe+0x40/0xa0 ... [ 28.795979] ? __pfx_init_module+0x10/0x10 [snd_soc_sst_bytcr_wm5102] Really fix things this time around by checking dais.num_codecs != 0.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46735", "url": "https://ubuntu.com/security/CVE-2024-46735", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ublk_drv: fix NULL pointer dereference in ublk_ctrl_start_recovery() When two UBLK_CMD_START_USER_RECOVERY commands are submitted, the first one sets 'ubq->ubq_daemon' to NULL, and the second one triggers WARN in ublk_queue_reinit() and subsequently a NULL pointer dereference issue. Fix it by adding the check in ublk_ctrl_start_recovery() and return immediately in case of zero 'ub->nr_queues_ready'. BUG: kernel NULL pointer dereference, address: 0000000000000028 RIP: 0010:ublk_ctrl_start_recovery.constprop.0+0x82/0x180 Call Trace: ? __die+0x20/0x70 ? page_fault_oops+0x75/0x170 ? exc_page_fault+0x64/0x140 ? asm_exc_page_fault+0x22/0x30 ? ublk_ctrl_start_recovery.constprop.0+0x82/0x180 ublk_ctrl_uring_cmd+0x4f7/0x6c0 ? pick_next_task_idle+0x26/0x40 io_uring_cmd+0x9a/0x1b0 io_issue_sqe+0x193/0x3f0 io_wq_submit_work+0x9b/0x390 io_worker_handle_work+0x165/0x360 io_wq_worker+0xcb/0x2f0 ? finish_task_switch.isra.0+0x203/0x290 ? finish_task_switch.isra.0+0x203/0x290 ? __pfx_io_wq_worker+0x10/0x10 ret_from_fork+0x2d/0x50 ? 
__pfx_io_wq_worker+0x10/0x10 ret_from_fork_asm+0x1a/0x30 ", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46737", "url": "https://ubuntu.com/security/CVE-2024-46737", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix kernel crash if commands allocation fails If the commands allocation fails in nvmet_tcp_alloc_cmds() the kernel crashes in nvmet_tcp_release_queue_work() because of a NULL pointer dereference. nvmet: failed to install queue 0 cntlid 1 ret 6 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 Fix the bug by setting queue->nr_cmds to zero in case nvmet_tcp_alloc_cmd() fails.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46822", "url": "https://ubuntu.com/security/CVE-2024-46822", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry In a review discussion of the changes to support vCPU hotplug where a check was added on the GICC being enabled if was online, it was noted that there is need to map back to the cpu and use that to index into a cpumask. As such, a valid ID is needed. If an MPIDR check fails in acpi_map_gic_cpu_interface() it is possible for the entry in cpu_madt_gicc[cpu] == NULL. This function would then cause a NULL pointer dereference. Whilst a path to trigger this has not been established, harden this caller against the possibility.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46713", "url": "https://ubuntu.com/security/CVE-2024-46713", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: perf/aux: Fix AUX buffer serialization Ole reported that event->mmap_mutex is strictly insufficient to serialize the AUX buffer, add a per RB mutex to fully serialize it. 
Note that in the lock order comment the perf_event::mmap_mutex order was already wrong, that is, it nesting under mmap_lock is not new with this patch.", "cve_priority": "medium", "cve_public_date": "2024-09-13 15:15:00 UTC" }, { "cve": "CVE-2024-46739", "url": "https://ubuntu.com/security/CVE-2024-46739", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind For primary VM Bus channels, primary_channel pointer is always NULL. This pointer is valid only for the secondary channels. Also, rescind callback is meant for primary channels only. Fix NULL pointer dereference by retrieving the device_obj from the parent for the primary channel.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46740", "url": "https://ubuntu.com/security/CVE-2024-46740", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF caused by offsets overwrite Binder objects are processed and copied individually into the target buffer during transactions. Any raw data in-between these objects is copied as well. However, this raw data copy lacks an out-of-bounds check. If the raw data exceeds the data section size then the copy overwrites the offsets section. This eventually triggers an error that attempts to unwind the processed objects. However, at this point the offsets used to index these objects are now corrupted. Unwinding with corrupted offsets can result in decrements of arbitrary nodes and lead to their premature release. Other users of such nodes are left with a dangling pointer triggering a use-after-free. 
This issue is made evident by the following KASAN report (trimmed): ================================================================== BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c Write of size 4 at addr ffff47fc91598f04 by task binder-util/743 CPU: 9 UID: 0 PID: 743 Comm: binder-util Not tainted 6.11.0-rc4 #1 Hardware name: linux,dummy-virt (DT) Call trace: _raw_spin_lock+0xe4/0x19c binder_free_buf+0x128/0x434 binder_thread_write+0x8a4/0x3260 binder_ioctl+0x18f0/0x258c [...] Allocated by task 743: __kmalloc_cache_noprof+0x110/0x270 binder_new_node+0x50/0x700 binder_transaction+0x413c/0x6da8 binder_thread_write+0x978/0x3260 binder_ioctl+0x18f0/0x258c [...] Freed by task 745: kfree+0xbc/0x208 binder_thread_read+0x1c5c/0x37d4 binder_ioctl+0x16d8/0x258c [...] ================================================================== To avoid this issue, let's check that the raw data copy is within the boundaries of the data section.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46741", "url": "https://ubuntu.com/security/CVE-2024-46741", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix double free of 'buf' in error path smatch warning: drivers/misc/fastrpc.c:1926 fastrpc_req_mmap() error: double free of 'buf' In fastrpc_req_mmap() error path, the fastrpc buffer is freed in fastrpc_req_munmap_impl() if unmap is successful. But in the end, there is an unconditional call to fastrpc_buf_free(). So the above case triggers the double free of fastrpc buf.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-47663", "url": "https://ubuntu.com/security/CVE-2024-47663", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: staging: iio: frequency: ad9834: Validate frequency parameter value In ad9834_write_frequency() clk_get_rate() can return 0. 
In such case ad9834_calc_freqreg() call will lead to division by zero. Checking 'if (fout > (clk_freq / 2))' doesn't protect in case of 'fout' is 0. ad9834_write_frequency() is called from ad9834_write(), where fout is taken from text buffer, which can contain any value. Modify parameters checking. Found by Linux Verification Center (linuxtesting.org) with SVACE.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46832", "url": "https://ubuntu.com/security/CVE-2024-46832", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: MIPS: cevt-r4k: Don't call get_c0_compare_int if timer irq is installed This avoids warning: [ 0.118053] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:283 Caused by get_c0_compare_int on secondary CPU. We also skipped saving IRQ number to struct clock_event_device *cd as it's never used by clockevent core, as per comments it's only meant for \"non CPU local devices\".", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-47668", "url": "https://ubuntu.com/security/CVE-2024-47668", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc() If we need to increase the tree depth, allocate a new node, and then race with another thread that increased the tree depth before us, we'll still have a preallocated node that might be used later. 
If we then use that node for a new non-root node, it'll still have a pointer to the old root instead of being zeroed - fix this by zeroing it in the cmpxchg failure path.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46744", "url": "https://ubuntu.com/security/CVE-2024-46744", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Squashfs: sanity check symbolic link size Syzkiller reports a \"KMSAN: uninit-value in pick_link\" bug. This is caused by an uninitialised page, which is ultimately caused by a corrupted symbolic link size read from disk. The reason why the corrupted symlink size causes an uninitialised page is due to the following sequence of events: 1. squashfs_read_inode() is called to read the symbolic link from disk. This assigns the corrupted value 3875536935 to inode->i_size. 2. Later squashfs_symlink_read_folio() is called, which assigns this corrupted value to the length variable, which being a signed int, overflows producing a negative number. 3. The following loop that fills in the page contents checks that the copied bytes is less than length, which being negative means the loop is skipped, producing an uninitialised page. This patch adds a sanity check which checks that the symbolic link size is not larger than expected. -- V2: fix spelling mistake.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46745", "url": "https://ubuntu.com/security/CVE-2024-46745", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Input: uinput - reject requests with unreasonable number of slots When exercising uinput interface syzkaller may try setting up device with a really large number of slots, which causes memory allocation failure in input_mt_init_slots(). While this allocation failure is handled properly and request is rejected, it results in syzkaller reports. 
Additionally, such request may put undue burden on the system which will try to free a lot of memory for a bogus request. Fix it by limiting allowed number of slots to 100. This can easily be extended if we see devices that can track more than 100 contacts.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46746", "url": "https://ubuntu.com/security/CVE-2024-46746", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: HID: amd_sfh: free driver_data after destroying hid device HID driver callbacks aren't called anymore once hid_destroy_device() has been called. Hence, hid driver_data should be freed only after the hid_destroy_device() function returned as driver_data is used in several callbacks. I observed a crash with kernel 6.10.0 on my T14s Gen 3, after enabling KASAN to debug memory allocation, I got this output: [ 13.050438] ================================================================== [ 13.054060] BUG: KASAN: slab-use-after-free in amd_sfh_get_report+0x3ec/0x530 [amd_sfh] [ 13.054809] psmouse serio1: trackpoint: Synaptics TrackPoint firmware: 0x02, buttons: 3/3 [ 13.056432] Read of size 8 at addr ffff88813152f408 by task (udev-worker)/479 [ 13.060970] CPU: 5 PID: 479 Comm: (udev-worker) Not tainted 6.10.0-arch1-2 #1 893bb55d7f0073f25c46adbb49eb3785fefd74b0 [ 13.063978] Hardware name: LENOVO 21CQCTO1WW/21CQCTO1WW, BIOS R22ET70W (1.40 ) 03/21/2024 [ 13.067860] Call Trace: [ 13.069383] input: TPPS/2 Synaptics TrackPoint as /devices/platform/i8042/serio1/input/input8 [ 13.071486] [ 13.071492] dump_stack_lvl+0x5d/0x80 [ 13.074870] snd_hda_intel 0000:33:00.6: enabling device (0000 -> 0002) [ 13.078296] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.082199] print_report+0x174/0x505 [ 13.085776] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 13.089367] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.093255] ? 
amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.097464] kasan_report+0xc8/0x150 [ 13.101461] ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.105802] amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.110303] amdtp_hid_request+0xb8/0x110 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38] [ 13.114879] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.119450] sensor_hub_get_feature+0x1d3/0x540 [hid_sensor_hub 3f13be3016ff415bea03008d45d99da837ee3082] [ 13.124097] hid_sensor_parse_common_attributes+0x4d0/0xad0 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5] [ 13.127404] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.131925] ? __pfx_hid_sensor_parse_common_attributes+0x10/0x10 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5] [ 13.136455] ? _raw_spin_lock_irqsave+0x96/0xf0 [ 13.140197] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 13.143602] ? devm_iio_device_alloc+0x34/0x50 [industrialio 3d261d5e5765625d2b052be40e526d62b1d2123b] [ 13.147234] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.150446] ? __devm_add_action+0x167/0x1d0 [ 13.155061] hid_gyro_3d_probe+0x120/0x7f0 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172] [ 13.158581] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.161814] platform_probe+0xa2/0x150 [ 13.165029] really_probe+0x1e3/0x8a0 [ 13.168243] __driver_probe_device+0x18c/0x370 [ 13.171500] driver_probe_device+0x4a/0x120 [ 13.175000] __driver_attach+0x190/0x4a0 [ 13.178521] ? __pfx___driver_attach+0x10/0x10 [ 13.181771] bus_for_each_dev+0x106/0x180 [ 13.185033] ? __pfx__raw_spin_lock+0x10/0x10 [ 13.188229] ? __pfx_bus_for_each_dev+0x10/0x10 [ 13.191446] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.194382] bus_add_driver+0x29e/0x4d0 [ 13.197328] driver_register+0x1a5/0x360 [ 13.200283] ? 
__pfx_hid_gyro_3d_platform_driver_init+0x10/0x10 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172] [ 13.203362] do_one_initcall+0xa7/0x380 [ 13.206432] ? __pfx_do_one_initcall+0x10/0x10 [ 13.210175] ? srso_alias_return_thunk+0x5/0xfbef5 [ 13.213211] ? kasan_unpoison+0x44/0x70 [ 13.216688] do_init_module+0x238/0x750 [ 13.2196 ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-47664", "url": "https://ubuntu.com/security/CVE-2024-47664", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: spi: hisi-kunpeng: Add verification for the max_frequency provided by the firmware If the value of max_speed_hz is 0, it may cause a division by zero error in hisi_calc_effective_speed(). The value of max_speed_hz is provided by firmware. Firmware is generally considered as a trusted domain. However, as division by zero errors can cause system failure, for defense measure, the value of max_speed is validated here. So 0 is regarded as invalid and an error code is returned.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-47665", "url": "https://ubuntu.com/security/CVE-2024-47665", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Error out instead on BUG_ON() in IBI DMA setup Definitely condition dma_get_cache_alignment * defined value > 256 during driver initialization is not reason to BUG_ON(). 
Turn that to graceful error out with -EINVAL.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46749", "url": "https://ubuntu.com/security/CVE-2024-46749", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btnxpuart: Fix Null pointer dereference in btnxpuart_flush() This adds a check before freeing the rx->skb in flush and close functions to handle the kernel crash seen while removing driver after FW download fails or before FW download completes. dmesg log: [ 54.634586] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000080 [ 54.643398] Mem abort info: [ 54.646204] ESR = 0x0000000096000004 [ 54.649964] EC = 0x25: DABT (current EL), IL = 32 bits [ 54.655286] SET = 0, FnV = 0 [ 54.658348] EA = 0, S1PTW = 0 [ 54.661498] FSC = 0x04: level 0 translation fault [ 54.666391] Data abort info: [ 54.669273] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 54.674768] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 54.674771] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 54.674775] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000048860000 [ 54.674780] [0000000000000080] pgd=0000000000000000, p4d=0000000000000000 [ 54.703880] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 54.710152] Modules linked in: btnxpuart(-) overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce polyval_generic snd_soc_imx_spdif snd_soc_imx_card snd_soc_ak5558 snd_soc_ak4458 caam secvio error snd_soc_fsl_micfil snd_soc_fsl_spdif snd_soc_fsl_sai snd_soc_fsl_utils imx_pcm_dma gpio_ir_recv rc_core sch_fq_codel fuse [ 54.744357] CPU: 3 PID: 72 Comm: kworker/u9:0 Not tainted 6.6.3-otbr-g128004619037 #2 [ 54.744364] Hardware name: FSL i.MX8MM EVK board (DT) [ 54.744368] Workqueue: hci0 hci_power_on [ 54.757244] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 54.757249] pc : kfree_skb_reason+0x18/0xb0 
[ 54.772299] lr : btnxpuart_flush+0x40/0x58 [btnxpuart] [ 54.782921] sp : ffff8000805ebca0 [ 54.782923] x29: ffff8000805ebca0 x28: ffffa5c6cf1869c0 x27: ffffa5c6cf186000 [ 54.782931] x26: ffff377b84852400 x25: ffff377b848523c0 x24: ffff377b845e7230 [ 54.782938] x23: ffffa5c6ce8dbe08 x22: ffffa5c6ceb65410 x21: 00000000ffffff92 [ 54.782945] x20: ffffa5c6ce8dbe98 x19: ffffffffffffffac x18: ffffffffffffffff [ 54.807651] x17: 0000000000000000 x16: ffffa5c6ce2824ec x15: ffff8001005eb857 [ 54.821917] x14: 0000000000000000 x13: ffffa5c6cf1a02e0 x12: 0000000000000642 [ 54.821924] x11: 0000000000000040 x10: ffffa5c6cf19d690 x9 : ffffa5c6cf19d688 [ 54.821931] x8 : ffff377b86000028 x7 : 0000000000000000 x6 : 0000000000000000 [ 54.821938] x5 : ffff377b86000000 x4 : 0000000000000000 x3 : 0000000000000000 [ 54.843331] x2 : 0000000000000000 x1 : 0000000000000002 x0 : ffffffffffffffac [ 54.857599] Call trace: [ 54.857601] kfree_skb_reason+0x18/0xb0 [ 54.863878] btnxpuart_flush+0x40/0x58 [btnxpuart] [ 54.863888] hci_dev_open_sync+0x3a8/0xa04 [ 54.872773] hci_power_on+0x54/0x2e4 [ 54.881832] process_one_work+0x138/0x260 [ 54.881842] worker_thread+0x32c/0x438 [ 54.881847] kthread+0x118/0x11c [ 54.881853] ret_from_fork+0x10/0x20 [ 54.896406] Code: a9be7bfd 910003fd f9000bf3 aa0003f3 (b940d400) [ 54.896410] ---[ end trace 0000000000000000 ]---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46750", "url": "https://ubuntu.com/security/CVE-2024-46750", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: PCI: Add missing bridge lock to pci_bus_lock() One of the true positives that the cfg_access_lock lockdep effort identified is this sequence: WARNING: CPU: 14 PID: 1 at drivers/pci/pci.c:4886 pci_bridge_secondary_bus_reset+0x5d/0x70 RIP: 0010:pci_bridge_secondary_bus_reset+0x5d/0x70 Call Trace: ? __warn+0x8c/0x190 ? pci_bridge_secondary_bus_reset+0x5d/0x70 ? report_bug+0x1f8/0x200 ? handle_bug+0x3c/0x70 ? 
exc_invalid_op+0x18/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? pci_bridge_secondary_bus_reset+0x5d/0x70 pci_reset_bus+0x1d8/0x270 vmd_probe+0x778/0xa10 pci_device_probe+0x95/0x120 Where pci_reset_bus() users are triggering unlocked secondary bus resets. Ironically pci_bus_reset(), several calls down from pci_reset_bus(), uses pci_bus_lock() before issuing the reset which locks everything *but* the bridge itself. For the same motivation as adding: bridge = pci_upstream_bridge(dev); if (bridge) pci_dev_lock(bridge); to pci_reset_function() for the \"bus\" and \"cxl_bus\" reset cases, add pci_dev_lock() for @bus->self to pci_bus_lock(). [bhelgaas: squash in recursive locking deadlock fix from Keith Busch: https://lore.kernel.org/r/20240711193650.701834-1-kbusch@meta.com]", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46752", "url": "https://ubuntu.com/security/CVE-2024-46752", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: replace BUG_ON() with error handling at update_ref_for_cow() Instead of a BUG_ON() just return an error, log an error message and abort the transaction in case we find an extent buffer belonging to the relocation tree that doesn't have the full backref flag set. This is unexpected and should never happen (save for bugs or a potential bad memory).", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46840", "url": "https://ubuntu.com/security/CVE-2024-46840", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: clean up our handling of refs == 0 in snapshot delete In reada we BUG_ON(refs == 0), which could be unkind since we aren't holding a lock on the extent leaf and thus could get a transient incorrect answer. In walk_down_proc we also BUG_ON(refs == 0), which could happen if we have extent tree corruption. Change that to return -EUCLEAN. 
In do_walk_down() we catch this case and handle it correctly, however we return -EIO, which -EUCLEAN is a more appropriate error code. Finally in walk_up_proc we have the same BUG_ON(refs == 0), so convert that to proper error handling. Also adjust the error message so we can actually do something with the information.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46755", "url": "https://ubuntu.com/security/CVE-2024-46755", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id() mwifiex_get_priv_by_id() returns the priv pointer corresponding to the bss_num and bss_type, but without checking if the priv is actually currently in use. Unused priv pointers do not have a wiphy attached to them which can lead to NULL pointer dereferences further down the callstack. Fix this by returning only used priv pointers which have priv->bss_mode set to something else than NL80211_IFTYPE_UNSPECIFIED. 
Said NULL pointer dereference happened when an Accesspoint was started with wpa_supplicant -i mlan0 with this config: network={ ssid=\"somessid\" mode=2 frequency=2412 key_mgmt=WPA-PSK WPA-PSK-SHA256 proto=RSN group=CCMP pairwise=CCMP psk=\"12345678\" } When waiting for the AP to be established, interrupting wpa_supplicant with and starting it again this happens: | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000140 | Mem abort info: | ESR = 0x0000000096000004 | EC = 0x25: DABT (current EL), IL = 32 bits | SET = 0, FnV = 0 | EA = 0, S1PTW = 0 | FSC = 0x04: level 0 translation fault | Data abort info: | ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 | CM = 0, WnR = 0, TnD = 0, TagAccess = 0 | GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 | user pgtable: 4k pages, 48-bit VAs, pgdp=0000000046d96000 | [0000000000000140] pgd=0000000000000000, p4d=0000000000000000 | Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP | Modules linked in: caam_jr caamhash_desc spidev caamalg_desc crypto_engine authenc libdes mwifiex_sdio +mwifiex crct10dif_ce cdc_acm onboard_usb_hub fsl_imx8_ddr_perf imx8m_ddrc rtc_ds1307 lm75 rtc_snvs +imx_sdma caam imx8mm_thermal spi_imx error imx_cpufreq_dt fuse ip_tables x_tables ipv6 | CPU: 0 PID: 8 Comm: kworker/0:1 Not tainted 6.9.0-00007-g937242013fce-dirty #18 | Hardware name: somemachine (DT) | Workqueue: events sdio_irq_work | pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) | pc : mwifiex_get_cfp+0xd8/0x15c [mwifiex] | lr : mwifiex_get_cfp+0x34/0x15c [mwifiex] | sp : ffff8000818b3a70 | x29: ffff8000818b3a70 x28: ffff000006bfd8a5 x27: 0000000000000004 | x26: 000000000000002c x25: 0000000000001511 x24: 0000000002e86bc9 | x23: ffff000006bfd996 x22: 0000000000000004 x21: ffff000007bec000 | x20: 000000000000002c x19: 0000000000000000 x18: 0000000000000000 | x17: 000000040044ffff x16: 00500072b5503510 x15: ccc283740681e517 | x14: 0201000101006d15 x13: 0000000002e8ff43 x12: 002c01000000ffb1 | x11: 
0100000000000000 x10: 02e8ff43002c0100 x9 : 0000ffb100100157 | x8 : ffff000003d20000 x7 : 00000000000002f1 x6 : 00000000ffffe124 | x5 : 0000000000000001 x4 : 0000000000000003 x3 : 0000000000000000 | x2 : 0000000000000000 x1 : 0001000000011001 x0 : 0000000000000000 | Call trace: | mwifiex_get_cfp+0xd8/0x15c [mwifiex] | mwifiex_parse_single_response_buf+0x1d0/0x504 [mwifiex] | mwifiex_handle_event_ext_scan_report+0x19c/0x2f8 [mwifiex] | mwifiex_process_sta_event+0x298/0xf0c [mwifiex] | mwifiex_process_event+0x110/0x238 [mwifiex] | mwifiex_main_process+0x428/0xa44 [mwifiex] | mwifiex_sdio_interrupt+0x64/0x12c [mwifiex_sdio] | process_sdio_pending_irqs+0x64/0x1b8 | sdio_irq_work+0x4c/0x7c | process_one_work+0x148/0x2a0 | worker_thread+0x2fc/0x40c | kthread+0x110/0x114 | ret_from_fork+0x10/0x20 | Code: a94153f3 a8c37bfd d50323bf d65f03c0 (f940a000) | ---[ end trace 0000000000000000 ]---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-47666", "url": "https://ubuntu.com/security/CVE-2024-47666", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: pm80xx: Set phy->enable_completion only when we wait for it pm8001_phy_control() populates the enable_completion pointer with a stack address, sends a PHY_LINK_RESET / PHY_HARD_RESET, waits 300 ms, and returns. The problem arises when a phy control response comes late. After 300 ms the pm8001_phy_control() function returns and the passed enable_completion stack address is no longer valid. 
Late phy control response invokes complete() on a dangling enable_completion pointer which leads to a kernel crash.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46843", "url": "https://ubuntu.com/security/CVE-2024-46843", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Remove SCSI host only if added If host tries to remove ufshcd driver from a UFS device it would cause a kernel panic if ufshcd_async_scan fails during ufshcd_probe_hba before adding a SCSI host with scsi_add_host and MCQ is enabled since SCSI host has been defered after MCQ configuration introduced by commit 0cab4023ec7b (\"scsi: ufs: core: Defer adding host to SCSI if MCQ is supported\"). To guarantee that SCSI host is removed only if it has been added, set the scsi_host_added flag to true after adding a SCSI host and check whether it is set or not before removing it.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46760", "url": "https://ubuntu.com/security/CVE-2024-46760", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: usb: schedule rx work after everything is set up Right now it's possible to hit NULL pointer dereference in rtw_rx_fill_rx_status on hw object and/or its fields because initialization routine can start getting USB replies before rtw_dev is fully setup. The stack trace looks like this: rtw_rx_fill_rx_status rtw8821c_query_rx_desc rtw_usb_rx_handler ... queue_work rtw_usb_read_port_complete ... usb_submit_urb rtw_usb_rx_resubmit rtw_usb_init_rx rtw_usb_probe So while we do the async stuff rtw_usb_probe continues and calls rtw_register_hw, which does all kinds of initialization (e.g. via ieee80211_register_hw) that rtw_rx_fill_rx_status relies on. Fix this by moving the first usb_submit_urb after everything is set up. 
For me, this bug manifested as: [ 8.893177] rtw_8821cu 1-1:1.2: band wrong, packet dropped [ 8.910904] rtw_8821cu 1-1:1.2: hw->conf.chandef.chan NULL in rtw_rx_fill_rx_status because I'm using Larry's backport of rtw88 driver with the NULL checks in rtw_rx_fill_rx_status.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46761", "url": "https://ubuntu.com/security/CVE-2024-46761", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv The hotplug driver for powerpc (pci/hotplug/pnv_php.c) causes a kernel crash when we try to hot-unplug/disable the PCIe switch/bridge from the PHB. The crash occurs because although the MSI data structure has been released during disable/hot-unplug path and it has been assigned with NULL, still during unregistration the code was again trying to explicitly disable the MSI which causes the NULL pointer dereference and kernel crash. 
The patch fixes the check during unregistration path to prevent invoking pci_disable_msi/msix() since its data structure is already freed.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46844", "url": "https://ubuntu.com/security/CVE-2024-46844", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: um: line: always fill *error_out in setup_one_line() The pointer isn't initialized by callers, but I have encountered cases where it's still printed; initialize it in all possible cases in setup_one_line().", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46762", "url": "https://ubuntu.com/security/CVE-2024-46762", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: xen: privcmd: Fix possible access to a freed kirqfd instance Nothing prevents simultaneous ioctl calls to privcmd_irqfd_assign() and privcmd_irqfd_deassign(). If that happens, it is possible that a kirqfd created and added to the irqfds_list by privcmd_irqfd_assign() may get removed by another thread executing privcmd_irqfd_deassign(), while the former is still using it after dropping the locks. This can lead to a situation where an already freed kirqfd instance may be accessed and cause kernel oops. Use SRCU locking to prevent the same, as is done for the KVM implementation for irqfds.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46763", "url": "https://ubuntu.com/security/CVE-2024-46763", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fou: Fix null-ptr-deref in GRO. We observed a null-ptr-deref in fou_gro_receive() while shutting down a host. [0] The NULL pointer is sk->sk_user_data, and the offset 8 is of protocol in struct fou. 
