[ubuntu/focal-security] linux-gke 5.4.0-1105.112 (Accepted)

Andy Whitcroft apw at canonical.com
Mon Aug 28 10:01:30 UTC 2023


linux-gke (5.4.0-1105.112) focal; urgency=medium

  * focal/linux-gke: 5.4.0-1105.112 -proposed tracker (LP: #2026564)

  * Packaging resync (LP: #1786013)
    - [Packaging] resync update-dkms-versions helper
    - [Packaging] resync getabis

  [ Ubuntu: 5.4.0-156.173 ]

  * focal/linux: 5.4.0-156.173 -proposed tracker (LP: #2026585)
  * CVE-2023-3390
    - netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE
  * Focal update: v5.4.241 upstream stable release (LP: #2023930)
    - scsi: ses: Handle enclosure with just a primary component gracefully
    - x86/PCI: Add quirk for AMD XHCI controller that loses MSI-X state in D3hot
    - cgroup/cpuset: Wake up cpuset_attach_wq tasks in cpuset_cancel_attach()
    - treewide: Replace DECLARE_TASKLET() with DECLARE_TASKLET_OLD()
    - smb3: fix problem with null cifs super block with previous patch
    - pinctrl: amd: Use irqchip template
    - pinctrl: amd: disable and mask interrupts on probe
    - pinctrl: amd: Disable and mask interrupts on resume
    - pwm: cros-ec: Explicitly set .polarity in .get_state()
    - pwm: sprd: Explicitly set .polarity in .get_state()
    - wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded
      sta
    - icmp: guard against too small mtu
    - net: don't let netpoll invoke NAPI if in xmit context
    - sctp: check send stream number after wait_for_sndbuf
    - ipv6: Fix an uninit variable access bug in __ip6_make_skb()
    - gpio: davinci: Add irq chip flag to skip set wake
    - sunrpc: only free unix grouplist after RCU settles
    - NFSD: callback request does not use correct credential for AUTH_SYS
    - xhci: also avoid the XHCI_ZERO_64B_REGS quirk with a passthrough iommu
    - USB: serial: cp210x: add Silicon Labs IFS-USB-DATACABLE IDs
    - usb: typec: altmodes/displayport: Fix configure initial pin assignment
    - USB: serial: option: add Telit FE990 compositions
    - USB: serial: option: add Quectel RM500U-CN modem
    - iio: adc: ti-ads7950: Set `can_sleep` flag for GPIO chip
    - iio: dac: cio-dac: Fix max DAC write value check for 12-bit
    - tty: serial: sh-sci: Fix transmit end interrupt handler
    - tty: serial: sh-sci: Fix Rx on RZ/G2L SCI
    - tty: serial: fsl_lpuart: avoid checking for transfer complete when
      UARTCTRL_SBK is asserted in lpuart32_tx_empty
    - nilfs2: fix potential UAF of struct nilfs_sc_info in nilfs_segctor_thread()
    - nilfs2: fix sysfs interface lifetime
    - ALSA: hda/realtek: Add quirk for Clevo X370SNW
    - perf/core: Fix the same task check in perf_event_set_output
    - ftrace: Mark get_lock_parent_ip() __always_inline
    - can: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access
    - tracing: Free error logs of tracing instances
    - net_sched: prevent NULL dereference if default qdisc setup failed
    - drm/panfrost: Fix the panfrost_mmu_map_fault_addr() error path
    - ring-buffer: Fix race while reader and writer are on the same page
    - mm/swap: fix swap_info_struct race between swapoff and get_swap_pages()
    - irqdomain: Look for existing mapping only once
    - irqdomain: Refactor __irq_domain_alloc_irqs()
    - irqdomain: Fix mapping-creation race
    - Revert "pinctrl: amd: Disable and mask interrupts on resume"
    - ALSA: emu10k1: fix capture interrupt handler unlinking
    - ALSA: hda/sigmatel: add pin overrides for Intel DP45SG motherboard
    - ALSA: i2c/cs8427: fix iec958 mixer control deactivation
    - ALSA: firewire-tascam: add missing unwind goto in
      snd_tscm_stream_start_duplex()
    - ALSA: hda/sigmatel: fix S/PDIF out on Intel D*45* motherboards
    - Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}
