[ubuntu/focal-security] linux-gke 5.4.0-1105.112 (Accepted)
Andy Whitcroft
apw at canonical.com
Mon Aug 28 10:01:30 UTC 2023
linux-gke (5.4.0-1105.112) focal; urgency=medium
* focal/linux-gke: 5.4.0-1105.112 -proposed tracker (LP: #2026564)
* Packaging resync (LP: #1786013)
- [Packaging] resync update-dkms-versions helper
- [Packaging] resync getabis
[ Ubuntu: 5.4.0-156.173 ]
* focal/linux: 5.4.0-156.173 -proposed tracker (LP: #2026585)
* CVE-2023-3390
- netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE
* Focal update: v5.4.241 upstream stable release (LP: #2023930)
- scsi: ses: Handle enclosure with just a primary component gracefully
- x86/PCI: Add quirk for AMD XHCI controller that loses MSI-X state in D3hot
- cgroup/cpuset: Wake up cpuset_attach_wq tasks in cpuset_cancel_attach()
- treewide: Replace DECLARE_TASKLET() with DECLARE_TASKLET_OLD()
- smb3: fix problem with null cifs super block with previous patch
- pinctrl: amd: Use irqchip template
- pinctrl: amd: disable and mask interrupts on probe
- pinctrl: amd: Disable and mask interrupts on resume
- pwm: cros-ec: Explicitly set .polarity in .get_state()
- pwm: sprd: Explicitly set .polarity in .get_state()
- wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded
sta
- icmp: guard against too small mtu
- net: don't let netpoll invoke NAPI if in xmit context
- sctp: check send stream number after wait_for_sndbuf
- ipv6: Fix an uninit variable access bug in __ip6_make_skb()
- gpio: davinci: Add irq chip flag to skip set wake
- sunrpc: only free unix grouplist after RCU settles
- NFSD: callback request does not use correct credential for AUTH_SYS
- xhci: also avoid the XHCI_ZERO_64B_REGS quirk with a passthrough iommu
- USB: serial: cp210x: add Silicon Labs IFS-USB-DATACABLE IDs
- usb: typec: altmodes/displayport: Fix configure initial pin assignment
- USB: serial: option: add Telit FE990 compositions
- USB: serial: option: add Quectel RM500U-CN modem
- iio: adc: ti-ads7950: Set `can_sleep` flag for GPIO chip
- iio: dac: cio-dac: Fix max DAC write value check for 12-bit
- tty: serial: sh-sci: Fix transmit end interrupt handler
- tty: serial: sh-sci: Fix Rx on RZ/G2L SCI
- tty: serial: fsl_lpuart: avoid checking for transfer complete when
UARTCTRL_SBK is asserted in lpuart32_tx_empty
- nilfs2: fix potential UAF of struct nilfs_sc_info in nilfs_segctor_thread()
- nilfs2: fix sysfs interface lifetime
- ALSA: hda/realtek: Add quirk for Clevo X370SNW
- perf/core: Fix the same task check in perf_event_set_output
- ftrace: Mark get_lock_parent_ip() __always_inline
- can: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access
- tracing: Free error logs of tracing instances
- net_sched: prevent NULL dereference if default qdisc setup failed
- drm/panfrost: Fix the panfrost_mmu_map_fault_addr() error path
- ring-buffer: Fix race while reader and writer are on the same page
- mm/swap: fix swap_info_struct race between swapoff and get_swap_pages()
- irqdomain: Look for existing mapping only once
- irqdomain: Refactor __irq_domain_alloc_irqs()
- irqdomain: Fix mapping-creation race
- Revert "pinctrl: amd: Disable and mask interrupts on resume"
- ALSA: emu10k1: fix capture interrupt handler unlinking
- ALSA: hda/sigmatel: add pin overrides for Intel DP45SG motherboard
- ALSA: i2c/cs8427: fix iec958 mixer control deactivation
- ALSA: firewire-tascam: add missing unwind goto in
snd_tscm_stream_start_duplex()
- ALSA: hda/sigmatel: fix S/PDIF out on Intel D*45* motherboards
- Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}
- Bluetooth: Fix race condition in hidp_session_thread
- btrfs: print checksum type and implementation at mount time
- btrfs: fix fast csum implementation detection
- mtdblock: tolerate corrected bit-flips
- mtd: rawnand: meson: fix bitmask for length in command word
- mtd: rawnand: stm32_fmc2: remove unsupported EDO mode
- niu: Fix missing unwind goto in niu_alloc_channels()
- qlcnic: check pci_reset_function result
- sctp: fix a potential overflow in sctp_ifwdtsn_skip
- RDMA/core: Fix GID entry ref leak when create_ah fails
- udp6: fix potential access to stale information
- net: macb: fix a memory corruption in extended buffer descriptor mode
- power: supply: cros_usbpd: reclassify "default case!" as debug
- i2c: imx-lpi2c: clean rx/tx buffers upon new message
- efi: sysfb_efi: Add quirk for Lenovo Yoga Book X91F/L
- drm: panel-orientation-quirks: Add quirk for Lenovo Yoga Book X90F
- verify_pefile: relax wrapper length check
- asymmetric_keys: log on fatal failures in PE/pkcs7
- ubi: Fix failure attaching when vid_hdr offset equals to (sub)page size
- mtd: ubi: wl: Fix a couple of kernel-doc issues
- ubi: Fix deadlock caused by recursively holding work_sem
- i2c: ocores: generate stop condition after timeout in polling mode
- watchdog: sbsa_wdog: Make sure the timeout programming is within the limits
- coresight-etm4: Fix for() loop drvdata->nr_addr_cmp range bug
- xfs: show the proper user quota options
- xfs: remove the kuid/kgid conversion wrappers
- xfs: add a new xfs_sb_version_has_v3inode helper
- xfs: only check the superblock version for dinode size calculation
- xfs: simplify di_flags2 inheritance in xfs_ialloc
- xfs: simplify a check in xfs_ioctl_setattr_check_cowextsize
- xfs: remove the di_version field from struct icdinode
- xfs: set inode size after creating symlink
- xfs: report corruption only as a regular error
- xfs: shut down the filesystem if we screw up quota reservation
- xfs: consider shutdown in bmapbt cursor delete assert
- xfs: don't reuse busy extents on extent trim
- xfs: force log and push AIL to clear pinned inodes when aborting mount
- Linux 5.4.241
* [UBUNTU 20.04] [HPS] Kernel panic with "refcount_t: underflow" in mlx5
driver (LP: #2019011)
- net/mlx5: cmdif, Avoid skipping reclaim pages if FW is not accessible
- net/mlx5: Fix handling of entry refcount when command is not issued to FW
* Disable hv-kvp-daemon if /dev/vmbus/hv_kvp is not present (LP: #2024900)
- [Packaging] disable hv-kvp-daemon if needed
* CVE-2023-35001
- netfilter: nf_tables: prevent OOB access in nft_byteorder_eval
* CVE-2023-32629
- ovl: adhere to the vfs_ vs. ovl_do_ conventions for xattrs
* CVE-2023-3141
- memstick: r592: Fix UAF bug in r592_remove due to race condition
* CVE-2023-3111
- btrfs: check return value of btrfs_commit_transaction in relocation
- btrfs: unset reloc control if transaction commit fails in
prepare_to_relocate()
* CVE-2023-3090
- ipvlan:Fix out-of-bounds caused by unclear skb->cb
* CVE-2023-1611
- btrfs: fix race between quota disable and quota assign ioctls
* CVE-2022-0168
- cifs: move some variables off the stack in smb2_ioctl_query_info
- cifs: prevent bad output lengths in smb2_ioctl_query_info()
- cifs: fix NULL ptr dereference in smb2_ioctl_query_info()
* CVE-2022-27672
- x86/speculation: Identify processors vulnerable to SMT RSB predictions
- KVM: x86: Mitigate the cross-thread return address predictions bug
- Documentation/hw-vuln: Add documentation for Cross-Thread Return Predictions