When fou_release() is called due to netns dismantle or explicit tunnel teardown, udp_tunnel_sock_release() sets NULL to sk->sk_user_data. Then, the tunnel socket is destroyed after a single RCU grace period. So, in-flight udp4_gro_receive() could find the socket and execute the FOU GRO handler, where sk->sk_user_data could be NULL. Let's use rcu_dereference_sk_user_data() in fou_from_sock() and add NULL checks in FOU GRO handlers. [0]: BUG: kernel NULL pointer dereference, address: 0000000000000008 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 80000001032f4067 P4D 80000001032f4067 PUD 103240067 PMD 0 SMP PTI CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.216-204.855.amzn2.x86_64 #1 Hardware name: Amazon EC2 c5.large/, BIOS 1.0 10/16/2017 RIP: 0010:fou_gro_receive (net/ipv4/fou.c:233) [fou] Code: 41 5f c3 cc cc cc cc e8 e7 2e 69 f4 0f 1f 80 00 00 00 00 0f 1f 44 00 00 49 89 f8 41 54 48 89 f7 48 89 d6 49 8b 80 88 02 00 00 <0f> b6 48 08 0f b7 42 4a 66 25 fd fd 80 cc 02 66 89 42 4a 0f b6 42 RSP: 0018:ffffa330c0003d08 EFLAGS: 00010297 RAX: 0000000000000000 RBX: ffff93d9e3a6b900 RCX: 0000000000000010 RDX: ffff93d9e3a6b900 RSI: ffff93d9e3a6b900 RDI: ffff93dac2e24d08 RBP: ffff93d9e3a6b900 R08: ffff93dacbce6400 R09: 0000000000000002 R10: 0000000000000000 R11: ffffffffb5f369b0 R12: ffff93dacbce6400 R13: ffff93dac2e24d08 R14: 0000000000000000 R15: ffffffffb4edd1c0 FS: 0000000000000000(0000) GS:ffff93daee800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 0000000102140001 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259) ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420) ? no_context (arch/x86/mm/fault.c:752) ? 
exc_page_fault (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 arch/x86/mm/fault.c:1435 arch/x86/mm/fault.c:1483) ? asm_exc_page_fault (arch/x86/include/asm/idtentry.h:571) ? fou_gro_receive (net/ipv4/fou.c:233) [fou] udp_gro_receive (include/linux/netdevice.h:2552 net/ipv4/udp_offload.c:559) udp4_gro_receive (net/ipv4/udp_offload.c:604) inet_gro_receive (net/ipv4/af_inet.c:1549 (discriminator 7)) dev_gro_receive (net/core/dev.c:6035 (discriminator 4)) napi_gro_receive (net/core/dev.c:6170) ena_clean_rx_irq (drivers/amazon/net/ena/ena_netdev.c:1558) [ena] ena_io_poll (drivers/amazon/net/ena/ena_netdev.c:1742) [ena] napi_poll (net/core/dev.c:6847) net_rx_action (net/core/dev.c:6917) __do_softirq (arch/x86/include/asm/jump_label.h:25 include/linux/jump_label.h:200 include/trace/events/irq.h:142 kernel/softirq.c:299) asm_call_irq_on_stack (arch/x86/entry/entry_64.S:809) do_softirq_own_stack (arch/x86/include/asm/irq_stack.h:27 arch/x86/include/asm/irq_stack.h:77 arch/x86/kernel/irq_64.c:77) irq_exit_rcu (kernel/softirq.c:393 kernel/softirq.c:423 kernel/softirq.c:435) common_interrupt (arch/x86/kernel/irq.c:239) asm_common_interrupt (arch/x86/include/asm/idtentry.h:626) RIP: 0010:acpi_idle_do_entry (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 drivers/acpi/processor_idle.c:114 drivers/acpi/processor_idle.c:575) Code: 8b 15 d1 3c c4 02 ed c3 cc cc cc cc 65 48 8b 04 25 40 ef 01 00 48 8b 00 a8 08 75 eb 0f 1f 44 00 00 0f 00 2d d5 09 55 00 fb f4 c3 cc cc cc cc e9 be fc ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 RSP: 0018:ffffffffb5603e58 EFLAGS: 00000246 RAX: 0000000000004000 RBX: ffff93dac0929c00 RCX: ffff93daee833900 RDX: ffff93daee800000 RSI: ffff93d ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46765", "url": "https://ubuntu.com/security/CVE-2024-46765", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ice: protect XDP 
configuration with a mutex The main threat to data consistency in ice_xdp() is a possible asynchronous PF reset. It can be triggered by a user or by TX timeout handler. XDP setup and PF reset code access the same resources in the following sections: * ice_vsi_close() in ice_prepare_for_reset() - already rtnl-locked * ice_vsi_rebuild() for the PF VSI - not protected * ice_vsi_open() - already rtnl-locked With an unfortunate timing, such accesses can result in a crash such as the one below: [ +1.999878] ice 0000:b1:00.0: Registered XDP mem model MEM_TYPE_XSK_BUFF_POOL on Rx ring 14 [ +2.002992] ice 0000:b1:00.0: Registered XDP mem model MEM_TYPE_XSK_BUFF_POOL on Rx ring 18 [Mar15 18:17] ice 0000:b1:00.0 ens801f0np0: NETDEV WATCHDOG: CPU: 38: transmit queue 14 timed out 80692736 ms [ +0.000093] ice 0000:b1:00.0 ens801f0np0: tx_timeout: VSI_num: 6, Q 14, NTC: 0x0, HW_HEAD: 0x0, NTU: 0x0, INT: 0x4000001 [ +0.000012] ice 0000:b1:00.0 ens801f0np0: tx_timeout recovery level 1, txqueue 14 [ +0.394718] ice 0000:b1:00.0: PTP reset successful [ +0.006184] BUG: kernel NULL pointer dereference, address: 0000000000000098 [ +0.000045] #PF: supervisor read access in kernel mode [ +0.000023] #PF: error_code(0x0000) - not-present page [ +0.000023] PGD 0 P4D 0 [ +0.000018] Oops: 0000 [#1] PREEMPT SMP NOPTI [ +0.000023] CPU: 38 PID: 7540 Comm: kworker/38:1 Not tainted 6.8.0-rc7 #1 [ +0.000031] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0014.082620210524 08/26/2021 [ +0.000036] Workqueue: ice ice_service_task [ice] [ +0.000183] RIP: 0010:ice_clean_tx_ring+0xa/0xd0 [ice] [...] [ +0.000013] Call Trace: [ +0.000016] [ +0.000014] ? __die+0x1f/0x70 [ +0.000029] ? page_fault_oops+0x171/0x4f0 [ +0.000029] ? schedule+0x3b/0xd0 [ +0.000027] ? exc_page_fault+0x7b/0x180 [ +0.000022] ? asm_exc_page_fault+0x22/0x30 [ +0.000031] ? 
ice_clean_tx_ring+0xa/0xd0 [ice] [ +0.000194] ice_free_tx_ring+0xe/0x60 [ice] [ +0.000186] ice_destroy_xdp_rings+0x157/0x310 [ice] [ +0.000151] ice_vsi_decfg+0x53/0xe0 [ice] [ +0.000180] ice_vsi_rebuild+0x239/0x540 [ice] [ +0.000186] ice_vsi_rebuild_by_type+0x76/0x180 [ice] [ +0.000145] ice_rebuild+0x18c/0x840 [ice] [ +0.000145] ? delay_tsc+0x4a/0xc0 [ +0.000022] ? delay_tsc+0x92/0xc0 [ +0.000020] ice_do_reset+0x140/0x180 [ice] [ +0.000886] ice_service_task+0x404/0x1030 [ice] [ +0.000824] process_one_work+0x171/0x340 [ +0.000685] worker_thread+0x277/0x3a0 [ +0.000675] ? preempt_count_add+0x6a/0xa0 [ +0.000677] ? _raw_spin_lock_irqsave+0x23/0x50 [ +0.000679] ? __pfx_worker_thread+0x10/0x10 [ +0.000653] kthread+0xf0/0x120 [ +0.000635] ? __pfx_kthread+0x10/0x10 [ +0.000616] ret_from_fork+0x2d/0x50 [ +0.000612] ? __pfx_kthread+0x10/0x10 [ +0.000604] ret_from_fork_asm+0x1b/0x30 [ +0.000604] The previous way of handling this through returning -EBUSY is not viable, particularly when destroying AF_XDP socket, because the kernel proceeds with removal anyway. There is plenty of code between those calls and there is no need to create a large critical section that covers all of them, same as there is no need to protect ice_vsi_rebuild() with rtnl_lock(). Add xdp_state_lock mutex to protect ice_vsi_rebuild() and ice_xdp(). Leaving unprotected sections in between would result in two states that have to be considered: 1. when the VSI is closed, but not yet rebuild 2. when VSI is already rebuild, but not yet open The latter case is actually already handled through !netif_running() case, we just need to adjust flag checking a little. The former one is not as trivial, because between ice_vsi_close() and ice_vsi_rebuild(), a lot of hardware interaction happens, this can make adding/deleting rings exit with an error. Luckily, VSI rebuild is pending and can apply new configuration for us in a managed fashion. 
Therefore, add an additional VSI state flag ICE_VSI_REBUILD_PENDING to indicate that ice_x ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46767", "url": "https://ubuntu.com/security/CVE-2024-46767", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: phy: Fix missing of_node_put() for leds The call of of_get_child_by_name() will cause refcount incremented for leds, if it succeeds, it should call of_node_put() to decrease it, fix it.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46768", "url": "https://ubuntu.com/security/CVE-2024-46768", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (hp-wmi-sensors) Check if WMI event data exists The BIOS can choose to return no event data in response to a WMI event, so the ACPI object passed to the WMI notify handler can be NULL. Check for such a situation and ignore the event in such a case.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46770", "url": "https://ubuntu.com/security/CVE-2024-46770", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ice: Add netif_device_attach/detach into PF reset flow Ethtool callbacks can be executed while reset is in progress and try to access deleted resources, e.g. getting coalesce settings can result in a NULL pointer dereference seen below. 
Reproduction steps: Once the driver is fully initialized, trigger reset: \t# echo 1 > /sys/class/net//device/reset when reset is in progress try to get coalesce settings using ethtool: \t# ethtool -c BUG: kernel NULL pointer dereference, address: 0000000000000020 PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP PTI CPU: 11 PID: 19713 Comm: ethtool Tainted: G S 6.10.0-rc7+ #7 RIP: 0010:ice_get_q_coalesce+0x2e/0xa0 [ice] RSP: 0018:ffffbab1e9bcf6a8 EFLAGS: 00010206 RAX: 000000000000000c RBX: ffff94512305b028 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff9451c3f2e588 RDI: ffff9451c3f2e588 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: ffff9451c3f2e580 R11: 000000000000001f R12: ffff945121fa9000 R13: ffffbab1e9bcf760 R14: 0000000000000013 R15: ffffffff9e65dd40 FS: 00007faee5fbe740(0000) GS:ffff94546fd80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000020 CR3: 0000000106c2e005 CR4: 00000000001706f0 Call Trace: ice_get_coalesce+0x17/0x30 [ice] coalesce_prepare_data+0x61/0x80 ethnl_default_doit+0xde/0x340 genl_family_rcv_msg_doit+0xf2/0x150 genl_rcv_msg+0x1b3/0x2c0 netlink_rcv_skb+0x5b/0x110 genl_rcv+0x28/0x40 netlink_unicast+0x19c/0x290 netlink_sendmsg+0x222/0x490 __sys_sendto+0x1df/0x1f0 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x82/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7faee60d8e27 Calling netif_device_detach() before reset makes the net core not call the driver when ethtool command is issued, the attempt to execute an ethtool command during reset will result in the following message: netlink error: No such device instead of NULL pointer dereference. 
Once reset is done and ice_rebuild() is executing, the netif_device_attach() is called to allow for ethtool operations to occur again in a safe manner.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46771", "url": "https://ubuntu.com/security/CVE-2024-46771", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: can: bcm: Remove proc entry when dev is unregistered. syzkaller reported a warning in bcm_connect() below. [0] The repro calls connect() to vxcan1, removes vxcan1, and calls connect() with ifindex == 0. Calling connect() for a BCM socket allocates a proc entry. Then, bcm_sk(sk)->bound is set to 1 to prevent further connect(). However, removing the bound device resets bcm_sk(sk)->bound to 0 in bcm_notify(). The 2nd connect() tries to allocate a proc entry with the same name and sets NULL to bcm_sk(sk)->bcm_proc_read, leaking the original proc entry. Since the proc entry is available only for connect()ed sockets, let's clean up the entry when the bound netdev is unregistered. 
[0]: proc_dir_entry 'can-bcm/2456' already registered WARNING: CPU: 1 PID: 394 at fs/proc/generic.c:376 proc_register+0x645/0x8f0 fs/proc/generic.c:375 Modules linked in: CPU: 1 PID: 394 Comm: syz-executor403 Not tainted 6.10.0-rc7-g852e42cc2dd4 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:proc_register+0x645/0x8f0 fs/proc/generic.c:375 Code: 00 00 00 00 00 48 85 ed 0f 85 97 02 00 00 4d 85 f6 0f 85 9f 02 00 00 48 c7 c7 9b cb cf 87 48 89 de 4c 89 fa e8 1c 6f eb fe 90 <0f> 0b 90 90 48 c7 c7 98 37 99 89 e8 cb 7e 22 05 bb 00 00 00 10 48 RSP: 0018:ffa0000000cd7c30 EFLAGS: 00010246 RAX: 9e129be1950f0200 RBX: ff1100011b51582c RCX: ff1100011857cd80 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002 RBP: 0000000000000000 R08: ffd400000000000f R09: ff1100013e78cac0 R10: ffac800000cd7980 R11: ff1100013e12b1f0 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: ff1100011a99a2ec FS: 00007fbd7086f740(0000) GS:ff1100013fd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000200071c0 CR3: 0000000118556004 CR4: 0000000000771ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: proc_create_net_single+0x144/0x210 fs/proc/proc_net.c:220 bcm_connect+0x472/0x840 net/can/bcm.c:1673 __sys_connect_file net/socket.c:2049 [inline] __sys_connect+0x5d2/0x690 net/socket.c:2066 __do_sys_connect net/socket.c:2076 [inline] __se_sys_connect net/socket.c:2073 [inline] __x64_sys_connect+0x8f/0x100 net/socket.c:2073 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xd9/0x1c0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7fbd708b0e5d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 
48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48 RSP: 002b:00007fff8cd33f08 EFLAGS: 00000246 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fbd708b0e5d RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000040 R09: 0000000000000040 R10: 0000000000000040 R11: 0000000000000246 R12: 00007fff8cd34098 R13: 0000000000401280 R14: 0000000000406de8 R15: 00007fbd70ab9000 remove_proc_entry: removing non-empty directory 'net/can-bcm', leaking at least '2456'", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46773", "url": "https://ubuntu.com/security/CVE-2024-46773", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check denominator pbn_div before used [WHAT & HOW] A denominator cannot be 0, and is checked before used. This fixes 1 DIVIDE_BY_ZERO issue reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-47667", "url": "https://ubuntu.com/security/CVE-2024-47667", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0) Errata #i2037 in AM65x/DRA80xM Processors Silicon Revision 1.0 (SPRZ452D_July 2018_Revised December 2019 [1]) mentions when an inbound PCIe TLP spans more than two internal AXI 128-byte bursts, the bus may corrupt the packet payload and the corrupt data may cause associated applications or the processor to hang. The workaround for Errata #i2037 is to limit the maximum read request size and maximum payload size to 128 bytes. Add workaround for Errata #i2037 here. The errata and workaround is applicable only to AM65x SR 1.0 and later versions of the silicon will have this fixed. 
[1] -> https://www.ti.com/lit/er/sprz452i/sprz452i.pdf", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46835", "url": "https://ubuntu.com/security/CVE-2024-46835", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix smatch static checker warning adev->gfx.imu.funcs could be NULL", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46776", "url": "https://ubuntu.com/security/CVE-2024-46776", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Run DC_LOG_DC after checking link->link_enc [WHAT] The DC_LOG_DC should be run after link->link_enc is checked, not before. This fixes 1 REVERSE_INULL issue reported by Coverity.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46836", "url": "https://ubuntu.com/security/CVE-2024-46836", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: usb: gadget: aspeed_udc: validate endpoint index for ast udc We should verify the bound of the array to assure that host may not manipulate the index to point past endpoint array. Found by static analysis.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46777", "url": "https://ubuntu.com/security/CVE-2024-46777", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: udf: Avoid excessive partition lengths Avoid mounting filesystems where the partition would overflow the 32-bits used for block number. 
Also refuse to mount filesystems where the partition length is so large we cannot safely index bits in a block bitmap.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46825", "url": "https://ubuntu.com/security/CVE-2024-46825", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: use IWL_FW_CHECK for link ID check The lookup function iwl_mvm_rcu_fw_link_id_to_link_conf() is normally called with input from the firmware, so it should use IWL_FW_CHECK() instead of WARN_ON().", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46826", "url": "https://ubuntu.com/security/CVE-2024-46826", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ELF: fix kernel.randomize_va_space double read ELF loader uses \"randomize_va_space\" twice. It is sysctl and can change at any moment, so 2 loads could see 2 different values in theory with unpredictable consequences. Issue exactly one load for consistent value across one exec.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46827", "url": "https://ubuntu.com/security/CVE-2024-46827", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix firmware crash due to invalid peer nss Currently, if the access point receives an association request containing an Extended HE Capabilities Information Element with an invalid MCS-NSS, it triggers a firmware crash. This issue arises when EHT-PHY capabilities shows support for a bandwidth and MCS-NSS set for that particular bandwidth is filled by zeros and due to this, driver obtains peer_nss as 0 and sending this value to firmware causes crash. Address this issue by implementing a validation step for the peer_nss value before passing it to the firmware. 
If the value is greater than zero, proceed with forwarding it to the firmware. However, if the value is invalid, reject the association request to prevent potential firmware crashes. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-47669", "url": "https://ubuntu.com/security/CVE-2024-47669", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix state management in error path of log writing function After commit a694291a6211 (\"nilfs2: separate wait function from nilfs_segctor_write\") was applied, the log writing function nilfs_segctor_do_construct() was able to issue I/O requests continuously even if user data blocks were split into multiple logs across segments, but two potential flaws were introduced in its error handling. First, if nilfs_segctor_begin_construction() fails while creating the second or subsequent logs, the log writing function returns without calling nilfs_segctor_abort_construction(), so the writeback flag set on pages/folios will remain uncleared. This causes page cache operations to hang waiting for the writeback flag. For example, truncate_inode_pages_final(), which is called via nilfs_evict_inode() when an inode is evicted from memory, will hang. Second, the NILFS_I_COLLECTED flag set on normal inodes remain uncleared. As a result, if the next log write involves checkpoint creation, that's fine, but if a partial log write is performed that does not, inodes with NILFS_I_COLLECTED set are erroneously removed from the \"sc_dirty_files\" list, and their data and b-tree blocks may not be written to the device, corrupting the block mapping. 
Fix these issues by uniformly calling nilfs_segctor_abort_construction() on failure of each step in the loop in nilfs_segctor_do_construct(), having it clean up logs and segment usages according to progress, and correcting the conditions for calling nilfs_redirty_inodes() to ensure that the NILFS_I_COLLECTED flag is cleared.", "cve_priority": "medium", "cve_public_date": "2024-10-09 15:15:00 UTC" }, { "cve": "CVE-2024-46780", "url": "https://ubuntu.com/security/CVE-2024-46780", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nilfs2: protect references to superblock parameters exposed in sysfs The superblock buffers of nilfs2 can not only be overwritten at runtime for modifications/repairs, but they are also regularly swapped, replaced during resizing, and even abandoned when degrading to one side due to backing device issues. So, accessing them requires mutual exclusion using the reader/writer semaphore \"nilfs->ns_sem\". Some sysfs attribute show methods read this superblock buffer without the necessary mutual exclusion, which can cause problems with pointer dereferencing and memory access, so fix it.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46781", "url": "https://ubuntu.com/security/CVE-2024-46781", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix missing cleanup on rollforward recovery error In an error injection test of a routine for mount-time recovery, KASAN found a use-after-free bug. It turned out that if data recovery was performed using partial logs created by dsync writes, but an error occurred before starting the log writer to create a recovered checkpoint, the inodes whose data had been recovered were left in the ns_dirty_files list of the nilfs object and were not freed. 
Fix this issue by cleaning up inodes that have read the recovery data if the recovery routine fails midway before the log writer starts.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46828", "url": "https://ubuntu.com/security/CVE-2024-46828", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sched: sch_cake: fix bulk flow accounting logic for host fairness In sch_cake, we keep track of the count of active bulk flows per host, when running in dst/src host fairness mode, which is used as the round-robin weight when iterating through flows. The count of active bulk flows is updated whenever a flow changes state. This has a peculiar interaction with the hash collision handling: when a hash collision occurs (after the set-associative hashing), the state of the hash bucket is simply updated to match the new packet that collided, and if host fairness is enabled, that also means assigning new per-host state to the flow. For this reason, the bulk flow counters of the host(s) assigned to the flow are decremented, before new state is assigned (and the counters, which may not belong to the same host anymore, are incremented again). Back when this code was introduced, the host fairness mode was always enabled, so the decrement was unconditional. When the configuration flags were introduced the *increment* was made conditional, but the *decrement* was not. Which of course can lead to a spurious decrement (and associated wrap-around to U16_MAX). AFAICT, when host fairness is disabled, the decrement and wrap-around happens as soon as a hash collision occurs (which is not that common in itself, due to the set-associative hashing). However, in most cases this is harmless, as the value is only used when host fairness mode is enabled. 
So in order to trigger an array overflow, sch_cake has to first be configured with host fairness disabled, and while running in this mode, a hash collision has to occur to cause the overflow. Then, the qdisc has to be reconfigured to enable host fairness, which leads to the array out-of-bounds because the wrapped-around value is retained and used as an array index. It seems that syzbot managed to trigger this, which is quite impressive in its own right. This patch fixes the issue by introducing the same conditional check on decrement as is used on increment. The original bug predates the upstreaming of cake, but the commit listed in the Fixes tag touched that code, meaning that this patch won't apply before that.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46782", "url": "https://ubuntu.com/security/CVE-2024-46782", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ila: call nf_unregister_net_hooks() sooner syzbot found an use-after-free Read in ila_nf_input [1] Issue here is that ila_xlat_exit_net() frees the rhashtable, then call nf_unregister_net_hooks(). It should be done in the reverse way, with a synchronize_rcu(). This is a good match for a pre_exit() method. 
[1] BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline] BUG: KASAN: use-after-free in __rhashtable_lookup include/linux/rhashtable.h:604 [inline] BUG: KASAN: use-after-free in rhashtable_lookup include/linux/rhashtable.h:646 [inline] BUG: KASAN: use-after-free in rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 Read of size 4 at addr ffff888064620008 by task ksoftirqd/0/16 CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.11.0-rc4-syzkaller-00238-g2ad6d23f465a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 rht_key_hashfn include/linux/rhashtable.h:159 [inline] __rhashtable_lookup include/linux/rhashtable.h:604 [inline] rhashtable_lookup include/linux/rhashtable.h:646 [inline] rhashtable_lookup_fast+0x77a/0x9b0 include/linux/rhashtable.h:672 ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline] ila_xlat_addr net/ipv6/ila/ila_xlat.c:652 [inline] ila_nf_input+0x1fe/0x3c0 net/ipv6/ila/ila_xlat.c:190 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK+0x29e/0x450 include/linux/netfilter.h:312 __netif_receive_skb_one_core net/core/dev.c:5661 [inline] __netif_receive_skb+0x1ea/0x650 net/core/dev.c:5775 process_backlog+0x662/0x15b0 net/core/dev.c:6108 __napi_poll+0xcb/0x490 net/core/dev.c:6772 napi_poll net/core/dev.c:6841 [inline] net_rx_action+0x89b/0x1240 net/core/dev.c:6963 handle_softirqs+0x2c4/0x970 kernel/softirq.c:554 run_ksoftirqd+0xca/0x130 kernel/softirq.c:928 smpboot_thread_fn+0x544/0xa30 kernel/smpboot.c:164 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 
arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x64620 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: 0xbfffffff(buddy) raw: 00fff00000000000 ffffea0000959608 ffffea00019d9408 0000000000000000 raw: 0000000000000000 0000000000000003 00000000bfffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 5242, tgid 5242 (syz-executor), ts 73611328570, free_ts 618981657187 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493 prep_new_page mm/page_alloc.c:1501 [inline] get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3439 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4695 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline] alloc_pages_node_noprof include/linux/gfp.h:296 [inline] ___kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4103 __kmalloc_large_node_noprof+0x1a/0x80 mm/slub.c:4130 __do_kmalloc_node mm/slub.c:4146 [inline] __kmalloc_node_noprof+0x2d2/0x440 mm/slub.c:4164 __kvmalloc_node_noprof+0x72/0x190 mm/util.c:650 bucket_table_alloc lib/rhashtable.c:186 [inline] rhashtable_init_noprof+0x534/0xa60 lib/rhashtable.c:1071 ila_xlat_init_net+0xa0/0x110 net/ipv6/ila/ila_xlat.c:613 ops_ini ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46783", "url": "https://ubuntu.com/security/CVE-2024-46783", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tcp_bpf: fix return value of tcp_bpf_sendmsg() When we cork messages in psock->cork, the last message triggers the flushing will result in sending a sk_msg larger than the current message size. 
In this case, in tcp_bpf_send_verdict(), 'copied' becomes negative at least in the following case: 468 case __SK_DROP: 469 default: 470 sk_msg_free_partial(sk, msg, tosend); 471 sk_msg_apply_bytes(psock, tosend); 472 *copied -= (tosend + delta); // <==== HERE 473 return -EACCES; Therefore, it could lead to the following BUG with a proper value of 'copied' (thanks to syzbot). We should not use negative 'copied' as a return value here. ------------[ cut here ]------------ kernel BUG at net/socket.c:733! Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP Modules linked in: CPU: 0 UID: 0 PID: 3265 Comm: syz-executor510 Not tainted 6.11.0-rc3-syzkaller-00060-gd07b43284ab3 #0 Hardware name: linux,dummy-virt (DT) pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) pc : sock_sendmsg_nosec net/socket.c:733 [inline] pc : sock_sendmsg_nosec net/socket.c:728 [inline] pc : __sock_sendmsg+0x5c/0x60 net/socket.c:745 lr : sock_sendmsg_nosec net/socket.c:730 [inline] lr : __sock_sendmsg+0x54/0x60 net/socket.c:745 sp : ffff800088ea3b30 x29: ffff800088ea3b30 x28: fbf00000062bc900 x27: 0000000000000000 x26: ffff800088ea3bc0 x25: ffff800088ea3bc0 x24: 0000000000000000 x23: f9f00000048dc000 x22: 0000000000000000 x21: ffff800088ea3d90 x20: f9f00000048dc000 x19: ffff800088ea3d90 x18: 0000000000000001 x17: 0000000000000000 x16: 0000000000000000 x15: 000000002002ffaf x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: ffff8000815849c0 x9 : ffff8000815b49c0 x8 : 0000000000000000 x7 : 000000000000003f x6 : 0000000000000000 x5 : 00000000000007e0 x4 : fff07ffffd239000 x3 : fbf00000062bc900 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 00000000fffffdef Call trace: sock_sendmsg_nosec net/socket.c:733 [inline] __sock_sendmsg+0x5c/0x60 net/socket.c:745 ____sys_sendmsg+0x274/0x2ac net/socket.c:2597 ___sys_sendmsg+0xac/0x100 net/socket.c:2651 __sys_sendmsg+0x84/0xe0 net/socket.c:2680 __do_sys_sendmsg net/socket.c:2689 [inline] 
__se_sys_sendmsg net/socket.c:2687 [inline] __arm64_sys_sendmsg+0x24/0x30 net/socket.c:2687 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x48/0x110 arch/arm64/kernel/syscall.c:49 el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132 do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151 el0_svc+0x34/0xec arch/arm64/kernel/entry-common.c:712 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730 el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598 Code: f9404463 d63f0060 3108441f 54fffe81 (d4210000) ---[ end trace 0000000000000000 ]---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46784", "url": "https://ubuntu.com/security/CVE-2024-46784", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup Currently napi_disable() gets called during rxq and txq cleanup, even before napi is enabled and hrtimer is initialized. It causes kernel panic. ? page_fault_oops+0x136/0x2b0 ? page_counter_cancel+0x2e/0x80 ? do_user_addr_fault+0x2f2/0x640 ? refill_obj_stock+0xc4/0x110 ? exc_page_fault+0x71/0x160 ? asm_exc_page_fault+0x27/0x30 ? __mmdrop+0x10/0x180 ? __mmdrop+0xec/0x180 ? hrtimer_active+0xd/0x50 hrtimer_try_to_cancel+0x2c/0xf0 hrtimer_cancel+0x15/0x30 napi_disable+0x65/0x90 mana_destroy_rxq+0x4c/0x2f0 mana_create_rxq.isra.0+0x56c/0x6d0 ? mana_uncfg_vport+0x50/0x50 mana_alloc_queues+0x21b/0x320 ? 
skb_dequeue+0x5f/0x80", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46785", "url": "https://ubuntu.com/security/CVE-2024-46785", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: eventfs: Use list_del_rcu() for SRCU protected list variable Chi Zhiling reported: We found a null pointer accessing in tracefs[1], the reason is that the variable 'ei_child' is set to LIST_POISON1, that means the list was removed in eventfs_remove_rec. so when access the ei_child->is_freed, the panic triggered. by the way, the following script can reproduce this panic loop1 (){ while true do echo \"p:kp submit_bio\" > /sys/kernel/debug/tracing/kprobe_events echo \"\" > /sys/kernel/debug/tracing/kprobe_events done } loop2 (){ while true do tree /sys/kernel/debug/tracing/events/kprobes/ done } loop1 & loop2 [1]: [ 1147.959632][T17331] Unable to handle kernel paging request at virtual address dead000000000150 [ 1147.968239][T17331] Mem abort info: [ 1147.971739][T17331] ESR = 0x0000000096000004 [ 1147.976172][T17331] EC = 0x25: DABT (current EL), IL = 32 bits [ 1147.982171][T17331] SET = 0, FnV = 0 [ 1147.985906][T17331] EA = 0, S1PTW = 0 [ 1147.989734][T17331] FSC = 0x04: level 0 translation fault [ 1147.995292][T17331] Data abort info: [ 1147.998858][T17331] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 1148.005023][T17331] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 1148.010759][T17331] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 1148.016752][T17331] [dead000000000150] address between user and kernel address ranges [ 1148.024571][T17331] Internal error: Oops: 0000000096000004 [#1] SMP [ 1148.030825][T17331] Modules linked in: team_mode_loadbalance team nlmon act_gact cls_flower sch_ingress bonding tls macvlan dummy ib_core bridge stp llc veth amdgpu amdxcp mfd_core gpu_sched drm_exec drm_buddy radeon crct10dif_ce video drm_suballoc_helper ghash_ce drm_ttm_helper sha2_ce ttm sha256_arm64 i2c_algo_bit 
sha1_ce sbsa_gwdt cp210x drm_display_helper cec sr_mod cdrom drm_kms_helper binfmt_misc sg loop fuse drm dm_mod nfnetlink ip_tables autofs4 [last unloaded: tls] [ 1148.072808][T17331] CPU: 3 PID: 17331 Comm: ls Tainted: G W ------- ---- 6.6.43 #2 [ 1148.081751][T17331] Source Version: 21b3b386e948bedd29369af66f3e98ab01b1c650 [ 1148.088783][T17331] Hardware name: Greatwall GW-001M1A-FTF/GW-001M1A-FTF, BIOS KunLun BIOS V4.0 07/16/2020 [ 1148.098419][T17331] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 1148.106060][T17331] pc : eventfs_iterate+0x2c0/0x398 [ 1148.111017][T17331] lr : eventfs_iterate+0x2fc/0x398 [ 1148.115969][T17331] sp : ffff80008d56bbd0 [ 1148.119964][T17331] x29: ffff80008d56bbf0 x28: ffff001ff5be2600 x27: 0000000000000000 [ 1148.127781][T17331] x26: ffff001ff52ca4e0 x25: 0000000000009977 x24: dead000000000100 [ 1148.135598][T17331] x23: 0000000000000000 x22: 000000000000000b x21: ffff800082645f10 [ 1148.143415][T17331] x20: ffff001fddf87c70 x19: ffff80008d56bc90 x18: 0000000000000000 [ 1148.151231][T17331] x17: 0000000000000000 x16: 0000000000000000 x15: ffff001ff52ca4e0 [ 1148.159048][T17331] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 1148.166864][T17331] x11: 0000000000000000 x10: 0000000000000000 x9 : ffff8000804391d0 [ 1148.174680][T17331] x8 : 0000000180000000 x7 : 0000000000000018 x6 : 0000aaab04b92862 [ 1148.182498][T17331] x5 : 0000aaab04b92862 x4 : 0000000080000000 x3 : 0000000000000068 [ 1148.190314][T17331] x2 : 000000000000000f x1 : 0000000000007ea8 x0 : 0000000000000001 [ 1148.198131][T17331] Call trace: [ 1148.201259][T17331] eventfs_iterate+0x2c0/0x398 [ 1148.205864][T17331] iterate_dir+0x98/0x188 [ 1148.210036][T17331] __arm64_sys_getdents64+0x78/0x160 [ 1148.215161][T17331] invoke_syscall+0x78/0x108 [ 1148.219593][T17331] el0_svc_common.constprop.0+0x48/0xf0 [ 1148.224977][T17331] do_el0_svc+0x24/0x38 [ 1148.228974][T17331] el0_svc+0x40/0x168 [ 1148.232798][T17 ---truncated---", 
"cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46786", "url": "https://ubuntu.com/security/CVE-2024-46786", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF The fscache_cookie_lru_timer is initialized when the fscache module is inserted, but is not deleted when the fscache module is removed. If timer_reduce() is called before removing the fscache module, the fscache_cookie_lru_timer will be added to the timer list of the current cpu. Afterwards, a use-after-free will be triggered in the softIRQ after removing the fscache module, as follows: ================================================================== BUG: unable to handle page fault for address: fffffbfff803c9e9 PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 21ffea067 P4D 21ffea067 PUD 21ffe6067 PMD 110a7c067 PTE 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G W 6.11.0-rc3 #855 Tainted: [W]=WARN RIP: 0010:__run_timer_base.part.0+0x254/0x8a0 Call Trace: tmigr_handle_remote_up+0x627/0x810 __walk_groups.isra.0+0x47/0x140 tmigr_handle_remote+0x1fa/0x2f0 handle_softirqs+0x180/0x590 irq_exit_rcu+0x84/0xb0 sysvec_apic_timer_interrupt+0x6e/0x90 asm_sysvec_apic_timer_interrupt+0x1a/0x20 RIP: 0010:default_idle+0xf/0x20 default_idle_call+0x38/0x60 do_idle+0x2b5/0x300 cpu_startup_entry+0x54/0x60 start_secondary+0x20d/0x280 common_startup_64+0x13e/0x148 Modules linked in: [last unloaded: netfs] ================================================================== Therefore delete fscache_cookie_lru_timer when removing the fscahe module.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46787", "url": "https://ubuntu.com/security/CVE-2024-46787", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: 
userfaultfd: fix checks for huge PMDs Patch series \"userfaultfd: fix races around pmd_trans_huge() check\", v2. The pmd_trans_huge() code in mfill_atomic() is wrong in three different ways depending on kernel version: 1. The pmd_trans_huge() check is racy and can lead to a BUG_ON() (if you hit the right two race windows) - I've tested this in a kernel build with some extra mdelay() calls. See the commit message for a description of the race scenario. On older kernels (before 6.5), I think the same bug can even theoretically lead to accessing transhuge page contents as a page table if you hit the right 5 narrow race windows (I haven't tested this case). 2. As pointed out by Qi Zheng, pmd_trans_huge() is not sufficient for detecting PMDs that don't point to page tables. On older kernels (before 6.5), you'd just have to win a single fairly wide race to hit this. I've tested this on 6.1 stable by racing migration (with a mdelay() patched into try_to_migrate()) against UFFDIO_ZEROPAGE - on my x86 VM, that causes a kernel oops in ptlock_ptr(). 3. On newer kernels (>=6.5), for shmem mappings, khugepaged is allowed to yank page tables out from under us (though I haven't tested that), so I think the BUG_ON() checks in mfill_atomic() are just wrong. I decided to write two separate fixes for these (one fix for bugs 1+2, one fix for bug 3), so that the first fix can be backported to kernels affected by bugs 1+2. This patch (of 2): This fixes two issues. I discovered that the following race can occur: mfill_atomic other thread ============ ============ pmdp_get_lockless() [reads none pmd] __pte_alloc [no-op] BUG_ON(pmd_none(*dst_pmd)) I have experimentally verified this in a kernel with extra mdelay() calls; the BUG_ON(pmd_none(*dst_pmd)) triggers. 