    - Bluetooth: Fix race condition in hidp_session_thread
    - btrfs: print checksum type and implementation at mount time
    - btrfs: fix fast csum implementation detection
    - mtdblock: tolerate corrected bit-flips
    - mtd: rawnand: meson: fix bitmask for length in command word
    - mtd: rawnand: stm32_fmc2: remove unsupported EDO mode
    - niu: Fix missing unwind goto in niu_alloc_channels()
    - qlcnic: check pci_reset_function result
    - sctp: fix a potential overflow in sctp_ifwdtsn_skip
    - RDMA/core: Fix GID entry ref leak when create_ah fails
    - udp6: fix potential access to stale information
    - net: macb: fix a memory corruption in extended buffer descriptor mode
    - power: supply: cros_usbpd: reclassify "default case!" as debug
    - i2c: imx-lpi2c: clean rx/tx buffers upon new message
    - efi: sysfb_efi: Add quirk for Lenovo Yoga Book X91F/L
    - drm: panel-orientation-quirks: Add quirk for Lenovo Yoga Book X90F
    - verify_pefile: relax wrapper length check
    - asymmetric_keys: log on fatal failures in PE/pkcs7
    - ubi: Fix failure attaching when vid_hdr offset equals to (sub)page size
    - mtd: ubi: wl: Fix a couple of kernel-doc issues
    - ubi: Fix deadlock caused by recursively holding work_sem
    - i2c: ocores: generate stop condition after timeout in polling mode
    - watchdog: sbsa_wdog: Make sure the timeout programming is within the limits
    - coresight-etm4: Fix for() loop drvdata->nr_addr_cmp range bug
    - xfs: show the proper user quota options
    - xfs: remove the kuid/kgid conversion wrappers
    - xfs: add a new xfs_sb_version_has_v3inode helper
    - xfs: only check the superblock version for dinode size calculation
    - xfs: simplify di_flags2 inheritance in xfs_ialloc
    - xfs: simplify a check in xfs_ioctl_setattr_check_cowextsize
    - xfs: remove the di_version field from struct icdinode
    - xfs: set inode size after creating symlink
    - xfs: report corruption only as a regular error
    - xfs: shut down the filesystem if we screw up quota reservation
    - xfs: consider shutdown in bmapbt cursor delete assert
    - xfs: don't reuse busy extents on extent trim
    - xfs: force log and push AIL to clear pinned inodes when aborting mount
    - Linux 5.4.241
  * [UBUNTU 20.04] [HPS] Kernel panic with "refcount_t: underflow" in mlx5
    driver (LP: #2019011)
    - net/mlx5: cmdif, Avoid skipping reclaim pages if FW is not accessible
    - net/mlx5: Fix handling of entry refcount when command is not issued to FW
  * Disable hv-kvp-daemon if /dev/vmbus/hv_kvp is not present (LP: #2024900)
    - [Packaging] disable hv-kvp-daemon if needed
  * CVE-2023-35001
    - netfilter: nf_tables: prevent OOB access in nft_byteorder_eval
  * CVE-2023-32629
    - ovl: adhere to the vfs_ vs. ovl_do_ conventions for xattrs
  * CVE-2023-3141
    - memstick: r592: Fix UAF bug in r592_remove due to race condition
  * CVE-2023-3111
    - btrfs: check return value of btrfs_commit_transaction in relocation
    - btrfs: unset reloc control if transaction commit fails in
      prepare_to_relocate()
  * CVE-2023-3090
    - ipvlan:Fix out-of-bounds caused by unclear skb->cb
  * CVE-2023-1611
    - btrfs: fix race between quota disable and quota assign ioctls
  * CVE-2022-0168
    - cifs: move some variables off the stack in smb2_ioctl_query_info
    - cifs: prevent bad output lengths in smb2_ioctl_query_info()
    - cifs: fix NULL ptr dereference in smb2_ioctl_query_info()
  * CVE-2022-27672
    - x86/speculation: Identify processors vulnerable to SMT RSB predictions
    - KVM: x86: Mitigate the cross-thread return address predictions bug
    - Documentation/hw-vuln: Add documentation for Cross-Thread Return Predictions
  * Severe NFS performance degradation after LP #2003053 (LP: #2022098)