On kernels newer than commit 0d940a9b270b (\"mm/pgtable: allow pte_offset_map[_lock]() to fail\"), this can't lead to anything worse than a BUG_ON(), since the page table access helpers are actually designed to deal with page tables concurrently disappearing; but on older kernels (<=6.4), I think we could probably theoretically race past the two BUG_ON() checks and end up treating a hugepage as a page table. The second issue is that, as Qi Zheng pointed out, there are other types of huge PMDs that pmd_trans_huge() can't catch: devmap PMDs and swap PMDs (in particular, migration PMDs). On <=6.4, this is worse than the first issue: If mfill_atomic() runs on a PMD that contains a migration entry (which just requires winning a single, fairly wide race), it will pass the PMD to pte_offset_map_lock(), which assumes that the PMD points to a page table. Breakage follows: First, the kernel tries to take the PTE lock (which will crash or maybe worse if there is no \"struct page\" for the address bits in the migration entry PMD - I think at least on X86 there usually is no corresponding \"struct page\" thanks to the PTE inversion mitigation, amd64 looks different). If that didn't crash, the kernel would next try to write a PTE into what it wrongly thinks is a page table. As part of fixing these issues, get rid of the check for pmd_trans_huge() before __pte_alloc() - that's redundant, we're going to have to check for that after the __pte_alloc() anyway. 
Backport note: pmdp_get_lockless() is pmd_read_atomic() in older kernels.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46838", "url": "https://ubuntu.com/security/CVE-2024-46838", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: userfaultfd: don't BUG_ON() if khugepaged yanks our page table Since khugepaged was changed to allow retracting page tables in file mappings without holding the mmap lock, these BUG_ON()s are wrong - get rid of them. We could also remove the preceding \"if (unlikely(...))\" block, but then we could reach pte_offset_map_lock() with transhuge pages not just for file mappings but also for anonymous mappings - which would probably be fine but I think is not necessarily expected.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46845", "url": "https://ubuntu.com/security/CVE-2024-46845", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tracing/timerlat: Only clear timer if a kthread exists The timerlat tracer can use user space threads to check for osnoise and timer latency. If the program using this is killed via a SIGTERM, the threads are shutdown one at a time and another tracing instance can start up resetting the threads before they are fully closed. That causes the hrtimer assigned to the kthread to be shutdown and freed twice when the dying thread finally closes the file descriptors, causing a use-after-free bug. Only cancel the hrtimer if the associated thread is still around. Also add the interface_lock around the resetting of the tlat_var->kthread. Note, this is just a quick fix that can be backported to stable. 
A real fix is to have a better synchronization between the shutdown of old threads and the starting of new ones.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46788", "url": "https://ubuntu.com/security/CVE-2024-46788", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tracing/osnoise: Use a cpumask to know what threads are kthreads The start_kthread() and stop_thread() code was not always called with the interface_lock held. This means that the kthread variable could be unexpectedly changed causing the kthread_stop() to be called on it when it should not have been, leading to: while true; do rtla timerlat top -u -q & PID=$!; sleep 5; kill -INT $PID; sleep 0.001; kill -TERM $PID; wait $PID; done Causing the following OOPS: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] CPU: 5 UID: 0 PID: 885 Comm: timerlatu/5 Not tainted 6.11.0-rc4-test-00002-gbc754cc76d1b-dirty #125 a533010b71dab205ad2f507188ce8c82203b0254 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:hrtimer_active+0x58/0x300 Code: 48 c1 ee 03 41 54 48 01 d1 48 01 d6 55 53 48 83 ec 20 80 39 00 0f 85 30 02 00 00 49 8b 6f 30 4c 8d 75 10 4c 89 f0 48 c1 e8 03 <0f> b6 3c 10 4c 89 f0 83 e0 07 83 c0 03 40 38 f8 7c 09 40 84 ff 0f RSP: 0018:ffff88811d97f940 EFLAGS: 00010202 RAX: 0000000000000002 RBX: ffff88823c6b5b28 RCX: ffffed10478d6b6b RDX: dffffc0000000000 RSI: ffffed10478d6b6c RDI: ffff88823c6b5b28 RBP: 0000000000000000 R08: ffff88823c6b5b58 R09: ffff88823c6b5b60 R10: ffff88811d97f957 R11: 0000000000000010 R12: 00000000000a801d R13: ffff88810d8b35d8 R14: 0000000000000010 R15: ffff88823c6b5b28 FS: 0000000000000000(0000) GS:ffff88823c680000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000561858ad7258 
CR3: 000000007729e001 CR4: 0000000000170ef0 Call Trace: ? die_addr+0x40/0xa0 ? exc_general_protection+0x154/0x230 ? asm_exc_general_protection+0x26/0x30 ? hrtimer_active+0x58/0x300 ? __pfx_mutex_lock+0x10/0x10 ? __pfx_locks_remove_file+0x10/0x10 hrtimer_cancel+0x15/0x40 timerlat_fd_release+0x8e/0x1f0 ? security_file_release+0x43/0x80 __fput+0x372/0xb10 task_work_run+0x11e/0x1f0 ? _raw_spin_lock+0x85/0xe0 ? __pfx_task_work_run+0x10/0x10 ? poison_slab_object+0x109/0x170 ? do_exit+0x7a0/0x24b0 do_exit+0x7bd/0x24b0 ? __pfx_migrate_enable+0x10/0x10 ? __pfx_do_exit+0x10/0x10 ? __pfx_read_tsc+0x10/0x10 ? ktime_get+0x64/0x140 ? _raw_spin_lock_irq+0x86/0xe0 do_group_exit+0xb0/0x220 get_signal+0x17ba/0x1b50 ? vfs_read+0x179/0xa40 ? timerlat_fd_read+0x30b/0x9d0 ? __pfx_get_signal+0x10/0x10 ? __pfx_timerlat_fd_read+0x10/0x10 arch_do_signal_or_restart+0x8c/0x570 ? __pfx_arch_do_signal_or_restart+0x10/0x10 ? vfs_read+0x179/0xa40 ? ksys_read+0xfe/0x1d0 ? __pfx_ksys_read+0x10/0x10 syscall_exit_to_user_mode+0xbc/0x130 do_syscall_64+0x74/0x110 ? __pfx___rseq_handle_notify_resume+0x10/0x10 ? __pfx_ksys_read+0x10/0x10 ? fpregs_restore_userregs+0xdb/0x1e0 ? fpregs_restore_userregs+0xdb/0x1e0 ? syscall_exit_to_user_mode+0x116/0x130 ? do_syscall_64+0x74/0x110 ? do_syscall_64+0x74/0x110 ? do_syscall_64+0x74/0x110 entry_SYSCALL_64_after_hwframe+0x71/0x79 RIP: 0033:0x7ff0070eca9c Code: Unable to access opcode bytes at 0x7ff0070eca72. 
RSP: 002b:00007ff006dff8c0 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00007ff0070eca9c RDX: 0000000000000400 RSI: 00007ff006dff9a0 RDI: 0000000000000003 RBP: 00007ff006dffde0 R08: 0000000000000000 R09: 00007ff000000ba0 R10: 00007ff007004b08 R11: 0000000000000246 R12: 0000000000000003 R13: 00007ff006dff9a0 R14: 0000000000000007 R15: 0000000000000008 Modules linked in: snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec snd_hwdep snd_hda_core ---[ end trace 0000000000000000 ]--- This is because it would mistakenly call kthread_stop() on a user space thread making it \"exit\" before it actually exits. Since kthread ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46846", "url": "https://ubuntu.com/security/CVE-2024-46846", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: spi: rockchip: Resolve unbalanced runtime PM / system PM handling Commit e882575efc77 (\"spi: rockchip: Suspend and resume the bus during NOIRQ_SYSTEM_SLEEP_PM ops\") stopped respecting runtime PM status and simply disabled clocks unconditionally when suspending the system. This causes problems when the device is already runtime suspended when we go to sleep -- in which case we double-disable clocks and produce a WARNing. Switch back to pm_runtime_force_{suspend,resume}(), because that still seems like the right thing to do, and the aforementioned commit makes no explanation why it stopped using it. 
Also, refactor some of the resume() error handling, because it's not actually a good idea to re-disable clocks on failure.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46847", "url": "https://ubuntu.com/security/CVE-2024-46847", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mm: vmalloc: ensure vmap_block is initialised before adding to queue Commit 8c61291fd850 (\"mm: fix incorrect vbq reference in purge_fragmented_block\") extended the 'vmap_block' structure to contain a 'cpu' field which is set at allocation time to the id of the initialising CPU. When a new 'vmap_block' is being instantiated by new_vmap_block(), the partially initialised structure is added to the local 'vmap_block_queue' xarray before the 'cpu' field has been initialised. If another CPU is concurrently walking the xarray (e.g. via vm_unmap_aliases()), then it may perform an out-of-bounds access to the remote queue thanks to an uninitialised index. This has been observed as UBSAN errors in Android: | Internal error: UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP | | Call trace: | purge_fragmented_block+0x204/0x21c | _vm_unmap_aliases+0x170/0x378 | vm_unmap_aliases+0x1c/0x28 | change_memory_common+0x1dc/0x26c | set_memory_ro+0x18/0x24 | module_enable_ro+0x98/0x238 | do_init_module+0x1b0/0x310 Move the initialisation of 'vb->cpu' in new_vmap_block() ahead of the addition to the xarray.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46791", "url": "https://ubuntu.com/security/CVE-2024-46791", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open The mcp251x_hw_wake() function is called with the mpc_lock mutex held and disables the interrupt handler so that no interrupts can be processed while waking the device. 
If an interrupt has already occurred then waiting for the interrupt handler to complete will deadlock because it will be trying to acquire the same mutex. CPU0 CPU1 ---- ---- mcp251x_open() mutex_lock(&priv->mcp_lock) request_threaded_irq() mcp251x_can_ist() mutex_lock(&priv->mcp_lock) mcp251x_hw_wake() disable_irq() <-- deadlock Use disable_irq_nosync() instead because the interrupt handler does everything while holding the mutex so it doesn't matter if it's still running.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46829", "url": "https://ubuntu.com/security/CVE-2024-46829", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rtmutex: Drop rt_mutex::wait_lock before scheduling rt_mutex_handle_deadlock() is called with rt_mutex::wait_lock held. In the good case it returns with the lock held and in the deadlock case it emits a warning and goes into an endless scheduling loop with the lock held, which triggers the 'scheduling in atomic' warning. Unlock rt_mutex::wait_lock in the dead lock case before issuing the warning and dropping into the schedule for ever loop. [ tglx: Moved unlock before the WARN(), removed the pointless comment, \tmassaged changelog, added Fixes tag ]", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46848", "url": "https://ubuntu.com/security/CVE-2024-46848", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: Limit the period on Haswell Running the ltp test cve-2015-3290 concurrently reports the following warnings. perfevents: irq loop stuck! WARNING: CPU: 31 PID: 32438 at arch/x86/events/intel/core.c:3174 intel_pmu_handle_irq+0x285/0x370 Call Trace: ? __warn+0xa4/0x220 ? intel_pmu_handle_irq+0x285/0x370 ? __report_bug+0x123/0x130 ? intel_pmu_handle_irq+0x285/0x370 ? __report_bug+0x123/0x130 ? intel_pmu_handle_irq+0x285/0x370 ? report_bug+0x3e/0xa0 ? 
handle_bug+0x3c/0x70 ? exc_invalid_op+0x18/0x50 ? asm_exc_invalid_op+0x1a/0x20 ? irq_work_claim+0x1e/0x40 ? intel_pmu_handle_irq+0x285/0x370 perf_event_nmi_handler+0x3d/0x60 nmi_handle+0x104/0x330 Thanks to Thomas Gleixner's analysis, the issue is caused by the low initial period (1) of the frequency estimation algorithm, which triggers the defects of the HW, specifically erratum HSW11 and HSW143. (For the details, please refer https://lore.kernel.org/lkml/87plq9l5d2.ffs@tglx/) The HSW11 requires a period larger than 100 for the INST_RETIRED.ALL event, but the initial period in the freq mode is 1. The erratum is the same as the BDM11, which has been supported in the kernel. A minimum period of 128 is enforced as well on HSW. HSW143 is regarding that the fixed counter 1 may overcount 32 with the Hyper-Threading is enabled. However, based on the test, the hardware has more issues than it tells. Besides the fixed counter 1, the message 'interrupt took too long' can be observed on any counter which was armed with a period < 32 and two events expired in the same NMI. A minimum period of 32 is enforced for the rest of the events. The recommended workaround code of the HSW143 is not implemented. Because it only addresses the issue for the fixed counter. It brings extra overhead through extra MSR writing. No related overcounting issue has been reported so far.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46794", "url": "https://ubuntu.com/security/CVE-2024-46794", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: x86/tdx: Fix data leak in mmio_read() The mmio_read() function makes a TDVMCALL to retrieve MMIO data for an address from the VMM. Sean noticed that mmio_read() unintentionally exposes the value of an initialized variable (val) on the stack to the VMM. This variable is only needed as an output value. It did not need to be passed to the VMM in the first place. 
Do not send the original value of *val to the VMM. [ dhansen: clarify what 'val' is used for. ]", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46795", "url": "https://ubuntu.com/security/CVE-2024-46795", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: unset the binding mark of a reused connection Steve French reported null pointer dereference error from sha256 lib. cifs.ko can send session setup requests on reused connection. If reused connection is used for binding session, conn->binding can still remain true and generate_preauth_hash() will not set sess->Preauth_HashValue and it will be NULL. It is used as a material to create an encryption key in ksmbd_gen_smb311_encryptionkey. ->Preauth_HashValue cause null pointer dereference error from crypto_shash_update(). BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 8 PID: 429254 Comm: kworker/8:39 Hardware name: LENOVO 20MAS08500/20MAS08500, BIOS N2CET69W (1.52 ) Workqueue: ksmbd-io handle_ksmbd_work [ksmbd] RIP: 0010:lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3] ? show_regs+0x6d/0x80 ? __die+0x24/0x80 ? page_fault_oops+0x99/0x1b0 ? do_user_addr_fault+0x2ee/0x6b0 ? exc_page_fault+0x83/0x1b0 ? asm_exc_page_fault+0x27/0x30 ? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3] ? lib_sha256_base_do_update.isra.0+0x11e/0x1d0 [sha256_ssse3] ? __pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3] ? 
__pfx_sha256_transform_rorx+0x10/0x10 [sha256_ssse3] _sha256_update+0x77/0xa0 [sha256_ssse3] sha256_avx2_update+0x15/0x30 [sha256_ssse3] crypto_shash_update+0x1e/0x40 hmac_update+0x12/0x20 crypto_shash_update+0x1e/0x40 generate_key+0x234/0x380 [ksmbd] generate_smb3encryptionkey+0x40/0x1c0 [ksmbd] ksmbd_gen_smb311_encryptionkey+0x72/0xa0 [ksmbd] ntlm_authenticate.isra.0+0x423/0x5d0 [ksmbd] smb2_sess_setup+0x952/0xaa0 [ksmbd] __process_request+0xa3/0x1d0 [ksmbd] __handle_ksmbd_work+0x1c4/0x2f0 [ksmbd] handle_ksmbd_work+0x2d/0xa0 [ksmbd] process_one_work+0x16c/0x350 worker_thread+0x306/0x440 ? __pfx_worker_thread+0x10/0x10 kthread+0xef/0x120 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x44/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1b/0x30 ", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46797", "url": "https://ubuntu.com/security/CVE-2024-46797", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: powerpc/qspinlock: Fix deadlock in MCS queue If an interrupt occurs in queued_spin_lock_slowpath() after we increment qnodesp->count and before node->lock is initialized, another CPU might see stale lock values in get_tail_qnode(). If the stale lock value happens to match the lock on that CPU, then we write to the \"next\" pointer of the wrong qnode. This causes a deadlock as the former CPU, once it becomes the head of the MCS queue, will spin indefinitely until it's \"next\" pointer is set by its successor in the queue. Running stress-ng on a 16 core (16EC/16VP) shared LPAR, results in occasional lockups similar to the following: $ stress-ng --all 128 --vm-bytes 80% --aggressive \\ --maximize --oomable --verify --syslog \\ --metrics --times --timeout 5m watchdog: CPU 15 Hard LOCKUP ...... 
NIP [c0000000000b78f4] queued_spin_lock_slowpath+0x1184/0x1490 LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90 Call Trace: 0xc000002cfffa3bf0 (unreliable) _raw_spin_lock+0x6c/0x90 raw_spin_rq_lock_nested.part.135+0x4c/0xd0 sched_ttwu_pending+0x60/0x1f0 __flush_smp_call_function_queue+0x1dc/0x670 smp_ipi_demux_relaxed+0xa4/0x100 xive_muxed_ipi_action+0x20/0x40 __handle_irq_event_percpu+0x80/0x240 handle_irq_event_percpu+0x2c/0x80 handle_percpu_irq+0x84/0xd0 generic_handle_irq+0x54/0x80 __do_irq+0xac/0x210 __do_IRQ+0x74/0xd0 0x0 do_IRQ+0x8c/0x170 hardware_interrupt_common_virt+0x29c/0x2a0 --- interrupt: 500 at queued_spin_lock_slowpath+0x4b8/0x1490 ...... NIP [c0000000000b6c28] queued_spin_lock_slowpath+0x4b8/0x1490 LR [c000000001037c5c] _raw_spin_lock+0x6c/0x90 --- interrupt: 500 0xc0000029c1a41d00 (unreliable) _raw_spin_lock+0x6c/0x90 futex_wake+0x100/0x260 do_futex+0x21c/0x2a0 sys_futex+0x98/0x270 system_call_exception+0x14c/0x2f0 system_call_vectored_common+0x15c/0x2ec The following code flow illustrates how the deadlock occurs. For the sake of brevity, assume that both locks (A and B) are contended and we call the queued_spin_lock_slowpath() function. CPU0 CPU1 ---- ---- spin_lock_irqsave(A) | spin_unlock_irqrestore(A) | spin_lock(B) | | | ? | id = qnodesp->count++; | (Note that nodes[0].lock == A) | | | ? | Interrupt | (happens before \"nodes[0].lock = B\") | | | ? | spin_lock_irqsave(A) | | | ? | id = qnodesp->count++ | nodes[1].lock = A | | | ? | Tail of MCS queue | | spin_lock_irqsave(A) ? | Head of MCS queue ? | CPU0 is previous tail ? | Spin indefinitely ? (until \"nodes[1].next != NULL\") prev = get_tail_qnode(A, CPU0) | ? 
prev == &qnodes[CPU0].nodes[0] (as qnodes ---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46830", "url": "https://ubuntu.com/security/CVE-2024-46830", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS Grab kvm->srcu when processing KVM_SET_VCPU_EVENTS, as KVM will forcibly leave nested VMX/SVM if SMM mode is being toggled, and leaving nested VMX reads guest memory. Note, kvm_vcpu_ioctl_x86_set_vcpu_events() can also be called from KVM_RUN via sync_regs(), which already holds SRCU. I.e. trying to precisely use kvm_vcpu_srcu_read_lock() around the problematic SMM code would cause problems. Acquiring SRCU isn't all that expensive, so for simplicity, grab it unconditionally for KVM_SET_VCPU_EVENTS. ============================= WARNING: suspicious RCU usage 6.10.0-rc7-332d2c1d713e-next-vm #552 Not tainted ----------------------------- include/linux/kvm_host.h:1027 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by repro/1071: #0: ffff88811e424430 (&vcpu->mutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x7d/0x970 [kvm] stack backtrace: CPU: 15 PID: 1071 Comm: repro Not tainted 6.10.0-rc7-332d2c1d713e-next-vm #552 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Call Trace: dump_stack_lvl+0x7f/0x90 lockdep_rcu_suspicious+0x13f/0x1a0 kvm_vcpu_gfn_to_memslot+0x168/0x190 [kvm] kvm_vcpu_read_guest+0x3e/0x90 [kvm] nested_vmx_load_msr+0x6b/0x1d0 [kvm_intel] load_vmcs12_host_state+0x432/0xb40 [kvm_intel] vmx_leave_nested+0x30/0x40 [kvm_intel] kvm_vcpu_ioctl_x86_set_vcpu_events+0x15d/0x2b0 [kvm] kvm_arch_vcpu_ioctl+0x1107/0x1750 [kvm] ? mark_held_locks+0x49/0x70 ? kvm_vcpu_ioctl+0x7d/0x970 [kvm] ? kvm_vcpu_ioctl+0x497/0x970 [kvm] kvm_vcpu_ioctl+0x497/0x970 [kvm] ? lock_acquire+0xba/0x2d0 ? 
find_held_lock+0x2b/0x80 ? do_user_addr_fault+0x40c/0x6f0 ? lock_release+0xb7/0x270 __x64_sys_ioctl+0x82/0xb0 do_syscall_64+0x6c/0x170 entry_SYSCALL_64_after_hwframe+0x4b/0x53 RIP: 0033:0x7ff11eb1b539 ", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46798", "url": "https://ubuntu.com/security/CVE-2024-46798", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object When using kernel with the following extra config, - CONFIG_KASAN=y - CONFIG_KASAN_GENERIC=y - CONFIG_KASAN_INLINE=y - CONFIG_KASAN_VMALLOC=y - CONFIG_FRAME_WARN=4096 kernel detects that snd_pcm_suspend_all() access a freed 'snd_soc_pcm_runtime' object when the system is suspended, which leads to a use-after-free bug: [ 52.047746] BUG: KASAN: use-after-free in snd_pcm_suspend_all+0x1a8/0x270 [ 52.047765] Read of size 1 at addr ffff0000b9434d50 by task systemd-sleep/2330 [ 52.047785] Call trace: [ 52.047787] dump_backtrace+0x0/0x3c0 [ 52.047794] show_stack+0x34/0x50 [ 52.047797] dump_stack_lvl+0x68/0x8c [ 52.047802] print_address_description.constprop.0+0x74/0x2c0 [ 52.047809] kasan_report+0x210/0x230 [ 52.047815] __asan_report_load1_noabort+0x3c/0x50 [ 52.047820] snd_pcm_suspend_all+0x1a8/0x270 [ 52.047824] snd_soc_suspend+0x19c/0x4e0 The snd_pcm_sync_stop() has a NULL check on 'substream->runtime' before making any access. So we need to always set 'substream->runtime' to NULL everytime we kfree() it.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46831", "url": "https://ubuntu.com/security/CVE-2024-46831", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: microchip: vcap: Fix use-after-free error in kunit test This is a clear use-after-free error. 
We remove it, and rely on checking the return code of vcap_del_rule.", "cve_priority": "medium", "cve_public_date": "2024-09-27 13:15:00 UTC" }, { "cve": "CVE-2024-46747", "url": "https://ubuntu.com/security/CVE-2024-46747", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup report_fixup for the Cougar 500k Gaming Keyboard was not verifying that the report descriptor size was correct before accessing it", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46725", "url": "https://ubuntu.com/security/CVE-2024-46725", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix out-of-bounds write warning Check the ring type value to fix the out-of-bounds write warning", "cve_priority": "medium", "cve_public_date": "2024-09-18 07:15:00 UTC" }, { "cve": "CVE-2024-46724", "url": "https://ubuntu.com/security/CVE-2024-46724", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number Check the fb_channel_number range to avoid the array out-of-bounds read error", "cve_priority": "medium", "cve_public_date": "2024-09-18 07:15:00 UTC" }, { "cve": "CVE-2024-46723", "url": "https://ubuntu.com/security/CVE-2024-46723", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix ucode out-of-bounds read warning Clear warning that read ucode[] may out-of-bounds.", "cve_priority": "medium", "cve_public_date": "2024-09-18 07:15:00 UTC" }, { "cve": "CVE-2024-46743", "url": "https://ubuntu.com/security/CVE-2024-46743", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: of/irq: Prevent device address out-of-bounds read in interrupt map walk When of_irq_parse_raw() is invoked with a device address smaller than the interrupt parent node 
(from #address-cells property), KASAN detects the following out-of-bounds read when populating the initial match table (dyndbg=\"func of_irq_parse_* +p\"): OF: of_irq_parse_one: dev=/soc@0/picasso/watchdog, index=0 OF: parent=/soc@0/pci@878000000000/gpio0@17,0, intsize=2 OF: intspec=4 OF: of_irq_parse_raw: ipar=/soc@0/pci@878000000000/gpio0@17,0, size=2 OF: -> addrsize=3 ================================================================== BUG: KASAN: slab-out-of-bounds in of_irq_parse_raw+0x2b8/0x8d0 Read of size 4 at addr ffffff81beca5608 by task bash/764 CPU: 1 PID: 764 Comm: bash Tainted: G O 6.1.67-484c613561-nokia_sm_arm64 #1 Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.01-12.24.03-dirty 01/01/2023 Call trace: dump_backtrace+0xdc/0x130 show_stack+0x1c/0x30 dump_stack_lvl+0x6c/0x84 print_report+0x150/0x448 kasan_report+0x98/0x140 __asan_load4+0x78/0xa0 of_irq_parse_raw+0x2b8/0x8d0 of_irq_parse_one+0x24c/0x270 parse_interrupts+0xc0/0x120 of_fwnode_add_links+0x100/0x2d0 fw_devlink_parse_fwtree+0x64/0xc0 device_add+0xb38/0xc30 of_device_add+0x64/0x90 of_platform_device_create_pdata+0xd0/0x170 of_platform_bus_create+0x244/0x600 of_platform_notify+0x1b0/0x254 blocking_notifier_call_chain+0x9c/0xd0 __of_changeset_entry_notify+0x1b8/0x230 __of_changeset_apply_notify+0x54/0xe4 of_overlay_fdt_apply+0xc04/0xd94 ... 
The buggy address belongs to the object at ffffff81beca5600 which belongs to the cache kmalloc-128 of size 128 The buggy address is located 8 bytes inside of 128-byte region [ffffff81beca5600, ffffff81beca5680) The buggy address belongs to the physical page: page:00000000230d3d03 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1beca4 head:00000000230d3d03 order:1 compound_mapcount:0 compound_pincount:0 flags: 0x8000000000010200(slab|head|zone=2) raw: 8000000000010200 0000000000000000 dead000000000122 ffffff810000c300 raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffffff81beca5500: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffffff81beca5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffffff81beca5600: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffffff81beca5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffffff81beca5700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc ================================================================== OF: -> got it ! Prevent the out-of-bounds read by copying the device address into a buffer of sufficient size.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46757", "url": "https://ubuntu.com/security/CVE-2024-46757", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (nct6775-core) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. 
Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46759", "url": "https://ubuntu.com/security/CVE-2024-46759", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (adc128d818) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46758", "url": "https://ubuntu.com/security/CVE-2024-46758", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (lm95234) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46756", "url": "https://ubuntu.com/security/CVE-2024-46756", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: hwmon: (w83627ehf) Fix underflows seen when writing limit attributes DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large negative number such as -9223372036854775808 is provided by the user. 
Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46738", "url": "https://ubuntu.com/security/CVE-2024-46738", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: VMCI: Fix use-after-free when removing resource in vmci_resource_remove() When removing a resource from vmci_resource_table in vmci_resource_remove(), the search is performed using the resource handle by comparing context and resource fields. It is possible though to create two resources with different types but same handle (same context and resource fields). When trying to remove one of the resources, vmci_resource_remove() may not remove the intended one, but the object will still be freed as in the case of the datagram type in vmci_datagram_destroy_handle(). vmci_resource_table will still hold a pointer to this freed resource leading to a use-after-free vulnerability. BUG: KASAN: use-after-free in vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline] BUG: KASAN: use-after-free in vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147 Read of size 4 at addr ffff88801c16d800 by task syz-executor197/1592 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x82/0xa9 lib/dump_stack.c:106 print_address_description.constprop.0+0x21/0x366 mm/kasan/report.c:239 __kasan_report.cold+0x7f/0x132 mm/kasan/report.c:425 kasan_report+0x38/0x51 mm/kasan/report.c:442 vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline] vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147 vmci_qp_broker_detach+0x89a/0x11b9 drivers/misc/vmw_vmci/vmci_queue_pair.c:2182 ctx_free_ctx+0x473/0xbe1 drivers/misc/vmw_vmci/vmci_context.c:444 kref_put include/linux/kref.h:65 [inline] vmci_ctx_put drivers/misc/vmw_vmci/vmci_context.c:497 [inline] vmci_ctx_destroy+0x170/0x1d6 drivers/misc/vmw_vmci/vmci_context.c:195 
vmci_host_close+0x125/0x1ac drivers/misc/vmw_vmci/vmci_host.c:143 __fput+0x261/0xa34 fs/file_table.c:282 task_work_run+0xf0/0x194 kernel/task_work.c:164 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop+0x184/0x189 kernel/entry/common.c:187 exit_to_user_mode_prepare+0x11b/0x123 kernel/entry/common.c:220 __syscall_exit_to_user_mode_work kernel/entry/common.c:302 [inline] syscall_exit_to_user_mode+0x18/0x42 kernel/entry/common.c:313 do_syscall_64+0x41/0x85 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x6e/0x0 This change ensures the type is also checked when removing the resource from vmci_resource_table in vmci_resource_remove().", "cve_priority": "medium", "cve_public_date": "2024-09-18 08:15:00 UTC" }, { "cve": "CVE-2024-46722", "url": "https://ubuntu.com/security/CVE-2024-46722", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix mc_data out-of-bounds read warning Clear warning that read mc_data[i-1] may out-of-bounds.", "cve_priority": "medium", "cve_public_date": "2024-09-18 07:15:00 UTC" }, { "cve": "CVE-2024-42284", "url": "https://ubuntu.com/security/CVE-2024-42284", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tipc: Return non-zero value from tipc_udp_addr2str() on error tipc_udp_addr2str() should return non-zero value if the UDP media address is invalid. Otherwise, a buffer overflow access can occur in tipc_media_addr_printf(). Fix this by returning 1 on an invalid UDP media address.", "cve_priority": "medium", "cve_public_date": "2024-08-17 09:15:00 UTC" }, { "cve": "CVE-2024-44987", "url": "https://ubuntu.com/security/CVE-2024-44987", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent UAF in ip6_send_skb() syzbot reported an UAF in ip6_send_skb() [1] After ip6_local_out() has returned, we no longer can safely dereference rt, unless we hold rcu_read_lock(). 
A similar issue has been fixed in commit a688caa34beb (\"ipv6: take rcu lock in rawv6_send_hdrinc()\") Another potential issue in ip6_finish_output2() is handled in a separate patch. [1] BUG: KASAN: slab-use-after-free in ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964 Read of size 8 at addr ffff88806dde4858 by task syz.1.380/6530 CPU: 1 UID: 0 PID: 6530 Comm: syz.1.380 Not tainted 6.11.0-rc3-syzkaller-00306-gdf6cbc62cc9b #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 ip6_send_skb+0x18d/0x230 net/ipv6/ip6_output.c:1964 rawv6_push_pending_frames+0x75c/0x9e0 net/ipv6/raw.c:588 rawv6_sendmsg+0x19c7/0x23c0 net/ipv6/raw.c:926 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x1a6/0x270 net/socket.c:745 sock_write_iter+0x2dd/0x400 net/socket.c:1160 do_iter_readv_writev+0x60a/0x890 vfs_writev+0x37c/0xbb0 fs/read_write.c:971 do_writev+0x1b1/0x350 fs/read_write.c:1018 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f936bf79e79 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f936cd7f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 RAX: ffffffffffffffda RBX: 00007f936c115f80 RCX: 00007f936bf79e79 RDX: 0000000000000001 RSI: 0000000020000040 RDI: 0000000000000004 RBP: 00007f936bfe7916 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f936c115f80 R15: 00007fff2860a7a8 Allocated by task 6530: kasan_save_stack 
mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:312 [inline] __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slub.c:3988 [inline] slab_alloc_node mm/slub.c:4037 [inline] kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4044 dst_alloc+0x12b/0x190 net/core/dst.c:89 ip6_blackhole_route+0x59/0x340 net/ipv6/route.c:2670 make_blackhole net/xfrm/xfrm_policy.c:3120 [inline] xfrm_lookup_route+0xd1/0x1c0 net/xfrm/xfrm_policy.c:3313 ip6_dst_lookup_flow+0x13e/0x180 net/ipv6/ip6_output.c:1257 rawv6_sendmsg+0x1283/0x23c0 net/ipv6/raw.c:898 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x1a6/0x270 net/socket.c:745 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597 ___sys_sendmsg net/socket.c:2651 [inline] __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 45: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2252 [inline] slab_free mm/slub.c:4473 [inline] kmem_cache_free+0x145/0x350 mm/slub.c:4548 dst_destroy+0x2ac/0x460 net/core/dst.c:124 rcu_do_batch kernel/rcu/tree.c:2569 [inline] rcu_core+0xafd/0x1830 kernel/rcu/tree. 
---truncated---", "cve_priority": "medium", "cve_public_date": "2024-09-04 20:15:00 UTC" }, { "cve": "CVE-2024-42301", "url": "https://ubuntu.com/security/CVE-2024-42301", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: dev/parport: fix the array out-of-bounds risk Fixed array out-of-bounds issues caused by sprintf by replacing it with snprintf for safer data copying, ensuring the destination buffer is not overflowed. Below is the stack trace I encountered during the actual issue: [ 66.575408s] [pid:5118,cpu4,QThread,4]Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: do_hardware_base_addr+0xcc/0xd0 [parport] [ 66.575408s] [pid:5118,cpu4,QThread,5]CPU: 4 PID: 5118 Comm: QThread Tainted: G S W O 5.10.97-arm64-desktop #7100.57021.2 [ 66.575439s] [pid:5118,cpu4,QThread,6]TGID: 5087 Comm: EFileApp [ 66.575439s] [pid:5118,cpu4,QThread,7]Hardware name: HUAWEI HUAWEI QingYun PGUX-W515x-B081/SP1PANGUXM, BIOS 1.00.07 04/29/2024 [ 66.575439s] [pid:5118,cpu4,QThread,8]Call trace: [ 66.575469s] [pid:5118,cpu4,QThread,9] dump_backtrace+0x0/0x1c0 [ 66.575469s] [pid:5118,cpu4,QThread,0] show_stack+0x14/0x20 [ 66.575469s] [pid:5118,cpu4,QThread,1] dump_stack+0xd4/0x10c [ 66.575500s] [pid:5118,cpu4,QThread,2] panic+0x1d8/0x3bc [ 66.575500s] [pid:5118,cpu4,QThread,3] __stack_chk_fail+0x2c/0x38 [ 66.575500s] [pid:5118,cpu4,QThread,4] do_hardware_base_addr+0xcc/0xd0 [parport]", "cve_priority": "medium", "cve_public_date": "2024-08-17 09:15:00 UTC" }, { "cve": "CVE-2024-44998", "url": "https://ubuntu.com/security/CVE-2024-44998", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: atm: idt77252: prevent use after free in dequeue_rx() We can't dereference \"skb\" after calling vcc->push() because the skb is released.", "cve_priority": "medium", "cve_public_date": "2024-09-04 20:15:00 UTC" } ], "log": [ "", " * noble/linux-riscv: 6.8.0-50.51.1 -proposed tracker (LP: #2086298)", "", " * 
Noble update: upstream stable patchset 2024-10-29 (LP: #2085849)", " - Revert \"mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K\"", "", " * Packaging resync (LP: #1786013)", " - [Packaging] resync git-ubuntu-log", " - [Packaging] debian.riscv/dkms-versions -- update from kernel-versions", " (main/2024.10.28)", "", " [ Ubuntu: 6.8.0-50.51 ]", "", " * noble/linux: 6.8.0-50.51 -proposed tracker (LP: #2086301)", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.master/dkms-versions -- update from kernel-versions", " (main/2024.10.28)", " * Noble update: upstream stable patchset 2024-10-31 (LP: #2086138)", " - device property: Add cleanup.h based fwnode_handle_put() scope based", " cleanup.", " - device property: Introduce device_for_each_child_node_scoped()", " - iio: adc: ad7124: Switch from of specific to fwnode based property handling", " - ksmbd: override fsids for share path check", " - ksmbd: override fsids for smb2_query_info()", " - usbnet: ipheth: remove extraneous rx URB length check", " - usbnet: ipheth: drop RX URBs with no payload", " - usbnet: ipheth: do not stop RX on failing RX callback", " - usbnet: ipheth: fix carrier detection in modes 1 and 4", " - net: ethernet: use ip_hdrlen() instead of bit shift", " - drm: panel-orientation-quirks: Add quirk for Ayn Loki Zero", " - drm: panel-orientation-quirks: Add quirk for Ayn Loki Max", " - net: phy: vitesse: repair vsc73xx autonegotiation", " - powerpc/mm: Fix boot warning with hugepages and CONFIG_DEBUG_VIRTUAL", " - wifi: mt76: mt7921: fix NULL pointer access in mt7921_ipv6_addr_change", " - net: hns3: use correct release function during uninitialization", " - btrfs: update target inode's ctime on unlink", " - Input: ads7846 - ratelimit the spi_sync error message", " - Input: synaptics - enable SMBus for HP Elitebook 840 G2", " - HID: multitouch: Add support for GT7868Q", " - scripts: kconfig: merge_config: config files: add a trailing newline", " - platform/surface: 
aggregator_registry: Add Support for Surface Pro 10", " - platform/surface: aggregator_registry: Add support for Surface Laptop Go 3", " - drm/msm/adreno: Fix error return if missing firmware-name", " - Input: i8042 - add Fujitsu Lifebook E756 to i8042 quirk table", " - smb/server: fix return value of smb2_open()", " - NFSv4: Fix clearing of layout segments in layoutreturn", " - NFS: Avoid unnecessary rescanning of the per-server delegation list", " - platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses", " - platform/x86: panasonic-laptop: Allocate 1 entry extra in the sinf array", " - mptcp: pm: Fix uaf in __timer_delete_sync", " - arm64: dts: rockchip: fix eMMC/SPI corruption when audio has been used on", " RK3399 Puma", " - arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399", " Puma", " - minmax: reduce min/max macro expansion in atomisp driver", " - net: tighten bad gso csum offset check in virtio_net_hdr", " - dm-integrity: fix a race condition when accessing recalc_sector", " - x86/hyperv: fix kexec crash due to VP assist page corruption", " - mm: avoid leaving partial pfn mappings around in error case", " - arm64: dts: rockchip: fix PMIC interrupt pin in pinctrl for ROCK Pi E", " - drm/amd/display: Disable error correction if it's not supported", " - drm/amd/display: Fix FEC_READY write on DP LT", " - eeprom: digsy_mtc: Fix 93xx46 driver probe failure", " - cxl/core: Fix incorrect vendor debug UUID define", " - selftests/bpf: Support SOCK_STREAM in unix_inet_redir_to_connected()", " - hwmon: (pmbus) Conditionally clear individual status bits for pmbus rev >=", " 1.2", " - ice: Fix lldp packets dropping after changing the number of channels", " - ice: fix accounting for filters shared by multiple VSIs", " - ice: fix VSI lists confusion when adding VLANs", " - igb: Always call igb_xdp_ring_update_tail() under Tx lock", " - net/mlx5: Update the list of the PCI supported devices", " - net/mlx5e: Add missing link modes to 
ptys2ethtool_map", " - net/mlx5e: Add missing link mode to ptys2ext_ethtool_map", " - net/mlx5: Explicitly set scheduling element and TSAR type", " - net/mlx5: Add missing masks and QoS bit masks for scheduling elements", " - net/mlx5: Correct TASR typo into TSAR", " - net/mlx5: Verify support for scheduling element and TSAR type", " - net/mlx5: Fix bridge mode operations when there are no VFs", " - fou: fix initialization of grc", " - octeontx2-af: Modify SMQ flush sequence to drop packets", " - net: ftgmac100: Enable TX interrupt to avoid TX timeout", " - selftests: net: csum: Fix checksums for packets with non-zero padding", " - netfilter: nft_socket: fix sk refcount leaks", " - net: dsa: felix: ignore pending status of TAS module when it's disabled", " - net: dpaa: Pad packets to ETH_ZLEN", " - tracing/osnoise: Fix build when timerlat is not enabled", " - spi: nxp-fspi: fix the KASAN report out-of-bounds bug", " - drm/syncobj: Fix syncobj leak in drm_syncobj_eventfd_ioctl", " - dma-buf: heaps: Fix off-by-one in CMA heap fault handler", " - drm/nouveau/fb: restore init() for ramgp102", " - drm/amdgpu/atomfirmware: Silence UBSAN warning", " - drm/amd/amdgpu: apply command submission parser for JPEG v1", " - spi: geni-qcom: Undo runtime PM changes at driver exit time", " - spi: geni-qcom: Fix incorrect free_irq() sequence", " - drm/i915/guc: prevent a possible int overflow in wq offsets", " - ASoC: codecs: avoid possible garbage value in peb2466_reg_read()", " - cifs: Fix signature miscalculation", " - pinctrl: meteorlake: Add Arrow Lake-H/U ACPI ID", " - ASoC: meson: axg-card: fix 'use-after-free'", " - drm/mediatek: Set sensible cursor width/height values to fix crash", " - Input: edt-ft5x06 - add support for FocalTech FT5452 and FT8719", " - Input: edt-ft5x06 - add support for FocalTech FT8201", " - cgroup/cpuset: Eliminate unncessary sched domains rebuilds in hotplug", " - spi: zynqmp-gqspi: Scale timeout by data size", " - drm/xe: use devm instead of drmm for 
managed bo", " - net: libwx: fix number of Rx and Tx descriptors", " - clocksource: hyper-v: Use lapic timer in a TDX VM without paravisor", " - bcachefs: Fix bch2_extents_match() false positive", " - bcachefs: Don't delete open files in online fsck", " - firmware: qcom: uefisecapp: Fix deadlock in qcuefi_acquire()", " - riscv: dts: starfive: jh7110-common: Fix lower rate of CPUfreq by setting", " PLL0 rate to 1.5GHz", " - cxl: Restore XOR'd position bits during address translation", " - netlink: specs: mptcp: fix port endianness", " - drm/amd/display: Avoid race between dcn10_set_drr() and dc_state_destruct()", " - drm/amd/display: Avoid race between dcn35_set_drr() and dc_state_destruct()", " - drm/amd/amdgpu: apply command submission parser for JPEG v2+", " - drm/xe/client: fix deadlock in show_meminfo()", " - drm/xe/client: remove bogus rcu list usage", " - drm/xe/client: add missing bo locking in show_meminfo()", " - tracing/kprobes: Fix build error when find_module() is not available", " - drm/xe/display: fix compat IS_DISPLAY_STEP() range end", " - Upstream stable to v6.6.52, v6.10.11", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849)", " - KVM: SVM: fix emulation of msr reads/writes of MSR_FS_BASE and MSR_GS_BASE", " - KVM: SVM: Don't advertise Bus Lock Detect to guest if SVM support is missing", " - ALSA: hda/conexant: Add pincfg quirk to enable top speakers on Sirius", " devices", " - ALSA: hda/realtek: add patch for internal mic in Lenovo V145", " - ALSA: hda/realtek: Support mute LED on HP Laptop 14-dq2xxx", " - ksmbd: Unlock on in ksmbd_tcp_set_interfaces()", " - ata: libata: Fix memory leak for error path in ata_host_alloc()", " - irqchip/gic-v2m: Fix refcount leak in gicv2m_of_init()", " - x86/kaslr: Expose and use the end of the physical memory address space", " - nvme-pci: Add sleep quirk for Samsung 990 Evo", " - rust: types: Make Opaque::get const", " - rust: macros: provide correct provenance when constructing THIS_MODULE", " 
- Revert \"Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/LE\"", " - Bluetooth: MGMT: Ignore keys being loaded with invalid type", " - mmc: core: apply SD quirks earlier during probe", " - mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K", " - mmc: sdhci-of-aspeed: fix module autoloading", " - mmc: cqhci: Fix checking of CQHCI_HALT state", " - fuse: update stats for pages in dropped aux writeback list", " - fuse: use unsigned type for getxattr/listxattr size truncation", " - fuse: fix memory leak in fuse_create_open", " - clk: starfive: jh7110-sys: Add notifier for PLL0 clock", " - clk: qcom: clk-alpha-pll: Fix the pll post div mask", " - clk: qcom: clk-alpha-pll: Fix the trion pll postdiv set rate API", " - kexec_file: fix elfcorehdr digest exclusion when CONFIG_CRASH_HOTPLUG=y", " - tracing: Avoid possible softlockup in tracing_iter_reset()", " - tracing/timerlat: Add interface_lock around clearing of kthread in", " stop_kthread()", " - net: mctp-serial: Fix missing escapes on transmit", " - x86/fpu: Avoid writing LBR bit to IA32_XSS unless supported", " - x86/apic: Make x2apic_disable() work correctly", " - drm/i915: Do not attempt to load the GSC multiple times", " - ALSA: control: Apply sanity check of input values for user elements", " - ALSA: hda: Add input value sanity checks to HDMI channel map controls", " - wifi: ath12k: fix uninitialize symbol error on ath12k_peer_assoc_h_he()", " - smack: unix sockets: fix accept()ed socket label", " - bpf, verifier: Correct tail_call_reachable for bpf prog", " - accel/habanalabs/gaudi2: unsecure edma max outstanding register", " - irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1", " - af_unix: Remove put_pid()/put_cred() in copy_peercred().", " - x86/kmsan: Fix hook for unaligned accesses", " - iommu: sun50i: clear bypass register", " - netfilter: nf_conncount: fix wrong variable type", " - fs/ntfs3: One more reason to mark inode bad", " - riscv: kprobes: Use patch_text_nosync() for 
insn slots", " - media: vivid: fix wrong sizeimage value for mplane", " - leds: spi-byte: Call of_node_put() on error path", " - wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3", " - usb: uas: set host status byte on data completion error", " - drm/amd/display: Check HDCP returned status", " - drm/amdgpu: clear RB_OVERFLOW bit when enabling interrupts", " - media: vivid: don't set HDMI TX controls if there are no HDMI outputs", " - vfio/spapr: Always clear TCEs before unsetting the window", " - ice: Check all ice_vsi_rebuild() errors in function", " - Input: ili210x - use kvmalloc() to allocate buffer for firmware update", " - media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse", " - pcmcia: Use resource_size function on resource object", " - drm/amdgpu: check for LINEAR_ALIGNED correctly in check_tiling_flags_gfx6", " - can: m_can: Release irq on error in m_can_open", " - can: mcp251xfd: fix ring configuration when switching from CAN-CC to CAN-FD", " mode", " - rust: kbuild: fix export of bss symbols", " - cifs: Fix FALLOC_FL_ZERO_RANGE to preflush buffered part of target region", " - igb: Fix not clearing TimeSync interrupts for 82580", " - platform/x86: dell-smbios: Fix error path in dell_smbios_init()", " - regulator: core: Stub devm_regulator_bulk_get_const() if !CONFIG_REGULATOR", " - can: kvaser_pciefd: Skip redundant NULL pointer check in ISR", " - can: kvaser_pciefd: Remove unnecessary comment", " - can: kvaser_pciefd: Rename board_irq to pci_irq", " - can: kvaser_pciefd: Move reset of DMA RX buffers to the end of the ISR", " - can: kvaser_pciefd: Use a single write when releasing RX buffers", " - Bluetooth: qca: If memdump doesn't work, re-enable IBS", " - Bluetooth: hci_sync: Introduce hci_cmd_sync_run/hci_cmd_sync_run_once", " - Bluetooth: MGMT: Fix not generating command complete for MGMT_OP_DISCONNECT", " - igc: Unlock on error in igc_io_resume()", " - ice: do not bring the VSI up, if it was down before the XDP setup", " - usbnet: modern 
method to get random MAC", " - bpf, net: Fix a potential race in do_sock_getsockopt()", " - bareudp: Fix device stats updates.", " - r8152: fix the firmware doesn't work", " - net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN", " - net: dsa: vsc73xx: fix possible subblocks range of CAPT block", " - selftests: net: enable bind tests", " - firmware: cs_dsp: Don't allow writes to read-only controls", " - phy: zynqmp: Take the phy mutex in xlate", " - ASoC: topology: Properly initialize soc_enum values", " - dm init: Handle minors larger than 255", " - iommu/vt-d: Handle volatile descriptor status read", " - cgroup: Protect css->cgroup write under css_set_lock", " - devres: Initialize an uninitialized struct member", " - virtio_ring: fix KMSAN error for premapped mode", " - crypto: qat - fix unintentional re-enabling of error interrupts", " - ASoc: TAS2781: replace beXX_to_cpup with get_unaligned_beXX for potentially", " broken alignment", " - libbpf: Add NULL checks to bpf_object__{prev_map,next_map}", " - drm/amdgpu: Set no_hw_access when VF request full GPU fails", " - ext4: fix possible tid_t sequence overflows", " - jbd2: avoid mount failed when commit block is partial submitted", " - dma-mapping: benchmark: Don't starve others when doing the test", " - drm/amdgpu: reject gang submit on reserved VMIDs", " - smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu()", " - fs/ntfs3: Check more cases when directory is corrupted", " - btrfs: replace BUG_ON with ASSERT in walk_down_proc()", " - cxl/region: Verify target positions using the ordered target list", " - riscv: set trap vector earlier", " - tcp: Don't drop SYN+ACK for simultaneous connect().", " - net: dpaa: avoid on-stack arrays of NR_CPUS elements", " - LoongArch: Use correct API to map cmdline in relocate_kernel()", " - regmap: maple: work around gcc-14.1 false-positive warning", " - vfs: Fix potential circular locking through setxattr() and removexattr()", " - i3c: master: svc: 
resend target address when get NACK", " - kselftests: dmabuf-heaps: Ensure the driver name is null-terminated", " - btrfs: initialize location to fix -Wmaybe-uninitialized in", " btrfs_lookup_dentry()", " - s390/vmlinux.lds.S: Move ro_after_init section behind rodata section", " - usbnet: ipheth: race between ipheth_close and error handling", " - spi: spi-fsl-lpspi: limit PRESCALE bit in TCR register", " - ata: pata_macio: Use WARN instead of BUG", " - NFSv4: Add missing rescheduling points in", " nfs_client_return_marked_delegations", " - ACPI: CPPC: Add helper to get the highest performance value", " - cpufreq: amd-pstate: Enable amd-pstate preferred core support", " - cpufreq: amd-pstate: fix the highest frequency issue which limits", " performance", " - tcp: process the 3rd ACK with sk_socket for TFO/MPTCP", " - iio: buffer-dmaengine: fix releasing dma channel on error", " - iio: fix scale application in iio_convert_raw_to_processed_unlocked", " - iio: adc: ad7124: fix config comparison", " - iio: adc: ad7606: remove frstdata check for serial mode", " - iio: adc: ad7124: fix chip ID mismatch", " - usb: dwc3: core: update LC timer as per USB Spec V3.2", " - usb: cdns2: Fix controller reset issue", " - usb: dwc3: Avoid waking up gadget during startxfer", " - nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc", " - Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic", " - clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX", " - clocksource/drivers/imx-tpm: Fix next event not taking effect sometime", " - clocksource/drivers/timer-of: Remove percpu irq related code", " - uprobes: Use kzalloc to allocate xol area", " - Revert \"mm: skip CMA pages when they are not available\"", " - workqueue: wq_watchdog_touch is always called with valid CPU", " - workqueue: Improve scalability of workqueue watchdog touch", " - ACPI: processor: Return an error if acpi_processor_get_info() fails in", " processor_add()", " - ACPI: processor: 
Fix memory leaks in error paths of processor_add()", " - arm64: acpi: Move get_cpu_for_acpi_id() to a header", " - can: mcp251xfd: mcp251xfd_handle_rxif_ring_uinc(): factor out in separate", " function", " - can: mcp251xfd: rx: prepare to workaround broken RX FIFO head index erratum", " - can: mcp251xfd: clarify the meaning of timestamp", " - can: mcp251xfd: rx: add workaround for erratum DS80000789E 6 of mcp2518fd", " - drm/amd: Add gfx12 swizzle mode defs", " - drm/amdgpu: handle gfx12 in amdgpu_display_verify_sizes", " - ata: libata-scsi: Remove redundant sense_buffer memsets", " - ata: libata-scsi: Check ATA_QCFLAG_RTF_FILLED before using result_tf", " - crypto: starfive - Align rsa input data to 32-bit", " - crypto: starfive - Fix nent assignment in rsa dec", " - clk: qcom: ipq9574: Update the alpha PLL type for GPLLs", " - powerpc/64e: remove unused IBM HTW code", " - powerpc/64e: split out nohash Book3E 64-bit code", " - powerpc/64e: Define mmu_pte_psize static", " - powerpc/vdso: Don't discard rela sections", " - ASoC: tegra: Fix CBB error during probe()", " - nvme-pci: allocate tagset on reset if necessary", " - ASoc: SOF: topology: Clear SOF link platform name upon unload", " - ASoC: sunxi: sun4i-i2s: fix LRCLK polarity in i2s mode", " - clk: qcom: gcc-sm8550: Don't use parking clk_ops for QUPs", " - clk: qcom: gcc-sm8550: Don't park the USB RCG at registration time", " - drm/i915/fence: Mark debug_fence_init_onstack() with __maybe_unused", " - drm/i915/fence: Mark debug_fence_free() with __maybe_unused", " - gpio: rockchip: fix OF node leak in probe()", " - gpio: modepin: Enable module autoloading", " - riscv: Fix toolchain vector detection", " - riscv: Do not restrict memory size because of linear mapping on nommu", " - membarrier: riscv: Add full memory barrier in switch_mm()", " - [Config] updateconfigs for ARCH_HAS_MEMBARRIER_CALLBACKS", " - x86/mm: Fix PTI for i386 some more", " - btrfs: fix race between direct IO write and fsync when using same 
fd", " - spi: spi-fsl-lpspi: Fix off-by-one in prescale max", " - ALSA: hda/realtek: Enable Mute Led for HP Victus 15-fb1xxx", " - ALSA: hda/realtek - Fix inactive headset mic jack for ASUS Vivobook 15", " X1504VAP", " - fuse: clear PG_uptodate when using a stolen page", " - riscv: misaligned: remove CONFIG_RISCV_M_MODE specific code", " - parisc: Delay write-protection until mark_rodata_ro() call", " - pinctrl: qcom: x1e80100: Bypass PDC wakeup parent for now", " - maple_tree: remove rcu_read_lock() from mt_validate()", " - Revert \"wifi: ath11k: restore country code during resume\"", " - btrfs: qgroup: don't use extent changeset when not needed", " - btrfs: zoned: handle broken write pointer on zones", " - drm/xe/gsc: Do not attempt to load the GSC multiple times", " - drm/amdgpu: always allocate cleared VRAM for GEM allocations", " - drm/amd/display: Lock DC and exit IPS when changing backlight", " - ALSA: hda/realtek: extend quirks for Clevo V5[46]0", " - cgroup/cpuset: Delay setting of CS_CPU_EXCLUSIVE until valid partition", " - virt: sev-guest: Mark driver struct with __refdata to prevent section", " mismatch", " - media: b2c2: flexcop-usb: fix flexcop_usb_memory_req", " - gve: Add adminq mutex lock", " - wifi: rtw89: wow: prevent to send unexpected H2C during download Firmware", " - drm/amdgpu: add missing error handling in function", " amdgpu_gmc_flush_gpu_tlb_pasid", " - crypto: qat - initialize user_input.lock for rate_limiting", " - locking: Add rwsem_assert_held() and rwsem_assert_held_write()", " - fs: don't copy to userspace under namespace semaphore", " - fs: relax permissions for statmount()", " - seccomp: release task filters when the task exits", " - drm/amdgpu/display: handle gfx12 in amdgpu_dm_plane_format_mod_supported", " - can: m_can: Remove m_can_rx_peripheral indirection", " - can: m_can: Do not cancel timer from within timer", " - mm: Provide a means of invalidation without using launder_folio", " - cifs: Fix copy offload to flush 
destination region", " - hwmon: ltc2991: fix register bits defines", " - scripts: fix gfp-translate after ___GFP_*_BITS conversion to an enum", " - ptp: ocp: convert serial ports to array", " - ptp: ocp: adjust sysfs entries to expose tty information", " - ice: check ICE_VSI_DOWN under rtnl_lock when preparing for reset", " - ice: remove ICE_CFG_BUSY locking from AF_XDP code", " - net: xilinx: axienet: Fix race in axienet_stop", " - iommu/vt-d: Remove control over Execute-Requested requests", " - block: don't call bio_uninit from bio_endio", " - tracing/kprobes: Add symbol counting check when module loads", " - perf/x86/intel: Hide Topdown metrics events if the feature is not enumerated", " - PCI: qcom: Override NO_SNOOP attribute for SA8775P RC", " - staging: vchiq_core: Bubble up wait_event_interruptible() return value", " - watchdog: imx7ulp_wdt: keep already running watchdog enabled", " - btrfs: slightly loosen the requirement for qgroup removal", " - drm/amdgpu: add PSP RAS address query command", " - drm/amdgpu: add mutex to protect ras shared memory", " - s390/boot: Do not assume the decompressor range is reserved", " - drm/amdgpu: Fix two reset triggered in a row", " - drm/amdgpu: Add reset_context flag for host FLR", " - drm/amdgpu: Fix amdgpu_device_reset_sriov retry logic", " - fs: only copy to userspace on success in listmount()", " - iio: adc: ad7124: fix DT configuration parsing", " - nvmem: u-boot-env: error if NVMEM device is too small", " - mm: zswap: rename is_zswap_enabled() to zswap_is_enabled()", " - mm/memcontrol: respect zswap.writeback setting from parent cg too", " - path: add cleanup helper", " - fs: simplify error handling", " - fs: relax permissions for listmount()", " - hid: bpf: add BPF_JIT dependency", " - net/mlx5e: SHAMPO, Use KSMs instead of KLMs", " - net/mlx5e: SHAMPO, Fix page leak", " - drm/xe/xe2: Add workaround 14021402888", " - drm/xe/xe2lpg: Extend workaround 14021402888", " - clk: qcom: gcc-x1e80100: Fix USB 0 and 1 PHY 
GDSC pwrsts flags", " - clk: qcom: gcc-x1e80100: Don't use parking clk_ops for QUPs", " - nouveau: fix the fwsec sb verification register.", " - riscv: Add tracepoints for SBI calls and returns", " - riscv: Improve sbi_ecall() code generation by reordering arguments", " - riscv: Fix RISCV_ALTERNATIVE_EARLY", " - cifs: Fix zero_point init on inode initialisation", " - nvme: rename nvme_sc_to_pr_err to nvme_status_to_pr_err", " - nvme: fix status magic numbers", " - nvme: rename CDR/MORE/DNR to NVME_STATUS_*", " - nvmet: Identify-Active Namespace ID List command should reject invalid nsid", " - drm/i915/display: Add mechanism to use sink model when applying quirk", " - drm/i915/display: Increase Fast Wake Sync length as a quirk", " - LoongArch: Use accessors to page table entries instead of direct dereference", " - Upstream stable to v6.6.51, v6.10.10", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46823", " - kunit/overflow: Fix UB in overflow_allocation_test", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46834", " - ethtool: fail closed if we can't get max channel used in indirection tables", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46751", " - btrfs: don't BUG_ON() when 0 reference count at btrfs_lookup_extent_info()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46753", " - btrfs: handle errors from btrfs_dec_ref() properly", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46841", " - btrfs: don't BUG_ON on ENOMEM from btrfs_lookup_extent_info() in", " walk_down_proc()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46754", " - bpf: Remove tst_run from lwt_seg6local_prog_ops.", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46824", " - iommufd: Require drivers to supply the 
cache_invalidate_user ops", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46842", " - scsi: lpfc: Handle mailbox timeouts in lpfc_get_sfp_info", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46766", " - ice: move netif_queue_set_napi to rtnl-protected sections", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46772", " - drm/amd/display: Check denominator crb_pipes before used", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46774", " - powerpc/rtas: Prevent Spectre v1 gadget construction in sys_rtas()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46775", " - drm/amd/display: Validate function returns", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46778", " - drm/amd/display: Check UnboundedRequestEnabled's value", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46779", " - drm/imagination: Free pvr_vm_gpuva after unlink", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46792", " - riscv: misaligned: Restrict user access to kernel memory", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46793", " - ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards harder", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46735", " - ublk_drv: fix NULL pointer dereference in ublk_ctrl_start_recovery()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46737", " - nvmet-tcp: fix kernel crash if commands allocation fails", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46822", " - arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " 
CVE-2024-46713", " - perf/aux: Fix AUX buffer serialization", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46739", " - uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46740", " - binder: fix UAF caused by offsets overwrite", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46741", " - misc: fastrpc: Fix double free of 'buf' in error path", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-47663", " - staging: iio: frequency: ad9834: Validate frequency parameter value", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46832", " - MIPS: cevt-r4k: Don't call get_c0_compare_int if timer irq is installed", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-47668", " - lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46744", " - Squashfs: sanity check symbolic link size", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46745", " - Input: uinput - reject requests with unreasonable number of slots", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46746", " - HID: amd_sfh: free driver_data after destroying hid device", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-47664", " - spi: hisi-kunpeng: Add verification for the max_frequency provided by the", " firmware", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-47665", " - i3c: mipi-i3c-hci: Error out instead on BUG_ON() in IBI DMA setup", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46749", " - Bluetooth: btnxpuart: Fix Null pointer dereference in 
btnxpuart_flush()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46750", " - PCI: Add missing bridge lock to pci_bus_lock()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46752", " - btrfs: replace BUG_ON() with error handling at update_ref_for_cow()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46840", " - btrfs: clean up our handling of refs == 0 in snapshot delete", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46755", " - wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-47666", " - scsi: pm80xx: Set phy->enable_completion only when we wait for it", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46843", " - scsi: ufs: core: Remove SCSI host only if added", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46760", " - wifi: rtw88: usb: schedule rx work after everything is set up", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46761", " - pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46844", " - um: line: always fill *error_out in setup_one_line()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46762", " - xen: privcmd: Fix possible access to a freed kirqfd instance", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46763", " - fou: Fix null-ptr-deref in GRO.", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46765", " - ice: protect XDP configuration with a mutex", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46767", " - net: phy: Fix missing 
of_node_put() for leds", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46768", " - hwmon: (hp-wmi-sensors) Check if WMI event data exists", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46770", " - ice: Add netif_device_attach/detach into PF reset flow", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46771", " - can: bcm: Remove proc entry when dev is unregistered.", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46773", " - drm/amd/display: Check denominator pbn_div before used", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-47667", " - PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46835", " - drm/amdgpu: Fix smatch static checker warning", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46776", " - drm/amd/display: Run DC_LOG_DC after checking link->link_enc", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46836", " - usb: gadget: aspeed_udc: validate endpoint index for ast udc", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46777", " - udf: Avoid excessive partition lengths", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46825", " - wifi: iwlwifi: mvm: use IWL_FW_CHECK for link ID check", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46826", " - ELF: fix kernel.randomize_va_space double read", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46827", " - wifi: ath12k: fix firmware crash due to invalid peer nss", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-47669", " - nilfs2: fix state management in error 
path of log writing function", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46780", " - nilfs2: protect references to superblock parameters exposed in sysfs", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46781", " - nilfs2: fix missing cleanup on rollforward recovery error", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46828", " - sched: sch_cake: fix bulk flow accounting logic for host fairness", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46782", " - ila: call nf_unregister_net_hooks() sooner", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46783", " - tcp_bpf: fix return value of tcp_bpf_sendmsg()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46784", " - net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46785", " - eventfs: Use list_del_rcu() for SRCU protected list variable", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46786", " - fscache: delete fscache_cookie_lru_timer when fscache exits to avoid UAF", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46787", " - userfaultfd: fix checks for huge PMDs", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46838", " - userfaultfd: don't BUG_ON() if khugepaged yanks our page table", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46845", " - tracing/timerlat: Only clear timer if a kthread exists", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46788", " - tracing/osnoise: Use a cpumask to know what threads are kthreads", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", 
" CVE-2024-46846", " - spi: rockchip: Resolve unbalanced runtime PM / system PM handling", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46847", " - mm: vmalloc: ensure vmap_block is initialised before adding to queue", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46791", " - can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46829", " - rtmutex: Drop rt_mutex::wait_lock before scheduling", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46848", " - perf/x86/intel: Limit the period on Haswell", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46794", " - x86/tdx: Fix data leak in mmio_read()", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46795", " - ksmbd: unset the binding mark of a reused connection", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46797", " - powerpc/qspinlock: Fix deadlock in MCS queue", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46830", " - KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46798", " - ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object", " * Noble update: upstream stable patchset 2024-10-29 (LP: #2085849) //", " CVE-2024-46831", " - net: microchip: vcap: Fix use-after-free error in kunit test", " * Navi24 RX6300 light up issue on 6.8 kernel (LP: #2084513)", " - drm/amd/display: Ensure populate uclk in bb construction", " * Noble update: upstream stable patchset 2024-10-18 (LP: #2084941)", " - drm/fb-helper: Don't schedule_work() to flush frame buffer during panic()", " - drm: panel-orientation-quirks: Add quirk for OrangePi Neo", " - scsi: ufs: core: Check 
LSDBS cap when !mcq", " - scsi: ufs: core: Bypass quick recovery if force reset is needed", " - btrfs: tree-checker: validate dref root and objectid", " - ALSA: hda/generic: Add a helper to mute speakers at suspend/shutdown", " - ALSA: hda/conexant: Mute speakers at suspend / shutdown", " - ALSA: ump: Transmit RPN/NRPN message at each MSB/LSB data reception", " - ALSA: ump: Explicitly reset RPN with Null RPN", " - ALSA: seq: ump: Use the common RPN/bank conversion context", " - ALSA: seq: ump: Transmit RPN/NRPN message at each MSB/LSB data reception", " - ALSA: seq: ump: Explicitly reset RPN with Null RPN", " - net/mlx5: DR, Fix 'stack guard page was hit' error in dr_rule", " - ASoC: amd: yc: Support mic on HP 14-em0002la", " - spi: hisi-kunpeng: Add validation for the minimum value of speed_hz", " - i2c: Fix conditional for substituting empty ACPI functions", " - dma-debug: avoid deadlock between dma debug vs printk and netconsole", " - net: usb: qmi_wwan: add MeiG Smart SRM825L", " - ASoC: amd: yc: Support mic on Lenovo Thinkpad E14 Gen 6", " - ASoC: codecs: ES8326: button detect issue", " - selftests: mptcp: userspace pm create id 0 subflow", " - selftests: mptcp: dump userspace addrs list", " - selftests: mptcp: userspace pm get addr tests", " - selftests: mptcp: declare event macros in mptcp_lib", " - selftests: mptcp: join: cannot rm sf if closed", " - selftests: mptcp: add explicit test case for remove/readd", " - selftests: mptcp: join: check re-using ID of unused ADD_ADDR", " - selftests: mptcp: join: check re-adding init endp with != id", " - selftests: mptcp: add mptcp_lib_events helper", " - selftests: mptcp: join: validate event numbers", " - selftests: mptcp: join: check re-re-adding ID 0 signal", " - selftests: mptcp: join: test for flush/re-add endpoints", " - selftests: mptcp: join: disable get and dump addr checks", " - selftests: mptcp: join: stop transfer when check is done (part 2.2)", " - drm/amdgpu: Fix uninitialized variable warning in 
amdgpu_afmt_acr", " - drm/amd/display: Assign linear_pitch_alignment even for VM", " - drm/amdgpu: fix overflowed array index read warning", " - drm/amdgpu/pm: Check the return value of smum_send_msg_to_smc", " - drm/amd/pm: fix uninitialized variable warning", " - drm/amd/pm: fix uninitialized variable warning for smu8_hwmgr", " - drm/amd/pm: fix warning using uninitialized value of max_vid_step", " - drm/amd/pm: Fix negative array index read", " - drm/amd/pm: fix the Out-of-bounds read warning", " - drm/amd/pm: fix uninitialized variable warnings for vega10_hwmgr", " - drm/amdgpu: avoid reading vf2pf info size from FB", " - drm/amd/display: Check gpio_id before used as array index", " - drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6", " - drm/amd/display: Check index for aux_rd_interval before using", " - drm/amd/display: Add array index check for hdcp ddc access", " - drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[]", " - drm/amd/display: Check msg_id before processing transcation", " - drm/amd/display: Fix Coverity INTERGER_OVERFLOW within", " construct_integrated_info", " - drm/amd/display: Fix Coverity INTEGER_OVERFLOW within", " dal_gpio_service_create", " - drm/amd/display: Spinlock before reading event", " - drm/amd/display: Fix Coverity INTEGER_OVERFLOW within", " decide_fallback_link_setting_max_bw_policy", " - drm/amd/display: Ensure index calculation will not overflow", " - drm/amd/display: Skip inactive planes within", " ModeSupportAndSystemConfiguration", " - drm/amd/display: Fix index may exceed array range within", " fpu_update_bw_bounding_box", " - drm/amd/amdgpu: Check tbo resource pointer", " - drm/amd/pm: fix uninitialized variable warnings for vangogh_ppt", " - drm/amdgpu/pm: Fix uninitialized variable warning for smu10", " - drm/amdgpu/pm: Fix uninitialized variable agc_btc_response", " - drm/amdgpu: Fix the uninitialized variable warning", " - drm/amdkfd: Check debug trap enable before write 
dbg_ev_file", " - drm/amdkfd: Reconcile the definition and use of oem_id in struct", " kfd_topology_device", " - apparmor: fix possible NULL pointer dereference", " - wifi: ath12k: initialize 'ret' in ath12k_qmi_load_file_target_mem()", " - wifi: ath11k: initialize 'ret' in ath11k_qmi_load_file_target_mem()", " - drm/amdgpu/pm: Check input value for CUSTOM profile mode setting on legacy", " SOCs", " - drm/amdgpu: Fix the warning division or modulo by zero", " - drm/amdgpu: fix dereference after null check", " - drm/amdgpu: fix the waring dereferencing hive", " - drm/amd/pm: check specific index for aldebaran", " - drm/amd/pm: check specific index for smu13", " - drm/amdgpu: the warning dereferencing obj for nbio_v7_4", " - drm/amd/pm: check negtive return for table entries", " - wifi: rtw89: ser: avoid multiple deinit on same CAM", " - drm/kfd: Correct pinned buffer handling at kfd restore and validate process", " - drm/amdgpu: update type of buf size to u32 for eeprom functions", " - wifi: iwlwifi: remove fw_running op", " - cpufreq: scmi: Avoid overflow of target_freq in fast switch", " - PCI: al: Check IORESOURCE_BUS existence during probe", " - wifi: mac80211: check ieee80211_bss_info_change_notify() against MLD", " - hwspinlock: Introduce hwspin_lock_bust()", " - soc: qcom: smem: Add qcom_smem_bust_hwspin_lock_by_host()", " - RDMA/efa: Properly handle unexpected AQ completions", " - ionic: fix potential irq name truncation", " - pwm: xilinx: Fix u32 overflow issue in 32-bit width PWM mode.", " - rcu/nocb: Remove buggy bypass lock contention mitigation", " - media: v4l2-cci: Always assign *val", " - usbip: Don't submit special requests twice", " - usb: typec: ucsi: Fix null pointer dereference in trace", " - fsnotify: clear PARENT_WATCHED flags lazily", " - net: remove NULL-pointer net parameter in ip_metrics_convert", " - drm/amdgu: fix Unintentional integer overflow for mall size", " - regmap: spi: Fix potential off-by-one when calculating reserved size", " - 
smack: tcp: ipv4, fix incorrect labeling", " - platform/chrome: cros_ec_lpc: MEC access can use an AML mutex", " - net/mlx5e: SHAMPO, Fix incorrect page release", " - drm/meson: plane: Add error handling", " - crypto: stm32/cryp - call finalize with bh disabled", " - gfs2: Revert \"Add quota_change type\"", " - drm/bridge: tc358767: Check if fully initialized before signalling HPD event", " via IRQ", " - dmaengine: altera-msgdma: use irq variant of spin_lock/unlock while invoking", " callbacks", " - dmaengine: altera-msgdma: properly free descriptor in msgdma_free_descriptor", " - hwmon: (k10temp) Check return value of amd_smn_read()", " - wifi: cfg80211: make hash table duplicates more survivable", " - f2fs: fix to do sanity check on blocks for inline_data inode", " - driver: iio: add missing checks on iio_info's callback access", " - block: remove the blk_flush_integrity call in blk_integrity_unregister", " - drm/amdgpu: add skip_hw_access checks for sriov", " - drm/amdgpu: add lock in amdgpu_gart_invalidate_tlb", " - drm/amdgpu: add lock in kfd_process_dequeue_from_device", " - drm/amd/display: Don't use fsleep for PSR exit waits on dmub replay", " - drm/amd/display: added NULL check at start of dc_validate_stream", " - drm/amd/display: Correct the defined value for AMDGPU_DMUB_NOTIFICATION_MAX", " - drm/amd/display: use preferred link settings for dp signal only", " - drm/amd/display: Check BIOS images before it is used", " - drm/amd/display: Skip wbscl_set_scaler_filter if filter is null", " - media: uvcvideo: Enforce alignment of frame and interval", " - virtio_net: Fix napi_skb_cache_put warning", " - i2c: Use IS_REACHABLE() for substituting empty ACPI functions", " - btrfs: factor out stripe length calculation into a helper", " - btrfs: scrub: update last_physical after scrubbing one stripe", " - btrfs: fix qgroup reserve leaks in cow_file_range", " - virtio-net: check feature before configuring the vq coalescing command", " - drm/amd/display: Handle the 
case which quad_part is equal 0", " - drm/amdgpu: Handle sg size limit for contiguous allocation", " - drm/amd/pm: fix uninitialized variable warning for smu_v13", " - drm/amdgpu: fix uninitialized scalar variable warning", " - drm/amd/display: Ensure array index tg_inst won't be -1", " - drm/amd/display: handle invalid connector indices", " - drm/amd/display: Increase MAX_LINKS by 2", " - drm/amd/display: Stop amdgpu_dm initialize when link nums greater than", " max_links", " - drm/amd/display: Fix incorrect size calculation for loop", " - drm/amd/display: Use kcalloc() instead of kzalloc()", " - drm/amd/display: Add missing NULL pointer check within", " dpcd_extend_address_range", " - drm/amd/display: Release state memory if amdgpu_dm_create_color_properties", " fail", " - drm/amd/display: Check link_index before accessing dc->links[]", " - drm/amd/display: Add otg_master NULL check within", " resource_log_pipe_topology_update", " - drm/amd/display: Release clck_src memory if clk_src_construct fails", " - drm/amd/display: Fix writeback job lock evasion within dm_crtc_high_irq", " - drm/xe: Demote CCS_MODE info to debug only", " - drm/drm-bridge: Drop conditionals around of_node pointers", " - drm/amdgpu: fix uninitialized variable warning for amdgpu_xgmi", " - drm/amdgpu: fix uninitialized variable warning for jpeg_v4", " - drm/amdgpu: Fix uninitialized variable warning in amdgpu_info_ioctl", " - wifi: ath12k: initialize 'ret' in ath12k_dp_rxdma_ring_sel_config_wcn7850()", " - drm/amdgpu/pm: Check input value for power profile setting on smu11, smu13", " and smu14", " - drm/xe: Fix the warning conditions", " - drm/amd/display: Fix pipe addition logic in calc_blocks_to_ungate DCN35", " - wifi: cfg80211: restrict operation during radar detection", " - remoteproc: qcom_q6v5_pas: Add hwspinlock bust on stop", " - tcp: annotate data-races around tw->tw_ts_recent and tw->tw_ts_recent_stamp", " - drm/xe: Don't overmap identity VRAM mapping", " - net: tcp/dccp: prepare 
for tw_timer un-pinning", " - drm/xe: Ensure caller uses sole domain for xe_force_wake_assert_held", " - drm/xe: Check valid domain is passed in xe_force_wake_ref", " - thermal: trip: Use READ_ONCE() for lockless access to trip properties", " - drm/xe: Add GuC state asserts to deregister_exec_queue", " - drm/amdgpu: fix overflowed constant warning in mmhub_set_clockgating()", " - drm/amd/display: Remove register from DCN35 DMCUB diagnostic collection", " - drm/amd/display: Disable DMCUB timeout for DCN35", " - drm/amd/display: Avoid overflow from uint32_t to uint8_t", " - pinctrl: core: reset gpio_device in loop in pinctrl_pins_show()", " - Upstream stable to v6.6.50, v6.10.9", " * CVE-2024-46747", " - HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup", " * CVE-2024-46725", " - drm/amdgpu: Fix out-of-bounds write warning", " * CVE-2024-46724", " - drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number", " * [SRU] Fix AST DP output after resume (LP: #2083022)", " - drm/ast: Inline drm_simple_encoder_init()", " - drm/ast: Implement atomic enable/disable for encoders", " - drm/ast: Program mode for AST DP in atomic_mode_set", " - drm/ast: Move mode-setting code into mode_set_nofb CRTC helper", " - drm/ast: Handle primary-plane format setup in atomic_update", " - drm/ast: Remove gamma LUT updates from DPMS code", " - drm/ast: Only set VGA SCREEN_DISABLE bit in CRTC code", " - drm/ast: Inline ast_crtc_dpms() into callers", " - drm/ast: Use drm_atomic_helper_commit_tail() helper", " * UBSAN array-index-out-of-bounds reported with N-6.8 on P9 node baltar", " (LP: #2078038)", " - scripts/kernel-doc: reindent", " - compiler_types: add Endianness-dependent __counted_by_{le, be}", " - scsi: aacraid: union aac_init: Replace 1-element array with flexible array", " - scsi: aacraid: struct aac_ciss_phys_luns_resp: Replace 1-element array with", " flexible array", " - scsi: aacraid: Rearrange order of struct aac_srb_unit", " - scsi: aacraid: struct {user, 
}sgmap{, 64, raw}: Replace 1-element arrays", " with flexible arrays", " * r8169: transmit queue 0 timed out error when re-plugging the Ethernet cable", " (LP: #2084526)", " - r8169: disable ALDPS per default for RTL8125", " * [SRU] cpufreq: intel_pstate: Support Emerald Rapids OOB mode (LP: #2084834)", " - cpufreq: intel_pstate: Support Emerald Rapids OOB mode", " * CVE-2024-46723", " - drm/amdgpu: fix ucode out-of-bounds read warning", " * CVE-2024-46743", " - of/irq: Prevent device address out-of-bounds read in interrupt map walk", " * CVE-2024-46757", " - hwmon: (nct6775-core) Fix underflows seen when writing limit attributes", " * [SRU] Ubuntu 24.04 - GPU cannot be installed with DL380a Gen12 (2P, SRF-SP)", " (LP: #2081079)", " - perf/x86/uncore: Save the unit control address of all units", " - perf/x86/uncore: Support per PMU cpumask", " - perf/x86/uncore: Retrieve the unit ID from the unit control RB tree", " - perf/x86/uncore: Apply the unit control RB tree to MMIO uncore units", " - perf/x86/uncore: Apply the unit control RB tree to MSR uncore units", " - perf/x86/uncore: Apply the unit control RB tree to PCI uncore units", " - perf/x86/uncore: Cleanup unused unit structure", " - perf/x86/intel/uncore: Support HBM and CXL PMON counters", " * Noble update: upstream stable patchset 2024-10-11 (LP: #2084225)", " - ALSA: seq: Skip event type filtering for UMP events", " - LoongArch: Remove the unused dma-direct.h", " - btrfs: fix a use-after-free when hitting errors inside btrfs_submit_chunk()", " - btrfs: run delayed iputs when flushing delalloc", " - smb/client: avoid dereferencing rdata=NULL in smb2_new_read_req()", " - pinctrl: rockchip: correct RK3328 iomux width flag for GPIO2-B pins", " - pinctrl: single: fix potential NULL dereference in pcs_get_function()", " - wifi: wfx: repair open network AP mode", " - wifi: mwifiex: duplicate static structs used in driver instances", " - net: mana: Fix race of mana_hwc_post_rx_wqe and new hwc response", " - mptcp: 
close subflow when receiving TCP+FIN", " - mptcp: sched: check both backup in retrans", " - mptcp: pm: reuse ID 0 after delete and re-add", " - mptcp: pm: skip connecting to already established sf", " - mptcp: pm: reset MPC endp ID when re-added", " - mptcp: pm: send ACK on an active subflow", " - mptcp: pm: do not remove already closed subflows", " - mptcp: pm: fix ID 0 endp usage after multiple re-creations", " - mptcp: pm: ADD_ADDR 0 is not a new address", " - selftests: mptcp: join: check removing ID 0 endpoint", " - selftests: mptcp: join: no extra msg if no counter", " - selftests: mptcp: join: check re-re-adding ID 0 endp", " - drm/amdgpu/swsmu: always force a state reprogram on init", " - drm/vmwgfx: Fix prime with external buffers", " - usb: typec: fix up incorrectly backported \"usb: typec: tcpm: unregister", " existing source caps before re-registration\"", " - ASoC: amd: acp: fix module autoloading", " - ASoC: SOF: amd: Fix for acp init sequence", " - pinctrl: mediatek: common-v2: Fix broken bias-disable for", " PULL_PU_PD_RSEL_TYPE", " - pinctrl: starfive: jh7110: Correct the level trigger configuration of iev", " register", " - ovl: pass string to ovl_parse_layer()", " - ovl: fix wrong lowerdir number check for parameter Opt_lowerdir", " - ovl: ovl_parse_param_lowerdir: Add missed '\\n' for pr_err", " - mm: Fix missing folio invalidation calls during truncation", " - cifs: Fix FALLOC_FL_PUNCH_HOLE support", " - selinux,smack: don't bypass permissions check in inode_setsecctx hook", " - iommufd: Do not allow creating areas without READ or WRITE", " - phy: fsl-imx8mq-usb: fix tuning parameter name", " - dmaengine: dw-edma: Fix unmasking STOP and ABORT interrupts for HDMA", " - dmaengine: dw-edma: Do not enable watermark interrupts for HDMA", " - phy: xilinx: phy-zynqmp: Fix SGMII linkup failure on resume", " - dmaengine: dw: Add peripheral bus width verification", " - dmaengine: dw: Add memory bus width verification", " - Bluetooth: btnxpuart: Resolve 
TX timeout error in power save stress test", " - Bluetooth: btnxpuart: Handle FW Download Abort scenario", " - Bluetooth: btnxpuart: Fix random crash seen while removing driver", " - Bluetooth: hci_core: Fix not handling hibernation actions", " - iommu: Do not return 0 from map_pages if it doesn't do anything", " - netfilter: nf_tables: restore IP sanity checks for netdev/egress", " - wifi: iwlwifi: fw: fix wgds rev 3 exact size", " - ethtool: check device is present when getting link settings", " - netfilter: nf_tables_ipv6: consider network offset in netdev/egress", " validation", " - selftests: forwarding: no_forwarding: Down ports on cleanup", " - selftests: forwarding: local_termination: Down ports on cleanup", " - bonding: implement xdo_dev_state_free and call it after deletion", " - bonding: extract the use of real_device into local variable", " - bonding: change ipsec_lock from spin lock to mutex", " - gtp: fix a potential NULL pointer dereference", " - sctp: fix association labeling in the duplicate COOKIE-ECHO case", " - drm/amd/display: avoid using null object of framebuffer", " - net: busy-poll: use ktime_get_ns() instead of local_clock()", " - nfc: pn533: Add poll mod list filling check", " - soc: qcom: cmd-db: Map shared memory as WC, not WB", " - soc: qcom: pmic_glink: Actually communicate when remote goes down", " - soc: qcom: pmic_glink: Fix race during initialization", " - cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller", " - scsi: sd: Ignore command SYNCHRONIZE CACHE error if format in progress", " - USB: serial: option: add MeiG Smart SRM825L", " - ARM: dts: imx6dl-yapp43: Increase LED current to match the yapp4 HW design", " - usb: dwc3: omap: add missing depopulate in probe error path", " - usb: dwc3: core: Prevent USB core invalid event buffer address access", " - usb: dwc3: st: fix probed platform device ref count on probe error path", " - usb: dwc3: st: add missing depopulate in probe error path", " - usb: core: sysfs: 