    - SAUCE: Make NFS file-access stale cache behaviour opt-in
  * Encountering an issue with memcpy_fromio causing failed boot of SEV-enabled
    guest (LP: #2020319)
    - x86/sev: Unroll string mmio with CC_ATTR_GUEST_UNROLL_STRING_IO
  * Focal update: v5.4.240 upstream stable release (LP: #2023601)
    - net: tls: fix possible race condition between do_tls_getsockopt_conf() and
      do_tls_setsockopt_conf()
    - power: supply: da9150: Fix use after free bug in da9150_charger_remove due
      to race condition
    - iavf: fix inverted Rx hash condition leading to disabled hash
    - iavf: fix non-tunneled IPv6 UDP packet type and hashing
    - intel/igbvf: free irq on the error path in igbvf_request_msix()
    - igbvf: Regard vf reset nack as success
    - i2c: imx-lpi2c: check only for enabled interrupt flags
    - scsi: scsi_dh_alua: Fix memleak for 'qdata' in alua_activate()
    - net: usb: smsc95xx: Limit packet length to skb->len
    - qed/qed_sriov: guard against NULL derefs from qed_iov_get_vf_info
    - net: qcom/emac: Fix use after free bug in emac_remove due to race condition
    - net/ps3_gelic_net: Fix RX sk_buff length
    - net/ps3_gelic_net: Use dma_mapping_error
    - keys: Do not cache key in task struct if key is requested from kernel thread
    - bpf: Adjust insufficient default bpf_jit_limit
    - net/mlx5: Read the TC mapping of all priorities on ETS query
    - atm: idt77252: fix kmemleak when rmmod idt77252
    - erspan: do not use skb_mac_header() in ndo_start_xmit()
    - net/sonic: use dma_mapping_error() for error check
    - nvme-tcp: fix nvme_tcp_term_pdu to match spec
    - hvc/xen: prevent concurrent accesses to the shared ring
    - net: mdio: thunder: Add missing fwnode_handle_put()
    - Bluetooth: btqcomsmd: Fix command timeout after setting BD address
    - platform/chrome: cros_ec_chardev: fix kernel data leak from ioctl
    - hwmon (it87): Fix voltage scaling for chips with 10.9mV ADCs
    - scsi: qla2xxx: Perform lockless command completion in abort path
    - uas: Add US_FL_NO_REPORT_OPCODES for JMicron JMS583Gen 2
    - thunderbolt: Use const qualifier for `ring_interrupt_index`
    - riscv: Bump COMMAND_LINE_SIZE value to 1024
    - ca8210: fix mac_len negative array access
    - m68k: Only force 030 bus error if PC not in exception table
    - selftests/bpf: check that modifier resolves after pointer
    - scsi: target: iscsi: Fix an error message in iscsi_check_key()
    - scsi: ufs: core: Add soft dependency on governor_simpleondemand
    - scsi: lpfc: Avoid usage of list iterator variable after loop
    - net: usb: cdc_mbim: avoid altsetting toggling for Telit FE990
    - net: usb: qmi_wwan: add Telit 0x1080 composition
    - sh: sanitize the flags on sigreturn
    - cifs: empty interface list when server doesn't support query interfaces
    - scsi: core: Add BLIST_SKIP_VPD_PAGES for SKhynix H28U74301AMR
    - usb: gadget: u_audio: don't let userspace block driver unbind
    - fsverity: Remove WQ_UNBOUND from fsverity read workqueue
    - igb: revert rtnl_lock() that causes deadlock
    - dm thin: fix deadlock when swapping to thin device
    - usb: cdns3: Fix issue with using incorrect PCI device function
    - usb: chipdea: core: fix return -EINVAL if request role is the same with
      current role
    - usb: chipidea: core: fix possible concurrent when switch role
    - wifi: mac80211: fix qos on mesh interfaces
    - nilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy()
    - i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer()
    - dm stats: check for and propagate alloc_percpu failure
    - dm crypt: add cond_resched() to dmcrypt_write()
    - sched/fair: sanitize vruntime of entity being placed
    - sched/fair: Sanitize vruntime of entity being migrated