Unmerge @usb3_hardware_lpm_attr_group in", " remove_power_attributes()", " - usb: cdnsp: fix incorrect index in cdnsp_get_hw_deq function", " - usb: cdnsp: fix for Link TRB with TC", " - ARM: dts: omap3-n900: correct the accelerometer orientation", " - arm64: dts: imx8mp-beacon-kit: Fix Stereo Audio on WM8962", " - arm64: dts: imx93: add nvmem property for fec1", " - arm64: dts: imx93: add nvmem property for eqos", " - arm64: dts: imx93: update default value for snps,clk-csr", " - arm64: dts: freescale: imx93-tqma9352: fix CMA alloc-ranges", " - arm64: dts: freescale: imx93-tqma9352-mba93xxla: fix typo", " - scsi: aacraid: Fix double-free on probe failure", " - apparmor: fix policy_unpack_test on big endian systems", " - mptcp: pr_debug: add missing \\n at the end", " - mptcp: make pm_remove_addrs_and_subflows static", " - mptcp: pm: fix RM_ADDR ID for the initial subflow", " - mptcp: avoid duplicated SUB_CLOSED events", " - drm/i915/dsi: Make Lenovo Yoga Tab 3 X90F DMI match less strict", " - drm/vmwgfx: Prevent unmapping active read buffers", " - drm/vmwgfx: Disable coherent dumb buffers without 3d", " - firmware/sysfb: Set firmware-framebuffer parent device", " - firmware/sysfb: Create firmware device only for enabled PCI devices", " - video/aperture: optionally match the device in sysfb_disable()", " - drm/xe: Prepare display for D3Cold", " - drm/xe/display: Make display suspend/resume work on discrete", " - drm/xe/vm: Simplify if condition", " - drm/xe/exec_queue: Rename xe_exec_queue::compute to xe_exec_queue::lr", " - drm/xe: prevent UAF around preempt fence", " - pinctrl: qcom: x1e80100: Update PDC hwirq map", " - ASoC: SOF: amd: move iram-dram fence register programming sequence", " - nfsd: ensure that nfsd4_fattr_args.context is zeroed out", " - backing-file: convert to using fops->splice_write", " - pinctrl: qcom: x1e80100: Fix special pin offsets", " - afs: Fix post-setattr file edit to do truncation correctly", " - netfs: Fix netfs_release_folio() to 
say no if folio dirty", " - netfs: Fix missing iterator reset on retry of short read", " - dmaengine: ti: omap-dma: Initialize sglen after allocation", " - pktgen: use cpus_read_lock() in pg_net_init()", " - net_sched: sch_fq: fix incorrect behavior for small weights", " - tcp: fix forever orphan socket caused by tcp_abort", " - drm/xe/hwmon: Fix WRITE_I1 param from u32 to u16", " - usb: typec: fsa4480: Relax CHIP_ID check", " - firmware: qcom: scm: Mark get_wq_ctx() as atomic call", " - usb: gadget: uvc: queue pump work in uvcg_video_enable()", " - usb: dwc3: xilinx: add missing depopulate in probe error path", " - usb: typec: ucsi: Move unregister out of atomic section", " - firmware: microchip: fix incorrect error report of programming:timeout on", " success", " - Upstream stable to v6.6.49, v6.10.8", " * Fix blank screen on external display after reconnecting the USB type-C", " (LP: #2081786) // Noble update: upstream stable patchset 2024-10-11", " (LP: #2084225)", " - drm/i915/display: add intel_display -> drm_device backpointer", " - drm/i915/display: add generic to_intel_display() macro", " - drm/i915/dp_mst: Fix MST state after a sink reset", " * Noble update: upstream stable patchset 2024-10-09 (LP: #2084005)", " - tty: serial: fsl_lpuart: mark last busy before uart_add_one_port", " - tty: atmel_serial: use the correct RTS flag.", " - Revert \"ACPI: EC: Evaluate orphan _REG under EC device\"", " - Revert \"misc: fastrpc: Restrict untrusted app to attach to privileged PD\"", " - Revert \"usb: typec: tcpm: clear pd_event queue in PORT_RESET\"", " - selinux: revert our use of vma_is_initial_heap()", " - fuse: Initialize beyond-EOF page contents before setting uptodate", " - char: xillybus: Don't destroy workqueue from work item running on it", " - char: xillybus: Refine workqueue handling", " - char: xillybus: Check USB endpoints when probing device", " - ALSA: usb-audio: Add delay quirk for VIVO USB-C-XE710 HEADSET", " - ALSA: usb-audio: Support Yamaha P-125 
quirk entry", " - xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration", " - thunderbolt: Mark XDomain as unplugged when router is removed", " - ALSA: hda/tas2781: fix wrong calibrated data order", " - s390/dasd: fix error recovery leading to data corruption on ESE devices", " - KVM: s390: fix validity interception issue when gisa is switched off", " - riscv: change XIP's kernel_map.size to be size of the entire kernel", " - i2c: tegra: Do not mark ACPI devices as irq safe", " - ACPICA: Add a depth argument to acpi_execute_reg_methods()", " - ACPI: EC: Evaluate _REG outside the EC scope more carefully", " - arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to", " NUMA_NO_NODE", " - dm resume: don't return EINVAL when signalled", " - dm persistent data: fix memory allocation failure", " - fs/ntfs3: add prefix to bitmap_size() and use BITS_TO_U64()", " - s390/cio: rename bitmap_size() -> idset_bitmap_size()", " - btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits()", " - bitmap: introduce generic optimized bitmap_size()", " - fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE", " - i2c: qcom-geni: Add missing geni_icc_disable in geni_i2c_runtime_resume", " - rtla/osnoise: Prevent NULL dereference in error handling", " - net: mana: Fix RX buf alloc_size alignment and atomic op panic", " - net: mana: Fix doorbell out of order violation and avoid unnecessary", " doorbell rings", " - wifi: brcmfmac: cfg80211: Handle SSID based pmksa deletion", " - selinux: fix potential counting error in avc_add_xperms_decision()", " - selinux: add the processing of the failure of avc_add_xperms_decision()", " - mm/memory-failure: use raw_spinlock_t in struct memory_failure_cpu", " - btrfs: tree-checker: reject BTRFS_FT_UNKNOWN dir type", " - btrfs: zoned: properly take lock to read/update block group's zoned", " variables", " - btrfs: tree-checker: add dev extent item checks", " - drm/amdgpu: Actually check flags for all context ops.", 
" - memcg_write_event_control(): fix a user-triggerable oops", " - drm/amdgpu/jpeg2: properly set atomics vmid field", " - drm/amdgpu/jpeg4: properly set atomics vmid field", " - s390/uv: Panic for set and remove shared access UVC errors", " - bpf: Fix updating attached freplace prog in prog_array map", " - igc: Fix packet still tx after gate close by reducing i226 MAC retry buffer", " - igc: Fix qbv_config_change_errors logics", " - igc: Fix reset adapter logics when tx mode change", " - net/mlx5e: Take state lock during tx timeout reporter", " - net/mlx5e: Correctly report errors for ethtool rx flows", " - net: axienet: Fix register defines comment description", " - net: dsa: vsc73xx: pass value in phy_write operation", " - net: dsa: vsc73xx: use read_poll_timeout instead delay loop", " - net: dsa: vsc73xx: check busy flag in MDIO operations", " - net: ethernet: mtk_wed: fix use-after-free panic in", " mtk_wed_setup_tc_block_cb()", " - mlxbf_gige: disable RX filters until RX path initialized", " - mptcp: correct MPTCP_SUBFLOW_ATTR_SSN_OFFSET reserved size", " - tcp: Update window clamping condition", " - netfilter: allow ipv6 fragments to arrive on different devices", " - netfilter: flowtable: initialise extack before use", " - netfilter: nf_queue: drop packets with cloned unconfirmed conntracks", " - netfilter: nf_tables: Audit log dump reset after the fact", " - netfilter: nf_tables: Introduce nf_tables_getobj_single", " - netfilter: nf_tables: Add locking for NFT_MSG_GETOBJ_RESET requests", " - vsock: fix recursive ->recvmsg calls", " - selftests: net: lib: ignore possible errors", " - selftests: net: lib: kill PIDs before del netns", " - net: hns3: fix wrong use of semaphore up", " - net: hns3: use the user's cfg after reset", " - net: hns3: fix a deadlock problem when config TC during resetting", " - gpio: mlxbf3: Support shutdown() function", " - ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7", " - rust: work around `bindgen` 0.69.0 
issue", " - rust: suppress error messages from CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT", " - rust: fix the default format for CONFIG_{RUSTC,BINDGEN}_VERSION_TEXT", " - cpu/SMT: Enable SMT only if a core is online", " - powerpc/topology: Check if a core is online", " - arm64: Fix KASAN random tag seed initialization", " - block: Fix lockdep warning in blk_mq_mark_tag_wait", " - wifi: ath12k: Add missing qmi_txn_cancel() calls", " - quota: Remove BUG_ON from dqget()", " - riscv: blacklist assembly symbols for kprobe", " - kernfs: fix false-positive WARN(nr_mmapped) in kernfs_drain_open_files", " - media: pci: cx23885: check cx23885_vdev_init() return", " - fs: binfmt_elf_efpic: don't use missing interpreter's properties", " - scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list()", " - media: drivers/media/dvb-core: copy user arrays safely", " - wifi: iwlwifi: mvm: avoid garbage iPN", " - net/sun3_82586: Avoid reading past buffer in debug output", " - drm/lima: set gp bus_stop bit before hard reset", " - gpio: sysfs: extend the critical section for unregistering sysfs devices", " - hrtimer: Select housekeeping CPU during migration", " - virtiofs: forbid newlines in tags", " - accel/habanalabs: fix debugfs files permissions", " - clocksource/drivers/arm_global_timer: Guard against division by zero", " - tick: Move got_idle_tick away from common flags", " - netlink: hold nlk->cb_mutex longer in __netlink_dump_start()", " - md: clean up invalid BUG_ON in md_ioctl", " - x86: Increase brk randomness entropy for 64-bit systems", " - memory: stm32-fmc2-ebi: check regmap_read return value", " - parisc: Use irq_enter_rcu() to fix warning at kernel/context_tracking.c:367", " - rxrpc: Don't pick values out of the wire header when setting up security", " - f2fs: stop checkpoint when get a out-of-bounds segment", " - powerpc/boot: Handle allocation failure in simple_realloc()", " - powerpc/boot: Only free if realloc() succeeds", " - btrfs: delayed-inode: drop 
pointless BUG_ON in __btrfs_remove_delayed_item()", " - btrfs: defrag: change BUG_ON to assertion in btrfs_defrag_leaves()", " - btrfs: change BUG_ON to assertion when checking for delayed_node root", " - btrfs: push errors up from add_async_extent()", " - btrfs: handle invalid root reference found in may_destroy_subvol()", " - btrfs: send: handle unexpected data in header buffer in begin_cmd()", " - btrfs: send: handle unexpected inode in header process_recorded_refs()", " - btrfs: change BUG_ON to assertion in tree_move_down()", " - btrfs: delete pointless BUG_ON check on quota root in", " btrfs_qgroup_account_extent()", " - f2fs: fix to do sanity check in update_sit_entry", " - usb: gadget: fsl: Increase size of name buffer for endpoints", " - nvme: clear caller pointer on identify failure", " - Bluetooth: bnep: Fix out-of-bound access", " - firmware: cirrus: cs_dsp: Initialize debugfs_root to invalid", " - rtc: nct3018y: fix possible NULL dereference", " - net: hns3: add checking for vf id of mailbox", " - nvmet-tcp: do not continue for invalid icreq", " - NFS: avoid infinite loop in pnfs_update_layout.", " - openrisc: Call setup_memory() earlier in the init sequence", " - s390/iucv: fix receive buffer virtual vs physical address confusion", " - irqchip/renesas-rzg2l: Do not set TIEN and TINT source at the same time", " - platform/x86: lg-laptop: fix %s null argument warning", " - usb: dwc3: core: Skip setting event buffers for host only controllers", " - irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc", " - ext4: set the type of max_zeroout to unsigned int to avoid overflow", " - nvmet-rdma: fix possible bad dereference when freeing rsps", " - selftests/bpf: Fix a few tests for GCC related warnings.", " - Revert \"bpf, sockmap: Prevent lock inversion deadlock in map delete elem\"", " - nvme: use srcu for iterating namespace list", " - drm/amdgpu: fix dereference null return value for the function", " amdgpu_vm_pt_parent", " - hrtimer: Prevent 
queuing of hrtimer without a function callback", " - nvme: fix namespace removal list", " - gtp: pull network headers in gtp_dev_xmit()", " - riscv: entry: always initialize regs->a0 to -ENOSYS", " - smb3: fix lock breakage for cached writes", " - dm suspend: return -ERESTARTSYS instead of -EINTR", " - selftests: memfd_secret: don't build memfd_secret test on unsupported arches", " - mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order", " fallback to order 0", " - btrfs: send: allow cloning non-aligned extent if it ends at i_size", " - drm/amd/amdgpu: command submission parser for JPEG", " - platform/surface: aggregator: Fix warning when controller is destroyed in", " probe", " - ALSA: hda/tas2781: Use correct endian conversion", " - Bluetooth: hci_core: Fix LE quote calculation", " - Bluetooth: SMP: Fix assumption of Central always being Initiator", " - net: mscc: ocelot: use ocelot_xmit_get_vlan_info() also for FDMA and", " register injection", " - net: mscc: ocelot: fix QoS class for injected packets with \"ocelot-8021q\"", " - net: mscc: ocelot: serialize access to the injection/extraction groups", " - tc-testing: don't access non-existent variable on exception", " - selftests: udpgro: report error when receive failed", " - tcp/dccp: bypass empty buckets in inet_twsk_purge()", " - tcp/dccp: do not care about families in inet_twsk_purge()", " - tcp: prevent concurrent execution of tcp_sk_exit_batch", " - net: mctp: test: Use correct skb for route input check", " - kcm: Serialise kcm_sendmsg() for the same socket.", " - netfilter: nft_counter: Disable BH in nft_counter_offload_stats().", " - netfilter: nft_counter: Synchronize nft_counter_reset() against reader.", " - ip6_tunnel: Fix broken GRO", " - bonding: fix bond_ipsec_offload_ok return type", " - bonding: fix null pointer deref in bond_ipsec_offload_ok", " - bonding: fix xfrm real_dev null pointer dereference", " - bonding: fix xfrm state handling when clearing active slave", " - ice: fix 
page reuse when PAGE_SIZE is over 8k", " - ice: fix ICE_LAST_OFFSET formula", " - ice: fix truesize operations for PAGE_SIZE >= 8192", " - dpaa2-switch: Fix error checking in dpaa2_switch_seed_bp()", " - igb: cope with large MAX_SKB_FRAGS", " - net: dsa: mv88e6xxx: Fix out-of-bound access", " - udp: fix receiving fraglist GSO packets", " - ipv6: fix possible UAF in ip6_finish_output2()", " - ipv6: prevent possible UAF in ip6_xmit()", " - bnxt_en: Fix double DMA unmapping for XDP_REDIRECT", " - netfilter: flowtable: validate vlan header", " - octeontx2-af: Fix CPT AF register offset calculation", " - net: xilinx: axienet: Always disable promiscuous mode", " - net: xilinx: axienet: Fix dangling multicast addresses", " - net: ovs: fix ovs_drop_reasons error", " - drm/msm/dpu: don't play tricks with debug macros", " - drm/msm/dp: fix the max supported bpp logic", " - drm/msm/dpu: split dpu_encoder_wait_for_event into two functions", " - drm/msm/dpu: capture snapshot on the first commit_done timeout", " - drm/msm/dpu: move dpu_encoder's connector assignment to atomic_enable()", " - drm/msm/dp: reset the link phy params before link training", " - drm/msm/dpu: cleanup FB if dpu_format_populate_layout fails", " - drm/msm/dpu: take plane rotation into account for wide planes", " - drm/msm: fix the highest_bank_bit for sc7180", " - mmc: mmc_test: Fix NULL dereference on allocation failure", " - Bluetooth: MGMT: Add error handling to pair_device()", " - scsi: core: Fix the return value of scsi_logical_block_count()", " - ksmbd: the buffer of smb2 query dir response has at least 1 byte", " - drm/amdgpu: Validate TA binary size", " - net: dsa: microchip: fix PTP config failure when using multiple ports", " - MIPS: Loongson64: Set timer mode in cpu-probe", " - HID: wacom: Defer calculation of resolution until resolution_code is known", " - Input: i8042 - add forcenorestore quirk to leave controller untouched even", " on s3", " - Input: i8042 - use new forcenorestore quirk to 
replace old buggy quirk", " combination", " - cxgb4: add forgotten u64 ivlan cast before shift", " - KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3", " - mmc: mtk-sd: receive cmd8 data when hs400 tuning fail", " - mmc: dw_mmc: allow biu and ciu clocks to defer", " - smb3: fix broken cached reads when posix locks", " - pmdomain: imx: scu-pd: Remove duplicated clocks", " - pmdomain: imx: wait SSAR when i.MX93 power domain on", " - nouveau/firmware: use dma non-coherent allocator", " - mptcp: pm: re-using ID of unused removed ADD_ADDR", " - mptcp: pm: re-using ID of unused removed subflows", " - mptcp: pm: re-using ID of unused flushed subflows", " - mptcp: pm: remove mptcp_pm_remove_subflow()", " - mptcp: pm: only mark 'subflow' endp as available", " - mptcp: pm: only decrement add_addr_accepted for MPJ req", " - mptcp: pm: check add_addr_accept_max before accepting new ADD_ADDR", " - mptcp: pm: only in-kernel cannot have entries with ID 0", " - mptcp: pm: fullmesh: select the right ID later", " - mptcp: pm: avoid possible UaF when selecting endp", " - selftests: mptcp: join: validate fullmesh endp on 1st sf", " - selftests: mptcp: join: restrict fullmesh endp on 1st sf", " - selftests: mptcp: join: check re-using ID of closed subflow", " - tcp: do not export tcp_twsk_purge()", " - drm/msm/mdss: specify cfg bandwidth for SDM670", " - drm/panel: nt36523: Set 120Hz fps for xiaomi,elish panels", " - igc: Fix qbv tx latency by setting gtxoffset", " - ALSA: timer: Relax start tick time check for slave timer elements", " - bpf: Fix a kernel verifier crash in stacksafe()", " - selftests/bpf: Add a test to verify previous stacksafe() fix", " - Revert \"s390/dasd: Establish DMA alignment\"", " - Input: MT - limit max slots", " - tools: move alignment-related macros to new ", " - Revert \"serial: 8250_omap: Set the console genpd always on if no console", " suspend\"", " - usb: misc: ljca: Add Lunar Lake ljca GPIO HID to ljca_gpio_hids[]", " - usb: xhci: Check 
for xhci->interrupters being allocated in", " xhci_mem_clearup()", " - vfs: Don't evict inode under the inode lru traversing context", " - tracing: Return from tracing_buffers_read() if the file has been closed", " - mm: fix endless reclaim on machines with unaccepted memory", " - fs/netfs/fscache_cookie: add missing \"n_accesses\" check", " - mm/numa: no task_numa_fault() call if PMD is changed", " - mm/numa: no task_numa_fault() call if PTE is changed", " - btrfs: check delayed refs when we're checking if a ref exists", " - drm/amd/display: Adjust cursor position", " - drm/amd/display: fix s2idle entry for DCN3.5+", " - drm/amd/display: Enable otg synchronization logic for DCN321", " - drm/amd/display: fix cursor offset on rotation 180", " - netfs: Fault in smaller chunks for non-large folio mappings", " - libfs: fix infinite directory reads for offset dir", " - kallsyms: Avoid weak references for kallsyms symbols", " - kbuild: avoid unneeded kallsyms step 3", " - kbuild: refactor variables in scripts/link-vmlinux.sh", " - kbuild: remove PROVIDE() for kallsyms symbols", " - kallsyms: get rid of code for absolute kallsyms", " - [Config] Remove CONFIG_KALLSYMS_BASE_RELATIVE", " - kallsyms: Do not cleanup .llvm. 
suffix before sorting symbols", " - bpf: Replace deprecated strncpy with strscpy", " - kallsyms: replace deprecated strncpy with strscpy", " - kallsyms: rework symbol lookup return codes", " - kallsyms: Match symbols exactly with CONFIG_LTO_CLANG", " - drm/v3d: Fix out-of-bounds read in `v3d_csd_job_run()`", " - drm/amd/display: Don't register panel_power_savings on OLED panels", " - wifi: ath12k: use 128 bytes aligned iova in transmit path for WCN7850", " - kbuild: merge temporary vmlinux for BTF and kallsyms", " - kbuild: avoid scripts/kallsyms parsing /dev/null", " - Bluetooth: HCI: Invert LE State quirk to be opt-out rather then opt-in", " - net/mlx5: Fix IPsec RoCE MPV trace call", " - selftests: udpgro: no need to load xdp for gro", " - ice: use internal pf id instead of function number", " - drm/msm/dpu: limit QCM2290 to RGB formats only", " - drm/msm/dpu: relax YUV requirements", " - spi: spi-cadence-quadspi: Fix OSPI NOR failures during system resume", " - drm/xe/display: stop calling domains_driver_remove twice", " - drm/xe: Fix opregion leak", " - drm/xe/mmio: move mmio_fini over to devm", " - drm/xe: reset mmio mappings with devm", " - drm/xe: Fix tile fini sequence", " - drm/xe: Fix missing workqueue destroy in xe_gt_pagefault", " - drm/xe: Free job before xe_exec_queue_put", " - thermal/debugfs: Fix the NULL vs IS_ERR() confusion in debugfs_create_dir()", " - nvme: move stopping keep-alive into nvme_uninit_ctrl()", " - drm/amdgpu/sdma5.2: limit wptr workaround to sdma 5.2.1", " - s390/ap: Refine AP bus bindings complete processing", " - net: ngbe: Fix phy mode set to external phy", " - iommufd/device: Fix hwpt at err_unresv in iommufd_device_do_replace()", " - cgroup/cpuset: fix panic caused by partcmd_update", " - cgroup/cpuset: Clear effective_xcpus on cpus_allowed clearing only if", " cpus.exclusive not set", " - of: Introduce for_each_*_child_of_node_scoped() to automate of_node_put()", " handling", " - thermal: of: Fix OF node leak in 
thermal_of_trips_init() error path", " - thermal: of: Fix OF node leak in thermal_of_zone_register()", " - thermal: of: Fix OF node leak in of_thermal_zone_find() error paths", " - Upstream stable to v6.6.48, v6.10.7", " * Unable to list directories using CIFS on 6.8 kernel (LP: #2082423) // Noble", " update: upstream stable patchset 2024-10-09 (LP: #2084005)", " - smb: client: ignore unhandled reparse tags", " * CVE-2024-46759", " - hwmon: (adc128d818) Fix underflows seen when writing limit attributes", " * CVE-2024-46758", " - hwmon: (lm95234) Fix underflows seen when writing limit attributes", " * CVE-2024-46756", " - hwmon: (w83627ehf) Fix underflows seen when writing limit attributes", " * CVE-2024-46738", " - VMCI: Fix use-after-free when removing resource in vmci_resource_remove()", " * CVE-2024-46722", " - drm/amdgpu: fix mc_data out-of-bounds read warning", " * LXD fan bridge causes blocked tasks (LP: #2064176)", " - SAUCE: fan: release rcu_read_lock on skb discard path", " - SAUCE: fan: fix racy device stat update", " * x86/CPU/AMD: Add models 0x10-0x1f to the Zen5 range (LP: #2081863)", " - x86/CPU/AMD: Add models 0x60-0x6f to the Zen5 range", " * UBSAN: array-index-out-of-bounds in module mt76 (LP: #2081785)", " - wifi: mt76: mt7925: fix a potential array-index-out-of-bounds issue for clc", " * The system hangs after resume with thunderbolt monitor(AMD GPU [1002:1900])", " (LP: #2083182)", " - SAUCE: drm/amd/display: Fix system hang while resume with TBT monitor", " * [SRU] GPU: support additional device ids for DG2 driver (LP: #2083701)", " - drm/i915: Add new PCI IDs to DG2 platform in driver", " * [SRU]Intel Arrow Lake IBECC feature backport request for ubuntu 22.04.5 and", " 24.04.1 server (LP: #2077861)", " - EDAC/igen6: Add Intel Arrow Lake-U/H SoCs support", " * Noble update: upstream stable patchset 2024-10-07 (LP: #2083794)", " - ASoC: topology: Clean up route loading", " - ASoC: topology: Fix route memory corruption", " - LoongArch: Define 
__ARCH_WANT_NEW_STAT in unistd.h", " - sunrpc: don't change ->sv_stats if it doesn't exist", " - nfsd: stop setting ->pg_stats for unused stats", " - sunrpc: pass in the sv_stats struct through svc_create_pooled", " - sunrpc: remove ->pg_stats from svc_program", " - nfsd: remove nfsd_stats, make th_cnt a global counter", " - nfsd: make svc_stat per-network namespace instead of global", " - mm: gup: stop abusing try_grab_folio", " - nvme/pci: Add APST quirk for Lenovo N60z laptop", " - genirq/cpuhotplug: Skip suspended interrupts when restoring affinity", " - genirq/cpuhotplug: Retry with cpu_online_mask when migration fails", " - quota: Detect loops in quota tree", " - bpf: Replace bpf_lpm_trie_key 0-length array with flexible array", " - fs: Annotate struct file_handle with __counted_by() and use struct_size()", " - mISDN: fix MISDN_TIME_STAMP handling", " - mm/page_table_check: support userfault wr-protect entries", " - bpf, net: Use DEV_STAT_INC()", " - f2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC", " - f2fs: fix to cover read extent cache access with lock", " - fou: remove warn in gue_gro_receive on unsupported protocol", " - jfs: fix null ptr deref in dtInsertEntry", " - jfs: Fix shift-out-of-bounds in dbDiscardAG", " - fs/ntfs3: Do copy_to_user out of run_lock", " - ALSA: usb: Fix UBSAN warning in parse_audio_unit()", " - binfmt_flat: Fix corruption when not offsetting data start", " - mm/debug_vm_pgtable: drop RANDOM_ORVALUE trick", " - KVM: arm64: Don't defer TLB invalidation when zapping table entries", " - KVM: arm64: Don't pass a TLBI level hint when zapping table entries", " - drm/amd/display: Defer handling mst up request in resume", " - drm/amd/display: Guard cursor idle reallow by DC debug option", " - drm/amd/display: Separate setting and programming of cursor", " - drm/amd/display: Prevent IPX From Link Detect and Set Mode", " - ASoC: cs35l56: Patch CS35L56_IRQ1_MASK_18 to the default value", " - platform/x86/amd/pmf: 
Fix to Update HPD Data When ALS is Disabled", " - platform/x86: ideapad-laptop: introduce a generic notification chain", " - platform/x86: ideapad-laptop: move ymc_trigger_ec from lenovo-ymc", " - platform/x86: ideapad-laptop: add a mutex to synchronize VPC commands", " - drm/amd/display: Solve mst monitors blank out problem after resume", " - drm/amdgpu/display: Fix null pointer dereference in", " dc_stream_program_cursor_position", " - Upstream stable to v6.6.47, v6.10.6", " * Noble update: upstream stable patchset 2024-10-04 (LP: #2083656)", " - irqchip/mbigen: Fix mbigen node address layout", " - platform/x86/intel/ifs: Initialize union ifs_status to zero", " - jump_label: Fix the fix, brown paper bags galore", " - x86/mm: Fix pti_clone_pgtable() alignment assumption", " - x86/mm: Fix pti_clone_entry_text() for i386", " - smb: client: move most of reparse point handling code to common file", " - smb: client: set correct d_type for reparse DFS/DFSR and mount point", " - smb: client: handle lack of FSCTL_GET_REPARSE_POINT support", " - sctp: Fix null-ptr-deref in reuseport_add_sock().", " - net: usb: qmi_wwan: fix memory leak for not ip packets", " - net: bridge: mcast: wait for previous gc cycles when removing port", " - net: linkwatch: use system_unbound_wq", " - ice: Fix reset handler", " - Bluetooth: l2cap: always unlock channel in l2cap_conless_channel()", " - Bluetooth: hci_sync: avoid dup filtering when passive scanning with adv", " monitor", " - net/smc: add the max value of fallback reason count", " - net: dsa: bcm_sf2: Fix a possible memory leak in bcm_sf2_mdio_register()", " - l2tp: fix lockdep splat", " - net: bcmgenet: Properly overlay PHY and MAC Wake-on-LAN capabilities", " - net: fec: Stop PPS on driver remove", " - gpio: prevent potential speculation leaks in gpio_device_get_desc()", " - hwmon: corsair-psu: add USB id of HX1200i Series 2023 psu", " - rcutorture: Fix rcu_torture_fwd_cb_cr() data race", " - md: do not delete safemode_timer in 
mddev_suspend", " - md/raid5: avoid BUG_ON() while continue reshape after reassembling", " - block: change rq_integrity_vec to respect the iterator", " - rcu: Fix rcu_barrier() VS post CPUHP_TEARDOWN_CPU invocation", " - clocksource/drivers/sh_cmt: Address race condition for clock events", " - ACPI: battery: create alarm sysfs attribute atomically", " - ACPI: SBS: manage alarm sysfs attribute through psy core", " - xen: privcmd: Switch from mutex to spinlock for irqfds", " - wifi: nl80211: disallow setting special AP channel widths", " - wifi: ath12k: fix memory leak in ath12k_dp_rx_peer_frag_setup()", " - net/mlx5e: SHAMPO, Fix invalid WQ linked list unlink", " - selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT", " - af_unix: Don't retry after unix_state_lock_nested() in", " unix_stream_connect().", " - PCI: Add Edimax Vendor ID to pci_ids.h", " - udf: prevent integer overflow in udf_bitmap_free_blocks()", " - wifi: nl80211: don't give key data to userspace", " - can: mcp251xfd: tef: prepare to workaround broken TEF FIFO tail index", " erratum", " - can: mcp251xfd: tef: update workaround for erratum DS80000789E 6 of", " mcp2518fd", " - net: stmmac: qcom-ethqos: enable SGMII loopback during DMA reset on", " sa8775p-ride-r3", " - btrfs: do not clear page dirty inside extent_write_locked_range()", " - btrfs: fix invalid mapping of extent xarray state", " - btrfs: fix bitmap leak when loading free space cache on duplicate entry", " - Bluetooth: btnxpuart: Shutdown timer and prevent rearming when driver", " unloading", " - drm/amd/display: Add delay to improve LTTPR UHBR interop", " - drm/amdgpu: fix potential resource leak warning", " - drm/amdgpu/pm: Fix the param type of set_power_profile_mode", " - drm/amdgpu/pm: Fix the null pointer dereference for smu7", " - drm/amdgpu: Fix the null pointer dereference to ras_manager", " - drm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules", " - drm/admgpu: fix dereferencing null pointer 
context", " - drm/amdgpu: Add lock around VF RLCG interface", " - drm/amd/pm: Fix the null pointer dereference for vega10_hwmgr", " - media: amphion: Remove lock in s_ctrl callback", " - drm/amd/display: Add null checker before passing variables", " - media: uvcvideo: Ignore empty TS packets", " - media: uvcvideo: Fix the bandwdith quirk on USB 3.x", " - media: xc2028: avoid use-after-free in load_firmware_cb()", " - ext4: fix uninitialized variable in ext4_inlinedir_to_tree", " - jbd2: avoid memleak in jbd2_journal_write_metadata_buffer", " - s390/sclp: Prevent release of buffer in I/O", " - SUNRPC: Fix a race to wake a sync task", " - profiling: remove profile=sleep support", " - scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES", " - irqchip/meson-gpio: Convert meson_gpio_irq_controller::lock to", " 'raw_spinlock_t'", " - irqchip/loongarch-cpu: Fix return value of lpic_gsi_to_irq()", " - sched/cputime: Fix mul_u64_u64_div_u64() precision for cputime", " - net: drop bad gso csum_start and offset in virtio_net_hdr", " - arm64: Add Neoverse-V2 part", " - arm64: barrier: Restore spec_bar() macro", " - arm64: cputype: Add Cortex-X4 definitions", " - arm64: cputype: Add Neoverse-V3 definitions", " - arm64: errata: Add workaround for Arm errata 3194386 and 3312417", " - arm64: cputype: Add Cortex-X3 definitions", " - arm64: cputype: Add Cortex-A720 definitions", " - arm64: cputype: Add Cortex-X925 definitions", " - arm64: errata: Unify speculative SSBS errata logic", " - [Config] Set ARM64_ERRATUM_3194386=y", " - arm64: errata: Expand speculative SSBS workaround", " - arm64: cputype: Add Cortex-X1C definitions", " - arm64: cputype: Add Cortex-A725 definitions", " - arm64: errata: Expand speculative SSBS workaround (again)", " - i2c: smbus: Improve handling of stuck alerts", " - ASoC: codecs: wcd938x-sdw: Correct Soundwire ports mask", " - ASoC: codecs: wsa881x: Correct Soundwire ports mask", " - ASoC: codecs: wsa883x: parse port-mapping information", " - ASoC: 