    - tun: avoid double free in tun_free_netdev
    - ocfs2: fix data corruption after failed write
    - fsverity: don't drop pagecache at end of FS_IOC_ENABLE_VERITY
    - bus: imx-weim: fix branch condition evaluates to a garbage value
    - md: avoid signed overflow in slot_store()
    - ALSA: asihpi: check pao in control_message()
    - ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set()
    - fbdev: tgafb: Fix potential divide by zero
    - sched_getaffinity: don't assume 'cpumask_size()' is fully initialized
    - fbdev: nvidia: Fix potential divide by zero
    - fbdev: intelfb: Fix potential divide by zero
    - fbdev: lxfb: Fix potential divide by zero
    - fbdev: au1200fb: Fix potential divide by zero
    - ca8210: Fix unsigned mac_len comparison with zero in ca8210_skb_tx()
    - dma-mapping: drop the dev argument to arch_sync_dma_for_*
    - mips: bmips: BCM6358: disable RAC flush for TP1
    - mtd: rawnand: meson: invalidate cache on polling ECC bit
    - scsi: megaraid_sas: Fix crash after a double completion
    - ptp_qoriq: fix memory leak in probe()
    - regulator: fix spelling mistake "Cant" -> "Can't"
    - regulator: Handle deferred clk
    - net/net_failover: fix txq exceeding warning
    - can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write
    - s390/vfio-ap: fix memory leak in vfio_ap device driver
    - i40e: fix registers dump after run ethtool adapter self test
    - bnxt_en: Fix typo in PCI id to device description string mapping
    - net: dsa: mv88e6xxx: Enable IGMP snooping on user ports only
    - net: mvneta: make tx buffer array agnostic
    - pinctrl: ocelot: Fix alt mode for ocelot
    - Input: alps - fix compatibility with -funsigned-char
    - Input: focaltech - use explicitly signed char type
    - cifs: prevent infinite recursion in CIFSGetDFSRefer()
    - cifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL
    - Input: goodix - add Lenovo Yoga Book X90F to nine_bytes_report DMI table
    - xen/netback: don't do grant copy across page boundary
    - pinctrl: at91-pio4: fix domain name assignment
    - NFSv4: Fix hangs when recovering open state after a server reboot
    - ALSA: hda/conexant: Partial revert of a quirk for Lenovo
    - ALSA: usb-audio: Fix regression on detection of Roland VS-100
    - drm/etnaviv: fix reference leak when mmaping imported buffer
    - btrfs: scan device in non-exclusive mode
    - ext4: fix kernel BUG in 'ext4_write_inline_data_end()'
    - net_sched: add __rcu annotation to netdev->qdisc
    - net: sched: fix race condition in qdisc_graft()
    - firmware: arm_scmi: Fix device node validation for mailbox transport
    - gfs2: Always check inode size of inline inodes
    - Linux 5.4.240
  * Focal update: v5.4.239 upstream stable release (LP: #2023600)
    - Linux 5.4.239
  * CVE-2023-2124
    - xfs: verify buffer contents when we skip log replay
  * CVE-2020-36691
    - netlink: limit recursion depth in policy validation
  * CVE-2022-1184
    - ext4: check if directory block is within i_size
    - ext4: fix check for block being out of directory size
  * CVE-2022-4269
    - net: sched: extract qstats update code into functions
    - net: sched: don't expose action qstats to skb_tc_reinsert()
    - net/sched: act_mirred: refactor the handle of xmit
    - net: sched: remove unused tcf_result extension
    - net/sched: act_mirred: better wording on protection against excessive stack
      growth
    - act_mirred: use the backlog for nested calls to mirred ingress
  * Focal update: v5.4.238 upstream stable release (LP: #2023427)
    - ext4: fix cgroup writeback accounting with fs-layer encryption
    - xfrm: Allow transport-mode states with AF_UNSPEC selector
    - drm/panfrost: Don't sync rpm suspension after mmu flushing