codecs: wsa883x: Correct Soundwire ports mask", " - ASoC: codecs: wsa884x: parse port-mapping information", " - ASoC: codecs: wsa884x: Correct Soundwire ports mask", " - ASoC: sti: add missing probe entry for player and reader", " - spi: spidev: Add missing spi_device_id for bh2228fv", " - ASoC: SOF: Remove libraries from topology lookups", " - i2c: smbus: Send alert notifications to all devices if source not found", " - bpf: kprobe: remove unused declaring of bpf_kprobe_override", " - kprobes: Fix to check symbol prefixes correctly", " - i2c: qcom-geni: Add missing clk_disable_unprepare in geni_i2c_runtime_resume", " - i2c: qcom-geni: Add missing geni_icc_disable in geni_i2c_runtime_resume", " - spi: spi-fsl-lpspi: Fix scldiv calculation", " - ALSA: usb-audio: Re-add ScratchAmp quirk entries", " - ASoC: meson: axg-fifo: fix irq scheduling issue with PREEMPT_RT", " - cifs: cifs_inval_name_dfs_link_error: correct the check for fullpath", " - module: warn about excessively long module waits", " - module: make waiting for a concurrent module loader interruptible", " - drm/i915/gem: Fix Virtual Memory mapping boundaries calculation", " - drm/amd/display: Skip Recompute DSC Params if no Stream on Link", " - drm/amdgpu: Forward soft recovery errors to userspace", " - drm/i915/gem: Adjust vma offset for framebuffer mmap offset", " - drm/client: fix null pointer dereference in drm_client_modeset_probe", " - ALSA: line6: Fix racy access to midibuf", " - ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list", " - ALSA: hda/realtek: Add Framework Laptop 13 (Intel Core Ultra) to quirks", " - ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4", " - usb: vhci-hcd: Do not drop references before new references are gained", " - USB: serial: debug: do not echo input by default", " - usb: gadget: core: Check for unset descriptor", " - usb: gadget: midi2: Fix the response for FB info with block 0xff", " - usb: gadget: u_serial: Set start_delayed during suspend", " - 
usb: gadget: u_audio: Check return codes from usb_ep_enable and", " config_ep_by_speed.", " - scsi: mpi3mr: Avoid IOMMU page faults on REPORT ZONES", " - scsi: ufs: core: Do not set link to OFF state while waking up from", " hibernation", " - scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic", " - tick/broadcast: Move per CPU pointer access into the atomic section", " - vhost-vdpa: switch to use vmf_insert_pfn() in the fault handler", " - ntp: Clamp maxerror and esterror to operating range", " - clocksource: Scale the watchdog read retries automatically", " - clocksource: Fix brown-bag boolean thinko in cs_watchdog_read()", " - driver core: Fix uevent_show() vs driver detach race", " - tracefs: Fix inode allocation", " - tracefs: Use generic inode RCU for synchronizing freeing", " - ntp: Safeguard against time_constant overflow", " - timekeeping: Fix bogus clock_was_set() invocation in do_adjtimex()", " - serial: core: check uartclk for zero to avoid divide by zero", " - memcg: protect concurrent access to mem_cgroup_idr", " - parisc: fix unaligned accesses in BPF", " - parisc: fix a possible DMA corruption", " - ASoC: amd: yc: Add quirk entry for OMEN by HP Gaming Laptop 16-n0xxx", " - kcov: properly check for softirq context", " - irqchip/xilinx: Fix shift out of bounds", " - genirq/irqdesc: Honor caller provided affinity in alloc_desc()", " - LoongArch: Enable general EFI poweroff method", " - power: supply: qcom_battmgr: return EAGAIN when firmware service is not up", " - power: supply: axp288_charger: Fix constant_charge_voltage writes", " - power: supply: axp288_charger: Round constant_charge_voltage writes down", " - tracing: Fix overflow in get_free_elt()", " - padata: Fix possible divide-by-0 panic in padata_mt_helper()", " - smb3: fix setting SecurityFlags when encryption is required", " - eventfs: Don't return NULL in eventfs_create_dir()", " - eventfs: Use SRCU for freeing eventfs_inodes", " - selftests: mm: add s390 to ARCH check", 
" - btrfs: avoid using fixed char array size for tree names", " - x86/paravirt: Fix incorrect virt spinlock setting on bare metal", " - x86/mtrr: Check if fixed MTRRs exist before saving them", " - sched/smt: Introduce sched_smt_present_inc/dec() helper", " - sched/smt: Fix unbalance sched_smt_present dec/inc", " - sched/core: Introduce sched_set_rq_on/offline() helper", " - sched/core: Fix unbalance set_rq_online/offline() in sched_cpu_deactivate()", " - drm/bridge: analogix_dp: properly handle zero sized AUX transactions", " - drm/dp_mst: Skip CSN if topology probing is not done yet", " - drm/lima: Mark simple_ondemand governor as softdep", " - drm/mgag200: Set DDC timeout in milliseconds", " - drm/mgag200: Bind I2C lifetime to DRM device", " - drm/radeon: Remove __counted_by from StateArray.states[]", " - mptcp: fully established after ADD_ADDR echo on MPJ", " - mptcp: pm: deny endp with signal + subflow + port", " - block: use the right type for stub rq_integrity_vec()", " - btrfs: fix corruption after buffer fault in during direct IO append write", " - tools headers arm64: Sync arm64's cputype.h with the kernel sources", " - mm/hugetlb: fix potential race in __update_and_free_hugetlb_folio()", " - xfs: fix log recovery buffer allocation for the legacy h_size fixup", " - mptcp: pm: reduce indentation blocks", " - mptcp: pm: don't try to create sf if alloc failed", " - mptcp: pm: do not ignore 'subflow' if 'signal' flag is also set", " - selftests: mptcp: join: ability to invert ADD_ADDR check", " - selftests: mptcp: join: test both signal & subflow", " - Revert \"selftests: mptcp: simult flows: mark 'unbalanced' tests as flaky\"", " - btrfs: fix double inode unlock for direct IO sync writes", " - perf/x86/intel/cstate: Switch to new Intel CPU model defines", " - perf/x86/intel/cstate: Add Arrowlake support", " - perf/x86/intel/cstate: Add Lunarlake support", " - perf/x86/intel/cstate: Add pkg C2 residency counter for Sierra Forest", " - platform/x86: 
intel-vbtn: Protect ACPI notify handler against recursion", " - perf/x86/amd: Use try_cmpxchg() in events/amd/{un,}core.c", " - perf/x86/intel: Support the PEBS event mask", " - perf/x86: Support counter mask", " - perf/x86: Fix smp_processor_id()-in-preemptible warnings", " - virtio-net: unbreak vq resizing when coalescing is not negotiated", " - net: dsa: microchip: Fix Wake-on-LAN check to not return an error", " - net: dsa: microchip: disable EEE for KSZ8567/KSZ9567/KSZ9896/KSZ9897.", " - regmap: kunit: Use a KUnit action to call regmap_exit()", " - regmap: kunit: Replace a kmalloc/kfree() pair with KUnit-managed alloc", " - regmap: kunit: Fix memory leaks in gen_regmap() and gen_raw_regmap()", " - debugobjects: Annotate racy debug variables", " - nvme: apple: fix device reference counting", " - cpufreq: amd-pstate: Allow users to write 'default' EPP string", " - cpufreq: amd-pstate: auto-load pstate driver by default", " - soc: qcom: icc-bwmon: Allow for interrupts to be shared across instances", " - ACPI: resource: Skip IRQ override on Asus Vivobook Pro N6506MU", " - ACPI: resource: Skip IRQ override on Asus Vivobook Pro N6506MJ", " - thermal: intel: hfi: Give HFI instances package scope", " - wifi: ath12k: fix race due to setting ATH12K_FLAG_EXT_IRQ_ENABLED too early", " - wifi: rtlwifi: handle return value of usb init TX/RX", " - wifi: rtw89: pci: fix RX tag race condition resulting in wrong RX length", " - wifi: mac80211: fix NULL dereference at band check in starting tx ba session", " - bpf: add missing check_func_arg_reg_off() to prevent out-of-bounds memory", " accesses", " - mlxsw: pci: Lock configuration space of upstream bridge during reset", " - btrfs: do not BUG_ON() when freeing tree block after error", " - btrfs: reduce nesting for extent processing at btrfs_lookup_extent_info()", " - btrfs: fix data race when accessing the last_trans field of a root", " - drm/xe/preempt_fence: enlarge the fence critical section", " - drm/amd/display: Handle 
HPD_IRQ for internal link", " - drm/amd/amdkfd: Fix a resource leak in svm_range_validate_and_map()", " - drm/xe/xe_guc_submit: Fix exec queue stop race condition", " - drm/amd/display: Add null checks for 'stream' and 'plane' before", " dereferencing", " - drm/amd/display: Wake DMCUB before sending a command for replay feature", " - drm/amd/display: reduce ODM slice count to initial new dc state only when", " needed", " - of: Add cleanup.h based auto release via __free(device_node) markings", " - media: i2c: ov5647: replacing of_node_put with __free(device_node)", " - drm/amd/display: Fix null pointer deref in dcn20_resource.c", " - ext4: sanity check for NULL pointer after ext4_force_shutdown", " - mm, slub: do not call do_slab_free for kfence object", " - ASoC: cs35l56: Revert support for dual-ownership of ASP registers", " - drm/atomic: allow no-op FB_ID updates for async flips", " - drm/amd/display: Replace dm_execute_dmub_cmd with", " dc_wake_and_execute_dmub_cmd", " - drm/xe/rtp: Fix off-by-one when processing rules", " - drm/xe: Use dma_fence_chain_free in chain fence unused as a sync", " - drm/xe/hwmon: Fix PL1 disable flow in xe_hwmon_power_max_write", " - drm/xe: Move lrc snapshot capturing to xe_lrc.c", " - drm/xe: Minor cleanup in LRC handling", " - drm/test: fix the gem shmem test to map the sg table.", " - usb: typec: pd: no opencoding of FIELD_GET", " - usb: typec: fsa4480: Check if the chip is really there", " - PM: runtime: Simplify pm_runtime_get_if_active() usage", " - scsi: ufs: core: Fix deadlock during RTC update", " - serial: sc16is7xx: fix invalid FIFO access with special register set", " - tracing: Have format file honor EVENT_FILE_FL_FREED", " - mm: list_lru: fix UAF for memory cgroup", " - net/tcp: Disable TCP-AO static key after RCU grace period", " - Revert \"drm/amd/display: Handle HPD_IRQ for internal link\"", " - idpf: fix memleak in vport interrupt configuration", " - drm/amd/display: Add null check in 
resource_log_pipe_topology_update", " - Upstream stable to v6.6.46, v6.10.5", " * Noble update: upstream stable patchset 2024-10-02 (LP: #2083488)", " - sysctl: allow change system v ipc sysctls inside ipc namespace", " - sysctl: allow to change limits for posix messages queues", " - sysctl: treewide: drop unused argument ctl_table_root::set_ownership(table)", " - ext4: factor out a common helper to query extent map", " - ext4: check the extent status again before inserting delalloc block", " - leds: trigger: Store brightness set by led_trigger_event()", " - leds: trigger: Call synchronize_rcu() before calling trig->activate()", " - KVM: VMX: Move posted interrupt descriptor out of VMX code", " - fbdev/vesafb: Replace references to global screen_info by local pointer", " - video: Add helpers for decoding screen_info", " - [Config] Update CONFIG_SCREEN_INFO", " - video: Provide screen_info_get_pci_dev() to find screen_info's PCI device", " - firmware/sysfb: Update screen_info for relocated EFI framebuffers", " - mm: page_alloc: control latency caused by zone PCP draining", " - mm/page_alloc: fix pcp->count race between drain_pages_zone() vs", " __rmqueue_pcplist()", " - f2fs: fix to avoid use SSR allocate when do defragment", " - f2fs: assign CURSEG_ALL_DATA_ATGC if blkaddr is valid", " - dmaengine: fsl-edma: add address for channel mux register in fsl_edma_chan", " - dmaengine: fsl-edma: add i.MX8ULP edma support", " - perf: imx_perf: fix counter start and config sequence", " - MIPS: Loongson64: DTS: Fix PCIe port nodes for ls7a", " - MIPS: dts: loongson: Fix liointc IRQ polarity", " - MIPS: dts: loongson: Fix ls2k1000-rtc interrupt", " - ARM: 9406/1: Fix callchain_trace() return value", " - HID: amd_sfh: Move sensor discovery before HID device initialization", " - perf tool: fix dereferencing NULL al->maps", " - drm/nouveau: prime: fix refcount underflow", " - drm/vmwgfx: Fix overlay when using Screen Targets", " - drm/vmwgfx: Trigger a modeset when the screen 
moves", " - sched: act_ct: take care of padding in struct zones_ht_key", " - wifi: cfg80211: fix reporting failed MLO links status with", " cfg80211_connect_done", " - net: phy: realtek: add support for RTL8366S Gigabit PHY", " - ALSA: hda: conexant: Fix headset auto detect fail in the polling mode", " - Bluetooth: btintel: Fail setup on error", " - Bluetooth: hci_sync: Fix suspending with wrong filter policy", " - tcp: annotate data-races around tp->window_clamp", " - tcp: Adjust clamping window for applications specifying SO_RCVBUF", " - net: axienet: start napi before enabling Rx/Tx", " - rtnetlink: Don't ignore IFLA_TARGET_NETNSID when ifname is specified in", " rtnl_dellink().", " - i915/perf: Remove code to update PWR_CLK_STATE for gen12", " - ice: respect netif readiness in AF_XDP ZC related ndo's", " - ice: don't busy wait for Rx queue disable in ice_qp_dis()", " - ice: replace synchronize_rcu with synchronize_net", " - ice: add missing WRITE_ONCE when clearing ice_rx_ring::xdp_prog", " - drm/i915/hdcp: Fix HDCP2_STREAM_STATUS macro", " - net: mvpp2: Don't re-use loop iterator", " - net: phy: micrel: Fix the KSZ9131 MDI-X status issue", " - ALSA: hda: Conditionally use snooping for AMD HDMI", " - netfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init().", " - netfilter: iptables: Fix potential null-ptr-deref in", " ip6table_nat_table_init().", " - net/mlx5: Always drain health in shutdown callback", " - net/mlx5: Fix error handling in irq_pool_request_irq", " - net/mlx5: Lag, don't use the hardcoded value of the first port", " - net/mlx5: Fix missing lock on sync reset reload", " - net/mlx5e: Require mlx5 tc classifier action support for IPsec prio", " capability", " - net/mlx5e: Fix CT entry update leaks of modify header context", " - net/mlx5e: Add a check for the return value from mlx5_port_set_eth_ptys", " - igc: Fix double reset adapter triggered from a single taprio cmd", " - ipv6: fix ndisc_is_useropt() handling for PIO", " - perf: riscv: 
Fix selecting counters in legacy mode", " - riscv/mm: Add handling for VM_FAULT_SIGSEGV in mm_fault_error()", " - riscv: Fix linear mapping checks for non-contiguous memory regions", " - arm64: jump_label: Ensure patched jump_labels are visible to all CPUs", " - rust: SHADOW_CALL_STACK is incompatible with Rust", " - platform/chrome: cros_ec_proto: Lock device when updating MKBP version", " - HID: wacom: Modify pen IDs", " - btrfs: zoned: fix zone_unusable accounting on making block group read-write", " again", " - btrfs: do not subtract delalloc from avail bytes", " - protect the fetch of ->fd[fd] in do_dup2() from mispredictions", " - mptcp: sched: check both directions for backup", " - ALSA: usb-audio: Correct surround channels in UAC1 channel map", " - ALSA: hda/realtek: Add quirk for Acer Aspire E5-574G", " - ALSA: seq: ump: Optimize conversions from SysEx to UMP", " - Revert \"ALSA: firewire-lib: obsolete workqueue for period update\"", " - Revert \"ALSA: firewire-lib: operate for period elapse event in process", " context\"", " - drm/vmwgfx: Fix a deadlock in dma buf fence polling", " - drm/virtio: Fix type of dma-fence context variable", " - drm/i915: Fix possible int overflow in skl_ddi_calculate_wrpll()", " - net: usb: sr9700: fix uninitialized variable use in sr_mdio_read", " - r8169: don't increment tx_dropped in case of NETDEV_TX_BUSY", " - mptcp: fix user-space PM announced address accounting", " - mptcp: distinguish rcv vs sent backup flag in requests", " - mptcp: fix NL PM announced address accounting", " - mptcp: mib: count MPJ with backup flag", " - mptcp: fix bad RCVPRUNED mib accounting", " - mptcp: pm: only set request_bkup flag when sending MP_PRIO", " - mptcp: fix duplicate data handling", " - selftests: mptcp: always close input's FD if opened", " - selftests: mptcp: join: validate backup in MPJ", " - selftests: mptcp: join: check backup support in signal endp", " - mm/huge_memory: mark racy access onhuge_anon_orders_always", " - mm: fix 
khugepaged activation policy", " - x86/cpu/vfm: Add/initialize x86_vfm field to struct cpuinfo_x86", " - perf/x86/intel: Switch to new Intel CPU model defines", " - perf/x86/intel: Add a distinct name for Granite Rapids", " - drm/gpuvm: fix missing dependency to DRM_EXEC", " - netlink: specs: correct the spec of ethtool", " - ethtool: rss: echo the context number back", " - wifi: cfg80211: correct S1G beacon length calculation", " - ethtool: fix setting key and resetting indir at once", " - ice: modify error handling when setting XSK pool in ndo_bpf", " - ice: toggle netif_carrier when setting up XSK pool", " - ice: improve updating ice_{t,r}x_ring::xsk_pool", " - ice: xsk: fix txq interrupt mapping", " - drm/atomic: Allow userspace to use explicit sync with atomic async flips", " - drm/atomic: Allow userspace to use damage clips with async flips", " - riscv/purgatory: align riscv_kernel_entry", " - perf arch events: Fix duplicate RISC-V SBI firmware event name", " - RISC-V: Enable the IPI before workqueue_online_cpu()", " - ceph: force sending a cap update msg back to MDS for revoke op", " - drm/vmwgfx: Remove unused code", " - drm/vmwgfx: Fix handling of dumb buffers", " - drm/v3d: Prevent out of bounds access in performance query extensions", " - drm/v3d: Fix potential memory leak in the timestamp extension", " - drm/v3d: Fix potential memory leak in the performance extension", " - drm/v3d: Validate passed in drm syncobj handles in the timestamp extension", " - drm/v3d: Validate passed in drm syncobj handles in the performance extension", " - nouveau: set placement to original placement on uvmm validate.", " - wifi: ath12k: fix soft lockup on suspend", " - mptcp: pm: fix backup support in signal endpoints", " - selftests: mptcp: fix error path", " - Upstream stable to v6.6.45, v6.10.4", " * [SRU] Fix AST DP output after resume (LP: #2083022) // Noble update:", " upstream stable patchset 2024-10-02 (LP: #2083488)", " - drm/ast: astdp: Wake up during connector 
status detection", " - drm/ast: Fix black screen after resume", " * [SRU]Fail to locate the LED of NVME disk behind Intel VMD (LP: #2077287) //", " Noble update: upstream stable patchset 2024-10-02 (LP: #2083488)", " - PCI: pciehp: Retain Power Indicator bits for userspace indicators", " * Noble update: upstream stable patchset 2024-09-30 (LP: #2083196)", " - powerpc/configs: Update defconfig with now user-visible CONFIG_FSL_IFC", " - spi: spi-microchip-core: Fix the number of chip selects supported", " - spi: atmel-quadspi: Add missing check for clk_prepare", " - EDAC, i10nm: make skx_common.o a separate module", " - rcu/tasks: Fix stale task snaphot for Tasks Trace", " - platform/chrome: cros_ec_debugfs: fix wrong EC message version", " - ubd: refactor the interrupt handler", " - ubd: untagle discard vs write zeroes not support handling", " - block: initialize integrity buffer to zero before writing it to media", " - x86/kconfig: Add as-instr64 macro to properly evaluate AS_WRUSS", " - hfsplus: fix to avoid false alarm of circular locking", " - x86/of: Return consistent error type from x86_of_pci_irq_enable()", " - x86/pci/intel_mid_pci: Fix PCIBIOS_* return code handling", " - x86/pci/xen: Fix PCIBIOS_* return code handling", " - x86/platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos", " - cgroup/cpuset: Prevent UAF in proc_cpuset_show()", " - hwmon: (adt7475) Fix default duty on fan is disabled", " - block: Call .limit_depth() after .hctx has been set", " - block/mq-deadline: Fix the tag reservation code", " - md: Don't wait for MD_RECOVERY_NEEDED for HOT_REMOVE_DISK ioctl", " - pwm: stm32: Always do lazy disabling", " - nvmet-auth: fix nvmet_auth hash error handling", " - drm/meson: fix canvas release in bind function", " - pwm: atmel-tcb: Fix race condition and convert to guards", " - hwmon: (max6697) Fix underflow when writing limit attributes", " - hwmon: (max6697) Fix swapped temp{1,8} critical alarms", " - arm64: dts: qcom: sc8180x: Correct PCIe 
slave ports", " - arm64: dts: qcom: sc8180x: add power-domain to UFS PHY", " - arm64: dts: qcom: sdm845: add power-domain to UFS PHY", " - arm64: dts: qcom: sm6115: add power-domain to UFS PHY", " - arm64: dts: qcom: sm6350: add power-domain to UFS PHY", " - arm64: dts: qcom: sm8250: add power-domain to UFS PHY", " - arm64: dts: qcom: sm8350: add power-domain to UFS PHY", " - arm64: dts: qcom: sm8450: add power-domain to UFS PHY", " - arm64: dts: qcom: msm8996-xiaomi-common: drop excton from the USB PHY", " - arm64: dts: qcom: sdm850-lenovo-yoga-c630: fix IPA firmware path", " - arm64: dts: qcom: msm8998: enable adreno_smmu by default", " - soc: qcom: pmic_glink: Handle the return value of pmic_glink_init", " - soc: qcom: rpmh-rsc: Ensure irqs aren't disabled by rpmh_rsc_send_data()", " callers", " - arm64: dts: rockchip: Add sdmmc related properties on rk3308-rock-pi-s", " - arm64: dts: rockchip: Add pinctrl for UART0 to rk3308-rock-pi-s", " - arm64: dts: rockchip: Add mdio and ethernet-phy nodes to rk3308-rock-pi-s", " - arm64: dts: rockchip: Update WIFi/BT related nodes on rk3308-rock-pi-s", " - arm64: dts: qcom: msm8996: specify UFS core_clk frequencies", " - arm64: dts: qcom: sa8775p: mark ethernet devices as DMA-coherent", " - soc: xilinx: rename cpu_number1 to dummy_cpu_number", " - ARM: dts: sunxi: remove duplicated entries in makefile", " - ARM: dts: stm32: Add arm,no-tick-in-suspend to STM32MP15xx STGEN timer", " - arm64: dts: qcom: qrb4210-rb2: make L9A always-on", " - cpufreq: ti-cpufreq: Handle deferred probe with dev_err_probe()", " - OPP: ti: Fix ti_opp_supply_probe wrong return values", " - memory: fsl_ifc: Make FSL_IFC config visible and selectable", " - arm64: dts: ti: k3-am62x: Drop McASP AFIFOs", " - arm64: dts: ti: k3-am625-beagleplay: Drop McASP AFIFOs", " - arm64: dts: ti: k3-am62-verdin: Drop McASP AFIFOs", " - arm64: dts: qcom: qdu1000: Add secure qfprom node", " - soc: qcom: icc-bwmon: Fix refcount imbalance seen during bwmon_remove", " - 
soc: qcom: pdr: protect locator_addr with the main mutex", " - soc: qcom: pdr: fix parsing of domains lists", " - arm64: dts: rockchip: Increase VOP clk rate on RK3328", " - arm64: dts: amlogic: sm1: fix spdif compatibles", " - ARM: dts: imx6qdl-kontron-samx6i: fix phy-mode", " - ARM: dts: imx6qdl-kontron-samx6i: fix PHY reset", " - ARM: dts: imx6qdl-kontron-samx6i: fix board reset", " - ARM: dts: imx6qdl-kontron-samx6i: fix SPI0 chip selects", " - ARM: dts: imx6qdl-kontron-samx6i: fix PCIe reset polarity", " - arm64: dts: mediatek: mt8195: Fix GPU thermal zone name for SVS", " - arm64: dts: mediatek: mt8183-kukui: Drop bogus output-enable property", " - arm64: dts: mediatek: mt8192-asurada: Add off-on-delay-us for", " pp3300_mipibrdg", " - arm64: dts: mediatek: mt7622: fix \"emmc\" pinctrl mux", " - arm64: dts: mediatek: mt8183-kukui: Fix the value of `dlg,jack-det-rate`", " mismatch", " - arm64: dts: mediatek: mt8183-kukui-jacuzzi: Add ports node for anx7625", " - arm64: dts: amlogic: gx: correct hdmi clocks", " - arm64: dts: amlogic: add power domain to hdmitx", " - arm64: dts: amlogic: setup hdmi system clock", " - arm64: dts: rockchip: Drop invalid mic-in-differential on rk3568-rock-3a", " - arm64: dts: rockchip: Fix mic-in-differential usage on rk3566-roc-pc", " - arm64: dts: rockchip: Fix mic-in-differential usage on rk3568-evb1-v10", " - arm64: dts: renesas: r8a779a0: Add missing hypervisor virtual timer IRQ", " - arm64: dts: renesas: r8a779f0: Add missing hypervisor virtual timer IRQ", " - arm64: dts: renesas: r8a779g0: Add missing hypervisor virtual timer IRQ", " - arm64: dts: renesas: r9a07g043u: Add missing hypervisor virtual timer IRQ", " - arm64: dts: renesas: r9a07g044: Add missing hypervisor virtual timer IRQ", " - arm64: dts: renesas: r9a07g054: Add missing hypervisor virtual timer IRQ", " - m68k: atari: Fix TT bootup freeze / unexpected (SCU) interrupt messages", " - arm64: dts: imx8mp: Fix pgc_mlmix location", " - arm64: dts: imx8mp: add HDMI 
power-domains", " - arm64: dts: imx8mp: Fix pgc vpu locations", " - x86/xen: Convert comma to semicolon", " - arm64: dts: rockchip: Add missing power-domains for rk356x vop_mmu", " - arm64: dts: rockchip: fix regulator name for Lunzn Fastrhino R6xS", " - arm64: dts: rockchip: fix usb regulator for Lunzn Fastrhino R6xS", " - arm64: dts: rockchip: fix pmu_io supply for Lunzn Fastrhino R6xS", " - arm64: dts: rockchip: remove unused usb2 nodes for Lunzn Fastrhino R6xS", " - arm64: dts: rockchip: disable display subsystem for Lunzn Fastrhino R6xS", " - arm64: dts: rockchip: fixes PHY reset for Lunzn Fastrhino R68S", " - arm64: dts: qcom: sm6350: Add missing qcom,non-secure-domain property", " - cpufreq/amd-pstate: Fix the scaling_max_freq setting on shared memory CPPC", " systems", " - m68k: cmpxchg: Fix return value for default case in __arch_xchg()", " - ARM: spitz: fix GPIO assignment for backlight", " - vmlinux.lds.h: catch .bss..L* sections into BSS\")", " - firmware: turris-mox-rwtm: Do not complete if there are no waiters", " - firmware: turris-mox-rwtm: Fix checking return value of", " wait_for_completion_timeout()", " - firmware: turris-mox-rwtm: Initialize completion before mailbox", " - wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device", " - wifi: ath12k: Correct 6 GHz frequency value in rx status", " - wifi: ath12k: Fix tx completion ring (WBM2SW) setup failure", " - bpftool: Un-const bpf_func_info to fix it for llvm 17 and newer", " - selftests/bpf: Fix prog numbers in test_sockmap", " - net: esp: cleanup esp_output_tail_tcp() in case of unsupported ESPINTCP", " - wifi: ath12k: change DMA direction while mapping reinjected packets", " - wifi: ath12k: fix invalid memory access while processing fragmented packets", " - wifi: ath12k: fix firmware crash during reo reinject", " - wifi: ath11k: fix wrong definition of CE ring's base address", " - wifi: ath12k: fix wrong definition of CE ring's base address", " - tcp: add tcp_done_with_error() 
helper", " - tcp: fix race in tcp_write_err()", " - tcp: fix races in tcp_v[46]_err()", " - net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when", " CONFIG_ARCH_NO_SG_CHAIN is defined", " - selftests/bpf: Check length of recv in test_sockmap", " - udf: Fix lock ordering in udf_evict_inode()", " - lib: objagg: Fix general protection fault", " - mlxsw: spectrum_acl_erp: Fix object nesting warning", " - mlxsw: spectrum_acl: Fix ACL scale regression and firmware errors", " - perf/x86: Serialize set_attr_rdpmc()", " - jump_label: Fix concurrency issues in static_key_slow_dec()", " - wifi: ath11k: fix wrong handling of CCMP256 and GCMP ciphers", " - wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he()", " - wifi: cfg80211: handle 2x996 RU allocation in", " cfg80211_calculate_bitrate_he()", " - udf: Fix bogus checksum computation in udf_rename()", " - net: fec: Refactor: #define magic constants", " - net: fec: Fix FEC_ECR_EN1588 being cleared on link-down", " - libbpf: Checking the btf_type kind when fixing variable offsets", " - xfrm: Fix unregister netdevice hang on hardware offload.", " - ipvs: Avoid unnecessary calls to skb_is_gso_sctp", " - netfilter: nf_tables: rise cap on SELinux secmark context", " - wifi: rtw89: 8852b: fix definition of KIP register number", " - wifi: rtl8xxxu: 8188f: Limit TX power index", " - xfrm: Export symbol xfrm_dev_state_delete.", " - bpftool: Mount bpffs when pinmaps path not under the bpffs", " - perf/x86/intel/pt: Fix pt_topa_entry_for_page() address calculation", " - perf: Fix perf_aux_size() for greater-than 32-bit size", " - perf: Prevent passing zero nr_pages to rb_alloc_aux()", " - perf: Fix default aux_watermark calculation", " - perf/x86/intel/cstate: Fix Alderlake/Raptorlake/Meteorlake", " - wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter()", " - xfrm: fix netdev reference count imbalance", " - xfrm: call xfrm_dev_policy_delete when kill policy", " - wifi: virt_wifi: avoid reporting connection 
success with wrong SSID", " - gss_krb5: Fix the error handling path for crypto_sync_skcipher_setkey", " - wifi: virt_wifi: don't use strlen() in const context", " - locking/rwsem: Add __always_inline annotation to __down_write_common() and", " inlined callers", " - selftests/bpf: Close fd in error path in drop_on_reuseport", " - selftests/bpf: Null checks for links in bpf_tcp_ca", " - selftests/bpf: Close obj in error path in xdp_adjust_tail", " - selftests/resctrl: Convert perror() to ksft_perror() or ksft_print_msg()", " - selftests/resctrl: Fix closing IMC fds on error and open-code R+W instead of", " loops", " - bpf: annotate BTF show functions with __printf", " - bna: adjust 'name' buf size of bna_tcb and bna_ccb structures", " - bpf: Eliminate remaining \"make W=1\" warnings in kernel/bpf/btf.o", " - bpf: Fix null pointer dereference in resolve_prog_type() for", " BPF_PROG_TYPE_EXT", " - selftests: forwarding: devlink_lib: Wait for udev events after reloading", " - Bluetooth: hci_bcm4377: Use correct unit for timeouts", " - Bluetooth: btintel: Refactor btintel_set_ppag()", " - Bluetooth: btnxpuart: Add handling for boot-signature timeout errors", " - xdp: fix invalid wait context of page_pool_destroy()", " - net: bridge: mst: Check vlan state for egress decision", " - drm/rockchip: vop2: Fix the port mux of VP2", " - drm/arm/komeda: Fix komeda probe failing if there are no links in the", " secondary pipeline", " - drm/amdkfd: Fix CU Masking for GFX 9.4.3", " - drm/mipi-dsi: Fix theoretical int overflow in mipi_dsi_dcs_write_seq()", " - drm/mipi-dsi: Fix theoretical int overflow in mipi_dsi_generic_write_seq()", " - drm/amd/pm: Fix aldebaran pcie speed reporting", " - drm/amdgpu: Fix memory range calculation", " - drm/amdgpu: Check if NBIO funcs are NULL in amdgpu_device_baco_exit", " - drm/amdgpu: Remove GC HW IP 9.3.0 from noretry=1", " - drm/panel: himax-hx8394: Handle errors from mipi_dsi_dcs_set_display_on()", " better", " - drm/panel: boe-tv101wum-nl6: 
If prepare fails, disable GPIO before", " regulators", " - drm/panel: boe-tv101wum-nl6: Check for errors on the NOP in prepare()", " - drm/bridge: Fixed a DP link training bug", " - drm/bridge: it6505: fix hibernate to resume no display issue", " - media: pci: ivtv: Add check for DMA map result", " - media: imon: Fix race getting ictx->lock", " - media: i2c: Fix imx412 exposure control", " - media: v4l: async: Fix NULL pointer dereference in adding ancillary links", " - s390/mm: Convert make_page_secure to use a folio", " - s390/mm: Convert gmap_make_secure to use a folio", " - s390/uv: Don't call folio_wait_writeback() without a folio reference", " - media: mediatek: vcodec: Handle invalid decoder vsi", " - x86/shstk: Make return uprobe work with shadow stack", " - ipmi: ssif_bmc: prevent integer overflow on 32bit systems", " - saa7134: Unchecked i2c_transfer function result fixed", " - media: i2c: imx219: fix msr access command sequence", " - media: uvcvideo: Disable autosuspend for Insta360 Link", " - media: uvcvideo: Quirk for invalid dev_sof in Logitech C922", " - media: uvcvideo: Add quirk for invalid dev_sof in Logitech C920", " - media: uvcvideo: Override default flags", " - drm: zynqmp_dpsub: Fix an error handling path in zynqmp_dpsub_probe()", " - drm: zynqmp_kms: Fix AUX bus not getting unregistered", " - media: rcar-vin: Fix YUYV8_1X16 handling for CSI-2", " - media: rcar-csi2: Disable runtime_pm in probe error", " - media: rcar-csi2: Cleanup subdevice in remove()", " - media: renesas: vsp1: Fix _irqsave and _irq mix", " - media: renesas: vsp1: Store RPF partition configuration per RPF instance", " - drm/mediatek: Add missing plane settings when async update", " - drm/mediatek: Use 8-bit alpha in ETHDR", " - drm/mediatek: Fix XRGB setting error in OVL", " - drm/mediatek: Fix XRGB setting error in Mixer", " - drm/mediatek: Fix destination alpha error in OVL", " - drm/mediatek: Turn off the layers with zero width or height", " - drm/mediatek: Add OVL 
compatible name for MT8195", " - media: imx-jpeg: Drop initial source change event if capture has been setup", " - leds: trigger: Unregister sysfs attributes before calling deactivate()", " - drm/msm/dsi: set VIDEO_COMPRESSION_MODE_CTRL_WC", " - drm/msm/dpu: drop validity checks for clear_pending_flush() ctl op", " - perf test: Make test_arm_callgraph_fp.sh more robust", " - perf pmus: Fixes always false when compare duplicates aliases", " - perf report: Fix condition in sort__sym_cmp()", " - drm/etnaviv: fix DMA direction handling for cached RW buffers", " - drm/qxl: Add check for drm_cvt_mode", " - Revert \"leds: led-core: Fix refcount leak in of_led_get()\"", " - drm/mediatek: Remove less-than-zero comparison of an unsigned value", " - ext4: fix infinite loop when replaying fast_commit", " - drm/mediatek/dp: switch to ->edid_read callback", " - drm/mediatek/dp: Fix spurious kfree()", " - media: venus: flush all buffers in output plane streamoff", " - perf intel-pt: Fix aux_watermark calculation for 64-bit size", " - perf intel-pt: Fix exclude_guest setting", " - mfd: rsmu: Split core code into separate module", " - mfd: omap-usb-tll: Use struct_size to allocate tll", " - xprtrdma: Fix rpcrdma_reqs_reset()", " - SUNRPC: avoid soft lockup when transmitting UDP to reachable server.", " - NFSv4.1 another fix for EXCHGID4_FLAG_USE_PNFS_DS for DS server", " - ext4: don't track ranges in fast_commit if inode has inlined data", " - ext4: avoid writing unitialized memory to disk in EA inodes", " - leds: flash: leds-qcom-flash: Test the correct variable in init", " - sparc64: Fix incorrect function signature and add prototype for", " prom_cif_init", " - SUNRPC: Fixup gss_status tracepoint error output", " - iio: Fix the sorting functionality in iio_gts_build_avail_time_table", " - PCI: Fix resource double counting on remove & rescan", " - PCI: keystone: Relocate ks_pcie_set/clear_dbi_mode()", " - PCI: keystone: Don't enable BAR 0 for AM654x", " - PCI: keystone: Fix NULL 
pointer dereference in case of DT error in", " ks_pcie_setup_rc_app_regs()", " - PCI: rcar: Demote WARN() to dev_warn_ratelimited() in rcar_pcie_wakeup()", " - scsi: ufs: mcq: Fix missing argument 'hba' in MCQ_OPR_OFFSET_n", " - clk: qcom: gcc-sc7280: Update force mem core bit for UFS ICE clock", " - clk: qcom: camcc-sc7280: Add parent dependency to all camera GDSCs", " - iio: frequency: adrf6780: rm clk provider include", " - coresight: Fix ref leak when of_coresight_parse_endpoint() fails", " - RDMA/mlx5: Set mkeys for dmabuf at PAGE_SIZE", " - ASoc: tas2781: Enable RCA-based playback without DSP firmware download", " - ASoC: cs35l56: Accept values greater than 0 as IRQ numbers", " - usb: typec-mux: nb7vpq904m: unregister typec switch on probe error and", " remove", " - RDMA/cache: Release GID table even if leak is detected", " - clk: qcom: gpucc-sm8350: Park RCG's clk source at XO during disable", " - clk: qcom: gcc-sa8775p: Update the GDSC wait_val fields and flags", " - clk: qcom: gpucc-sa8775p: Remove the CLK_IS_CRITICAL and ALWAYS_ON flags", " - clk: qcom: gpucc-sa8775p: Park RCG's clk source at XO during disable", " - clk: qcom: gpucc-sa8775p: Update wait_val fields for GPU GDSC's", " - interconnect: qcom: qcm2290: Fix mas_snoc_bimc RPM master ID", " - Input: qt1050 - handle CHIP_ID reading error", " - RDMA/mlx4: Fix truncated output warning in mad.c", " - RDMA/mlx4: Fix truncated output warning in alias_GUID.c", " - RDMA/mlx5: Use sq timestamp as QP timestamp when RoCE is disabled", " - RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs", " - ASoC: qcom: Adjust issues in case of DT error in", " asoc_qcom_lpass_cpu_platform_probe()", " - scsi: lpfc: Fix a possible null pointer dereference", " - hwrng: core - Fix wrong quality calculation at hw rng registration", " - powerpc/prom: Add CPU info to hardware description string later", " - ASoC: max98088: Check for clk_prepare_enable() error", " - mtd: make mtd_test.c a separate module", " - RDMA/device: Return 
error earlier if port in not valid", " - Input: elan_i2c - do not leave interrupt disabled on suspend failure", " - ASoC: amd: Adjust error handling in case of absent codec device", " - PCI: endpoint: Clean up error handling in vpci_scan_bus()", " - PCI: endpoint: Fix error handling in epf_ntb_epc_cleanup()", " - vhost/vsock: always initialize seqpacket_allow", " - net: missing check virtio", " - nvmem: rockchip-otp: set add_legacy_fixed_of_cells config option", " - crypto: qat - extend scope of lock in adf_cfg_add_key_value_param()", " - clk: qcom: kpss-xcc: Return of_clk_add_hw_provider to transfer the error", " - clk: qcom: Park shared RCGs upon registration", " - clk: en7523: fix rate divider for slic and spi clocks", " - MIPS: Octeron: remove source file executable bit", " - PCI: qcom-ep: Disable resources unconditionally during PERST# assert", " - PCI: dwc: Fix index 0 incorrectly being interpreted as a free ATU slot", " - powerpc/xmon: Fix disassembly CPU feature checks", " - macintosh/therm_windtunnel: fix module unload.", " - RDMA/hns: Check atomic wr length", " - RDMA/hns: Fix unmatch exception handling when init eq table fails", " - RDMA/hns: Fix missing pagesize and alignment check in FRMR", " - RDMA/hns: Fix shift-out-bounds when max_inline_data is 0", " - RDMA/hns: Fix undifined behavior caused by invalid max_sge", " - RDMA/hns: Fix insufficient extend DB for VFs.", " - iommu/vt-d: Fix identity map bounds in si_domain_init()", " - RDMA/core: Remove NULL check before dev_{put, hold}", " - RDMA: Fix netdev tracker in ib_device_set_netdev", " - bnxt_re: Fix imm_data endianness", " - netfilter: ctnetlink: use helper function to calculate expect ID", " - netfilter: nf_set_pipapo: fix initial map fill", " - ipvs: properly dereference pe in ip_vs_add_service", " - gve: Fix XDP TX completion handling when counters overflow", " - net: flow_dissector: use DEBUG_NET_WARN_ON_ONCE", " - ipv4: Fix incorrect TOS in route get reply", " - ipv4: Fix incorrect TOS in 
fibmatch route get reply", " - net: dsa: mv88e6xxx: Limit chip-wide frame size config to CPU ports", " - net: dsa: b53: Limit chip-wide jumbo frame config to CPU ports", " - fs/ntfs3: Merge synonym COMPRESSION_UNIT and NTFS_LZNT_CUNIT", " - fs/ntfs3: Fix transform resident to nonresident for compressed files", " - fs/ntfs3: Deny getting attr data block in compressed frame", " - fs/ntfs3: Missed NI_FLAG_UPDATE_PARENT setting", " - fs/ntfs3: Fix getting file type", " - fs/ntfs3: Add missing .dirty_folio in address_space_operations", " - pinctrl: rockchip: update rk3308 iomux routes", " - pinctrl: core: fix possible memory leak when pinctrl_enable() fails", " - pinctrl: single: fix possible memory leak when pinctrl_enable() fails", " - pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable()", " fails", " - pinctrl: freescale: mxs: Fix refcount of child", " - fs/ntfs3: Replace inode_trylock with inode_lock", " - fs/ntfs3: Correct undo if ntfs_create_inode failed", " - fs/ntfs3: Drop stray '\\' (backslash) in formatting string", " - fs/ntfs3: Fix field-spanning write in INDEX_HDR", " - pinctrl: renesas: r8a779g0: Fix CANFD5 suffix", " - pinctrl: renesas: r8a779g0: Fix FXR_TXEN[AB] suffixes", " - pinctrl: renesas: r8a779g0: Fix (H)SCIF1 suffixes", " - pinctrl: renesas: r8a779g0: Fix (H)SCIF3 suffixes", " - pinctrl: renesas: r8a779g0: Fix IRQ suffixes", " - pinctrl: renesas: r8a779g0: FIX PWM suffixes", " - pinctrl: renesas: r8a779g0: Fix TCLK suffixes", " - pinctrl: renesas: r8a779g0: Fix TPU suffixes", " - fs/proc/task_mmu: indicate PM_FILE for PMD-mapped file THP", " - fs/proc/task_mmu.c: add_to_pagemap: remove useless parameter addr", " - fs/proc/task_mmu: don't indicate PM_MMAP_EXCLUSIVE without PM_PRESENT", " - fs/proc/task_mmu: properly detect PM_MMAP_EXCLUSIVE per page of PMD-mapped", " THPs", " - nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro", " - rtc: interface: Add RTC offset to alarm after fix-up", " - fs/ntfs3: Fix the format of the 
\"nocase\" mount option", " - fs/ntfs3: Missed error return", " - fs/ntfs3: Keep runs for $MFT::$ATTR_DATA and $MFT::$ATTR_BITMAP", " - powerpc/8xx: fix size given to set_huge_pte_at()", " - s390/dasd: fix error checks in dasd_copy_pair_store()", " - sbitmap: use READ_ONCE to access map->word", " - sbitmap: fix io hung due to race on sbitmap_word::cleared", " - LoongArch: Check TIF_LOAD_WATCH to enable user space watchpoint", " - landlock: Don't lose track of restrictions on cred_transfer", " - hugetlb: force allocating surplus hugepages on mempolicy allowed nodes", " - mm/hugetlb: fix possible recursive locking detected warning", " - mm/mglru: fix div-by-zero in vmpressure_calc_level()", " - mm: mmap_lock: replace get_memcg_path_buf() with on-stack buffer", " - mm/mglru: fix overshooting shrinker memory", " - x86/efistub: Avoid returning EFI_SUCCESS on error", " - x86/efistub: Revert to heap allocated boot_params for PE entrypoint", " - exfat: fix potential deadlock on __exfat_get_dentry_set", " - dt-bindings: thermal: correct thermal zone node name limit", " - tick/broadcast: Make takeover of broadcast hrtimer reliable", " - net: netconsole: Disable target before netpoll cleanup", " - af_packet: Handle outgoing VLAN packets without hardware offloading", " - btrfs: fix extent map use-after-free when adding pages to compressed bio", " - kernel: rerun task_work while freezing in get_signal()", " - ipv4: fix source address selection with route leak", " - ipv6: take care of scope when choosing the src addr", " - NFSD: Support write delegations in LAYOUTGET", " - sched/fair: set_load_weight() must also call reweight_task() for SCHED_IDLE", " tasks", " - fuse: verify {g,u}id mount options correctly", " - ata: libata-scsi: Fix offsets for the fixed format sense data", " - char: tpm: Fix possible memory leak in tpm_bios_measurements_open()", " - media: venus: fix use after free in vdec_close", " - ata: libata-scsi: Do not overwrite valid sense data when CK_COND=1", " - 
hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()", " - ext2: Verify bitmap and itable block numbers before using them", " - io_uring/io-wq: limit retrying worker initialisation", " - drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes", " - drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes", " - scsi: qla2xxx: Fix optrom version displayed in FDMI", " - drm/amd/display: Check for NULL pointer", " - apparmor: use kvfree_sensitive to free data->data", " - cifs: fix potential null pointer use in destroy_workqueue in init_cifs error", " path", " - cifs: fix reconnect with SMB1 UNIX Extensions", " - cifs: mount with \"unix\" mount option for SMB1 incorrectly handled", " - task_work: s/task_work_cancel()/task_work_cancel_func()/", " - task_work: Introduce task_work_cancel() again", " - udf: Avoid using corrupted block bitmap buffer", " - m68k: amiga: Turn off Warp1260 interrupts during boot", " - ext4: check dot and dotdot of dx_root before making dir indexed", " - ext4: make sure the first directory block is not a hole", " - io_uring: tighten task exit cancellations", " - trace/pid_list: Change gfp flags in pid_list_fill_irq()", " - selftests/landlock: Add cred_transfer test", " - wifi: mwifiex: Fix interface type change", " - wifi: rtw88: usb: Fix disconnection after beacon loss", " - drivers: soc: xilinx: check return status of get_api_version()", " - leds: ss4200: Convert PCIBIOS_* return codes to errnos", " - leds: mt6360: Fix memory leak in mt6360_init_isnk_properties()", " - media: imx-pxp: Fix ERR_PTR dereference in pxp_probe()", " - jbd2: make jbd2_journal_get_max_txn_bufs() internal", " - jbd2: precompute number of transaction descriptor blocks", " - jbd2: avoid infinite transaction commit loop", " - media: uvcvideo: Fix integer overflow calculating timestamp", " - KVM: VMX: Split out the non-virtualization part of vmx_interrupt_blocked()", " - KVM: nVMX: Request immediate exit iff pending nested event 
needs injection", " - ALSA: ump: Don't update FB name for static blocks", " - ALSA: ump: Force 1 Group for MIDI1 FBs", " - ALSA: usb-audio: Fix microphone sound on HD webcam.", " - ALSA: usb-audio: Move HD Webcam quirk to the right place", " - ALSA: usb-audio: Add a quirk for Sonix HD USB Camera", " - tools/memory-model: Fix bug in lock.cat", " - hwrng: amd - Convert PCIBIOS_* return codes to errnos", " - parisc: Fix warning at drivers/pci/msi/msi.h:121", " - PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN", " - PCI: dw-rockchip: Fix initial PERST# GPIO value", " - PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio", " - PCI: loongson: Enable MSI in LS7A Root Complex", " - binder: fix hang of unregistered readers", " - hostfs: fix dev_t handling", " - efi/libstub: Zero initialize heap allocated struct screen_info", " - fs/ntfs3: Update log->page_{mask,bits} if log->page_size changed", " - scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds", " - ASoC: fsl: fsl_qmc_audio: Check devm_kasprintf() returned value", " - f2fs: fix to force buffered IO on inline_data inode", " - f2fs: fix to don't dirty inode for readonly filesystem", " - f2fs: fix return value of f2fs_convert_inline_inode()", " - f2fs: use meta inode for GC of atomic file", " - f2fs: use meta inode for GC of COW file", " - clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use", " - ubi: eba: properly rollback inside self_check_eba", " - block: fix deadlock between sd_remove & sd_release", " - mm: fix old/young bit handling in the faulting path", " - decompress_bunzip2: fix rare decompression failure", " - kbuild: Fix '-S -c' in x86 stack protector scripts", " - ASoC: SOF: ipc4-topology: Preserve the DMA Link ID for ChainDMA on unprepare", " - ASoC: amd: yc: Support mic on Lenovo Thinkpad E16 Gen 2", " - kobject_uevent: Fix OOB access within zap_modalias_env()", " - gve: Fix an edge case for TSO skb validity check", " - ice: Add a per-VF limit on 
number of FDIR filters", " - devres: Fix devm_krealloc() wasting memory", " - devres: Fix memory leakage caused by driver API devm_free_percpu()", " - irqdomain: Fixed unbalanced fwnode get and put", " - irqchip/imx-irqsteer: Handle runtime power management correctly", " - mm/numa_balancing: teach mpol_to_str about the balancing mode", " - rtc: cmos: Fix return value of nvmem callbacks", " - scsi: lpfc: Allow DEVICE_RECOVERY mode after RSCN receipt if in PRLI_ISSUE", " state", " - scsi: qla2xxx: During vport delete send async logout explicitly", " - scsi: qla2xxx: Unable to act on RSCN for port online", " - scsi: qla2xxx: Fix for possible memory corruption", " - scsi: qla2xxx: Use QP lock to search for bsg", " - scsi: qla2xxx: Reduce fabric scan duplicate code", " - scsi: qla2xxx: Fix flash read failure", " - scsi: qla2xxx: Complete command early within lock", " - scsi: qla2xxx: validate nvme_local_port correctly", " - perf: Fix event leak upon exit", " - perf: Fix event leak upon exec and file release", " - perf stat: Fix the hard-coded metrics calculation on the hybrid", " - perf/x86/intel/uncore: Fix the bits of the CHA extended umask for SPR", " - perf/x86/intel/ds: Fix non 0 retire latency on Raptorlake", " - perf/x86/intel/pt: Fix topa_entry base length", " - perf/x86/intel/pt: Fix a topa_entry base address calculation", " - drm/i915/gt: Do not consider preemption during execlists_dequeue for gen8", " - drm/amdgpu/sdma5.2: Update wptr registers as well as doorbell", " - drm/udl: Remove DRM_CONNECTOR_POLL_HPD", " - drm/dp_mst: Fix all mstb marked as not probed after suspend/resume", " - drm/amdgpu: reset vm state machine after gpu reset(vram lost)", " - drm/amd/amdgpu: Fix uninitialized variable warnings", " - drm/i915/dp: Reset intel_dp->link_trained before retraining the link", " - drm/i915/dp: Don't switch the LTTPR mode on an active link", " - rtc: isl1208: Fix return value of nvmem callbacks", " - rtc: abx80x: Fix return value of nvmem callback on read", 
" - watchdog/perf: properly initialize the turbo mode timestamp and rearm", " counter", " - platform: mips: cpu_hwmon: Disable driver on unsupported hardware", " - RDMA/iwcm: Fix a use-after-free related to destroying CM IDs", " - selftests/sigaltstack: Fix ppc64 GCC build", " - dm-verity: fix dm_is_verity_target() when dm-verity is builtin", " - rbd: don't assume rbd_is_lock_owner() for exclusive mappings", " - remoteproc: stm32_rproc: Fix mailbox interrupts queuing", " - remoteproc: imx_rproc: Skip over memory region when node value is NULL", " - remoteproc: imx_rproc: Fix refcount mistake in imx_rproc_addr_init", " - MIPS: dts: loongson: Add ISA node", " - MIPS: ip30: ip30-console: Add missing include", " - MIPS: dts: loongson: Fix GMAC phy node", " - MIPS: Loongson64: env: Hook up Loongsson-2K", " - MIPS: Loongson64: Remove memory node for builtin-dtb", " - MIPS: Loongson64: reset: Prioritise firmware service", " - MIPS: Loongson64: Test register availability before use", " - drm/etnaviv: don't block scheduler when GPU is still active", " - drm/panfrost: Mark simple_ondemand governor as softdep", " - rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait", " - rbd: don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings", " - lib/build_OID_registry: don't mention the full path of the script in output", " - video: logo: Drop full path of the input filename in generated file", " - Bluetooth: btusb: Add RTL8852BE device 0489:e125 to device tables", " - Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591", " - minmax: scsi: fix mis-use of 'clamp()' in sr.c", " - mm/mglru: fix ineffective protection calculation", " - PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal", " - f2fs: fix to truncate preallocated blocks in f2fs_file_open()", " - kdb: address -Wformat-security warnings", " - kdb: Use the passed prompt in kdb_position_cursor()", " - dmaengine: ti: k3-udma: Fix BCHAN count with UHC and HC channels", " - phy: cadence-torrent: Check 
return value on register read", " - phy: zynqmp: Enable reference clock correctly", " - um: time-travel: fix time-travel-start option", " - um: time-travel: fix signal blocking race/hang", " - f2fs: fix start segno of large section", " - watchdog: rzg2l_wdt: Use pm_runtime_resume_and_get()", " - watchdog: rzg2l_wdt: Check return status of pm_runtime_put()", " - f2fs: fix to update user block counts in block_operations()", " - kbuild: avoid build error when single DTB is turned into composite DTB", " - selftests/bpf: fexit_sleep: Fix stack allocation for arm64", " - libbpf: Fix no-args func prototype BTF dumping syntax", " - af_unix: Disable MSG_OOB handling for sockets in sockmap/sockhash", " - dma: fix call order in dmam_free_coherent", " - bpf, events: Use prog to emit ksymbol event for main program", " - tools/resolve_btfids: Fix comparison of distinct pointer types warning in", " resolve_btfids", " - MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later", " - ipv4: Fix incorrect source address in Record Route option", " - net: bonding: correctly annotate RCU in bond_should_notify_peers()", " - ice: Fix recipe read procedure", " - netfilter: nft_set_pipapo_avx2: disable softinterrupts", " - net: stmmac: Correct byte order of perfect_match", " - net: nexthop: Initialize all fields in dumped nexthops", " - bpf: Fix a segment issue when downgrading gso_size", " - apparmor: Fix null pointer deref when receiving skb during sock creation", " - powerpc: fix a file leak in kvm_vcpu_ioctl_enable_cap()", " - lirc: rc_dev_get_from_fd(): fix file leak", " - auxdisplay: ht16k33: Drop reference after LED registration", " - ASoC: SOF: imx8m: Fix DSP control regmap retrieval", " - spi: microchip-core: fix the issues in the isr", " - spi: microchip-core: defer asserting chip select until just before write to", " TX FIFO", " - spi: microchip-core: only disable SPI controller when register value change", " requires it", " - spi: microchip-core: fix init function not 
setting the master and motorola", " modes", " - spi: microchip-core: ensure TX and RX FIFOs are empty at start of a transfer", " - nvme-pci: Fix the instructions for disabling power management", " - ASoC: sof: amd: fix for firmware reload failure in Vangogh platform", " - spi: spidev: add correct compatible for Rohm BH2228FV", " - ASoC: Intel: use soc_intel_is_byt_cr() only when IOSF_MBI is reachable", " - ASoC: TAS2781: Fix tasdev_load_calibrated_data()", " - ceph: fix incorrect kmalloc size of pagevec mempool", " - s390/pci: Refactor arch_setup_msi_irqs()", " - s390/pci: Allow allocation of more than 1 MSI interrupt", " - s390/cpum_cf: Fix endless loop in CF_DIAG event stop", " - iommu: sprd: Avoid NULL deref in sprd_iommu_hw_en", " - io_uring: fix io_match_task must_hold", " - nvme-pci: add missing condition check for existence of mapped data", " - fs: don't allow non-init s_user_ns for filesystems without FS_USERNS_MOUNT", " - md/raid0: don't free conf on raid0_run failure", " - md/raid1: don't free conf on raid0_run failure", " - io_uring: Fix probe of disabled operations", " - cgroup/cpuset: Optimize isolated partition only generate_sched_domains()", " calls", " - cgroup/cpuset: Fix remote root partition creation problem", " - x86/syscall: Mark exit[_group] syscall handlers __noreturn", " - perf: arm_pmuv3: Avoid assigning fixed cycle counter with threshold", " - md/raid5: recheck if reshape has finished with device_lock held", " - hwmon: (ltc2991) re-order conditions to fix off by one bug", " - arm64: smp: Fix missing IPI statistics", " - arm64: dts: qcom: sc7280: Remove CTS/RTS configuration", " - ARM: dts: qcom: msm8226-microsoft-common: Enable smbb explicitly", " - OPP: Fix missing cleanup on error in _opp_attach_genpd()", " - arm64: dts: qcom: sc8280xp-*: Remove thermal zone polling delays", " - arm64: dts: ti: k3-am62-main: Fix the reg-range for main_pktdma", " - arm64: dts: ti: k3-am62a-main: Fix the reg-range for main_pktdma", " - arm64: dts: ti: 
k3-am62p-main: Fix the reg-range for main_pktdma", " - arm64: dts: ti: k3-am62a7: Drop McASP AFIFOs", " - arm64: dts: ti: k3-am62p5: Drop McASP AFIFOs", " - arm64: dts: ti: k3-am62p5-sk: Fix pinmux for McASP1 TX", " - arm64: dts: qcom: sc7180-trogdor: Disable pwmleds node where unused", " - arm64: dts: mediatek: mt8192: Fix GPU thermal zone name for SVS", " - arm64: dts: mediatek: mt8183-pico6: Fix wake-on-X event node names", " - arm64: dts: renesas: r9a08g045: Add missing hypervisor virtual timer IRQ", " - cpufreq/amd-pstate-ut: Convert nominal_freq to khz during comparisons", " - wifi: mac80211: cancel multi-link reconf work on disconnect", " - wifi: ath11k: refactor setting country code logic", " - wifi: ath11k: restore country code during resume", " - net: ethernet: cortina: Restore TSO support", " - tcp: fix races in tcp_abort()", " - hns3: avoid linking objects into multiple modules", " - sched/core: Move preempt_model_*() helpers from sched.h to preempt.h", " - sched/core: Drop spinlocks on contention iff kernel is preemptible", " - net: dsa: ksz_common: Allow only up to two HSR HW offloaded ports for", " KSZ9477", " - libbpf: Skip base btf sanity checks", " - wifi: mac80211: add ieee80211_tdls_sta_link_id()", " - wifi: iwlwifi: fix iwl_mvm_get_valid_rx_ant()", " - wifi: ath12k: advertise driver capabilities for MBSSID and EMA", " - riscv, bpf: Fix out-of-bounds issue when preparing trampoline image", " - perf/x86/amd/uncore: Avoid PMU registration if counters are unavailable", " - perf/x86/amd/uncore: Fix DF and UMC domain identification", " - NFSD: Fix nfsdcld warning", " - net: page_pool: fix warning code", " - bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG", " - Bluetooth: hci_event: Set QoS encryption from BIGInfo report", " - Bluetooth: hci_core, hci_sync: cleanup struct discovery_state", " - Bluetooth: Fix usage of __hci_cmd_sync_status", " - tcp: Don't access uninit tcp_rsk(req)->ao_keyid in", " tcp_create_openreq_child().", " - drm/panel: 
ilitek-ili9882t: If prepare fails, disable GPIO before regulators", " - drm/panel: ilitek-ili9882t: Check for errors on the NOP in prepare()", " - drm/amd/display: Move 'struct scaler_data' off stack", " - media: i2c: hi846: Fix V4L2_SUBDEV_FORMAT_TRY get_selection()", " - drm/msm/dpu: fix encoder irq wait skip", " - drm/msm/dpu: drop duplicate drm formats from wb2_formats arrays", " - drm/msm/dp: fix runtime_pm handling in dp_wait_hpd_asserted", " - perf maps: Switch from rbtree to lazily sorted array for addresses", " - perf maps: Fix use after free in __maps__fixup_overlap_and_insert", " - drm/bridge: samsung-dsim: Set P divider based on min/max of fin pll", " - drm/i915/psr: Print Panel Replay status instead of frame lock status", " - drm/mediatek: Set DRM mode configs accordingly", " - drm/msm/dsi: set video mode widebus enable bit when widebus is enabled", " - tools/perf: Fix the string match for \"/tmp/perf-$PID.map\" files in dso__load", " - drm/amd/display: Add null check before access structs", " - nfs: pass explicit offset/count to trace events", " - PCI: endpoint: pci-epf-test: Make use of cached 'epc_features' in", " pci_epf_test_core_init()", " - PCI: tegra194: Set EP alignment restriction for inbound ATU", " - riscv: smp: fail booting up smp if inconsistent vlen is detected", " - clk: meson: s4: fix fixed_pll_dco clock", " - clk: meson: s4: fix pwm_j_div parent clock", " - usb: typec-mux: ptn36502: unregister typec switch on probe error and remove", " - mtd: spi-nor: winbond: fix w25q128 regression", " - iommufd/selftest: Fix dirty bitmap tests with u8 bitmaps", " - iommufd/selftest: Fix iommufd_test_dirty() to handle ", "date": "Tue, 26 Nov 2024 13:53:36 +0100" } ], "notes": "linux-riscv-headers-6.8.0-51 version '6.8.0-51.52.1' (source package linux-riscv version '6.8.0-51.52.1') was added. linux-riscv-headers-6.8.0-51 version '6.8.0-51.52.1' has the same source package name, linux-riscv, as removed package linux-headers-6.8.0-49-generic. 
As such we can use the source package version of the removed package, '6.8.0-49.49.1', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." } ], "snap": [] }, "removed": { "deb": [ { "name": "linux-headers-6.8.0-49-generic", "from_version": { "source_package_name": "linux-riscv", "source_package_version": "6.8.0-49.49.1", "version": "6.8.0-49.49.1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-image-6.8.0-49-generic", "from_version": { "source_package_name": "linux-riscv", "source_package_version": "6.8.0-49.49.1", "version": "6.8.0-49.49.1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-modules-6.8.0-49-generic", "from_version": { "source_package_name": "linux-riscv", "source_package_version": "6.8.0-49.49.1", "version": "6.8.0-49.49.1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-riscv-headers-6.8.0-49", "from_version": { "source_package_name": "linux-riscv", "source_package_version": "6.8.0-49.49.1", "version": "6.8.0-49.49.1" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 24.04 noble image from release image serial 20241119 to 20250108", "from_series": "noble", "to_series": "noble", "from_serial": "20241119", 
"to_serial": "20250108", "from_manifest_filename": "release_manifest.previous", "to_manifest_filename": "manifest.current" }