    - cifs: Move the in_send statistic to __smb_send_rqst()
    - drm/meson: fix 1px pink line on GXM when scaling video overlay
    - clk: HI655X: select REGMAP instead of depending on it
    - docs: Correct missing "d_" prefix for dentry_operations member
      d_weak_revalidate
    - scsi: mpt3sas: Fix NULL pointer access in mpt3sas_transport_port_add()
    - ALSA: hda - add Intel DG1 PCI and HDMI ids
    - ALSA: hda - controller is in GPU on the DG1
    - ALSA: hda: Add Alderlake-S PCI ID and HDMI codec vid
    - ALSA: hda: Add Intel DG2 PCI ID and HDMI codec vid
    - ALSA: hda: Match only Intel devices with CONTROLLER_IN_GPU()
    - netfilter: nft_redir: correct value of inet type `.maxattrs`
    - scsi: core: Fix a comment in function scsi_host_dev_release()
    - scsi: core: Fix a procfs host directory removal regression
    - tcp: tcp_make_synack() can be called from process context
    - nfc: pn533: initialize struct pn533_out_arg properly
    - ipvlan: Make skb->skb_iif track skb->dev for l3s mode
    - i40e: Fix kernel crash during reboot when adapter is in recovery mode
    - qed/qed_dev: guard against a possible division by zero
    - net: tunnels: annotate lockless accesses to dev->needed_headroom
    - net: phy: smsc: bail out in lan87xx_read_status if genphy_read_status fails
    - nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition
    - net: usb: smsc75xx: Limit packet length to skb->len
    - nvmet: avoid potential UAF in nvmet_req_complete()
    - block: sunvdc: add check for mdesc_grab() returning NULL
    - ipv4: Fix incorrect table ID in IOCTL path
    - net: usb: smsc75xx: Move packet length check to prevent kernel panic in
      skb_pull
    - net/iucv: Fix size of interrupt data
    - ethernet: sun: add check for the mdesc_grab()
    - hwmon: (adt7475) Display smoothing attributes in correct order
    - hwmon: (adt7475) Fix masking of hysteresis registers
    - hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove due to race
      condition
    - hwmon: (ina3221) return prober error code
    - media: m5mols: fix off-by-one loop termination error
    - mmc: atmel-mci: fix race between stop command and start of next command
    - jffs2: correct logic when creating a hole in jffs2_write_begin
    - ext4: fail ext4_iget if special inode unallocated
    - ext4: fix task hung in ext4_xattr_delete_inode
    - drm/amdkfd: Fix an illegal memory access
    - sh: intc: Avoid spurious sizeof-pointer-div warning
    - ext4: fix possible double unlock when moving a directory
    - tty: serial: fsl_lpuart: skip waiting for transmission complete when
      UARTCTRL_SBK is asserted
    - interconnect: fix mem leak when freeing nodes
    - tracing: Check field value in hist_field_name()
    - tracing: Make tracepoint lockdep check actually test something
    - ftrace: Fix invalid address access in lookup_rec() when index is 0
    - fbdev: stifb: Provide valid pixelclock and add fb_check_var() checks
    - x86/mm: Fix use of uninitialized buffer in sme_enable()
    - drm/i915: Don't use stolen memory for ring buffers with LLC
    - serial: 8250_em: Fix UART port type
    - s390/ipl: add missing intersection check to ipl_report handling
    - PCI: Unify delay handling for reset and resume
    - HID: core: Provide new max_buffer_size attribute to over-ride the default
    - HID: uhid: Over-ride the default maximum data buffer value with our own
    - Linux 5.4.238
  * Focal update: v5.4.237 upstream stable release (LP: #2023420)
    - fs: prevent out-of-bounds array speculation when closing a file descriptor
    - x86/CPU/AMD: Disable XSAVES on AMD family 0x17
    - drm/connector: print max_requested_bpc in state debugfs
    - ext4: fix RENAME_WHITEOUT handling for inline directories
    - ext4: fix another off-by-one fsmap error on 1k block filesystems
    - ext4: move where set the MAY_INLINE_DATA flag is set
    - ext4: fix WARNING in ext4_update_inline_data
    - ext4: zero i_disksize when initializing the bootloader inode
    - nfc: change order inside nfc_se_io error path
    - iommu/amd: Add PCI segment support for ivrs_[ioapic/hpet/acpihid] commands
    - iommu/amd: Fix ill-formed ivrs_ioapic, ivrs_hpet and ivrs_acpihid options
    - iommu/amd: Add a length limitation for the ivrs_acpihid command-line
      parameter
    - ipmi:ssif: make ssif_i2c_send() void
    - ipmi:ssif: resend_msg() cannot fail
    - ipmi:ssif: Remove rtc_us_timer
    - ipmi:ssif: Increase the message retry time
    - ipmi:ssif: Add a timer between request retries
    - irqdomain: Change the type of 'size' in __irq_domain_add() to be consistent
    - irqdomain: Fix domain registration race
    - iommu/vt-d: Fix PASID directory pointer coherency
    - SMB3: Backup intent flag missing from some more ops
    - cifs: Fix uninitialized memory read in smb3_qfs_tcon()
    - scsi: core: Remove the /proc/scsi/${proc_name} directory earlier
    - ext4: Fix possible corruption when moving a directory
    - drm/msm/a5xx: fix setting of the CP_PREEMPT_ENABLE_LOCAL register
    - nfc: fdp: add null check of devm_kmalloc_array in
      fdp_nci_i2c_read_device_properties
    - ila: do not generate empty messages in ila_xlat_nl_cmd_get_mapping()
    - selftests: nft_nat: ensuring the listening side is up before starting the
      client
    - net: usb: lan78xx: Remove lots of set but unused 'ret' variables
    - net: lan78xx: fix accessing the LAN7800's internal phy specific registers
      from the MAC driver
    - net: caif: Fix use-after-free in cfusbl_device_notify()
    - bnxt_en: Avoid order-5 memory allocation for TPA data
    - netfilter: tproxy: fix deadlock due to missing BH disable
    - btf: fix resolving BTF_KIND_VAR after ARRAY, STRUCT, UNION, PTR
    - scsi: megaraid_sas: Update max supported LD IDs to 240
    - net/smc: fix fallback failed while sendmsg with fastopen
    - riscv: Use READ_ONCE_NOCHECK in imprecise unwinding stack mode
    - ext4: Fix deadlock during directory rename
    - MIPS: Fix a compilation issue
    - alpha: fix R_ALPHA_LITERAL reloc for large modules
    - macintosh: windfarm: Use unsigned type for 1-bit bitfields
    - PCI: Add SolidRun vendor ID
    - media: ov5640: Fix analogue gain control
    - ipmi/watchdog: replace atomic_add() and atomic_sub()
    - ipmi:watchdog: Set panic count to proper value on a panic
    - drm/i915: Don't use BAR mappings for ring buffers with LLC
    - x86, vmlinux.lds: Add RUNTIME_DISCARD_EXIT to generic DISCARDS
    - arch: fix broken BuildID for arm64 and riscv
    - powerpc/vmlinux.lds: Define RUNTIME_DISCARD_EXIT
    - powerpc/vmlinux.lds: Don't discard .rela* for relocatable builds
    - s390: define RUNTIME_DISCARD_EXIT to fix link error with GNU ld < 2.36
    - sh: define RUNTIME_DISCARD_EXIT
    - UML: define RUNTIME_DISCARD_EXIT
    - s390/dasd: add missing discipline function
    - Linux 5.4.237
  * Focal update: v5.4.236 upstream stable release (LP: #2020390)
    - staging: rtl8192e: Remove function ..dm_check_ac_dc_power calling a script
    - staging: rtl8192e: Remove call_usermodehelper starting RadioPower.sh
    - Linux 5.4.236
  * Packaging resync (LP: #1786013)
    - [Packaging] resync update-dkms-versions helper

Date: 2023-07-26 07:43:08.502656+00:00
Changed-By: Khaled El Mously <khalid.elmously at canonical.com>
Signed-By: Andy Whitcroft <apw at canonical.com>
https://launchpad.net/ubuntu/+source/linux-gke/5.4.0-1105.112
-------------- next part --------------
Sorry, changesfile not available.


More information about the Focal-changes mailing list