* Severe NFS performance degradation after LP #2003053 (LP: #2022098)
- SAUCE: Make NFS file-access stale cache behaviour opt-in
* Encountering an issue with memcpy_fromio causing failed boot of SEV-enabled
guest (LP: #2020319)
- x86/sev: Unroll string mmio with CC_ATTR_GUEST_UNROLL_STRING_IO
* Focal update: v5.4.240 upstream stable release (LP: #2023601)
- net: tls: fix possible race condition between do_tls_getsockopt_conf() and
do_tls_setsockopt_conf()
- power: supply: da9150: Fix use after free bug in da9150_charger_remove due
to race condition
- iavf: fix inverted Rx hash condition leading to disabled hash
- iavf: fix non-tunneled IPv6 UDP packet type and hashing
- intel/igbvf: free irq on the error path in igbvf_request_msix()
- igbvf: Regard vf reset nack as success
- i2c: imx-lpi2c: check only for enabled interrupt flags
- scsi: scsi_dh_alua: Fix memleak for 'qdata' in alua_activate()
- net: usb: smsc95xx: Limit packet length to skb->len
- qed/qed_sriov: guard against NULL derefs from qed_iov_get_vf_info
- net: qcom/emac: Fix use after free bug in emac_remove due to race condition
- net/ps3_gelic_net: Fix RX sk_buff length
- net/ps3_gelic_net: Use dma_mapping_error
- keys: Do not cache key in task struct if key is requested from kernel thread
- bpf: Adjust insufficient default bpf_jit_limit
- net/mlx5: Read the TC mapping of all priorities on ETS query
- atm: idt77252: fix kmemleak when rmmod idt77252
- erspan: do not use skb_mac_header() in ndo_start_xmit()
- net/sonic: use dma_mapping_error() for error check
- nvme-tcp: fix nvme_tcp_term_pdu to match spec
- hvc/xen: prevent concurrent accesses to the shared ring
- net: mdio: thunder: Add missing fwnode_handle_put()
- Bluetooth: btqcomsmd: Fix command timeout after setting BD address
- platform/chrome: cros_ec_chardev: fix kernel data leak from ioctl
- hwmon (it87): Fix voltage scaling for chips with 10.9mV ADCs
- scsi: qla2xxx: Perform lockless command completion in abort path
- uas: Add US_FL_NO_REPORT_OPCODES for JMicron JMS583Gen 2
- thunderbolt: Use const qualifier for `ring_interrupt_index`
- riscv: Bump COMMAND_LINE_SIZE value to 1024
- ca8210: fix mac_len negative array access
- m68k: Only force 030 bus error if PC not in exception table
- selftests/bpf: check that modifier resolves after pointer
- scsi: target: iscsi: Fix an error message in iscsi_check_key()
- scsi: ufs: core: Add soft dependency on governor_simpleondemand
- scsi: lpfc: Avoid usage of list iterator variable after loop
- net: usb: cdc_mbim: avoid altsetting toggling for Telit FE990
- net: usb: qmi_wwan: add Telit 0x1080 composition
- sh: sanitize the flags on sigreturn
- cifs: empty interface list when server doesn't support query interfaces
- scsi: core: Add BLIST_SKIP_VPD_PAGES for SKhynix H28U74301AMR
- usb: gadget: u_audio: don't let userspace block driver unbind
- fsverity: Remove WQ_UNBOUND from fsverity read workqueue
- igb: revert rtnl_lock() that causes deadlock
- dm thin: fix deadlock when swapping to thin device
- usb: cdns3: Fix issue with using incorrect PCI device function
- usb: chipdea: core: fix return -EINVAL if request role is the same with
current role
- usb: chipidea: core: fix possible concurrent when switch role
- wifi: mac80211: fix qos on mesh interfaces
- nilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy()
- i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer()
- dm stats: check for and propagate alloc_percpu failure
- dm crypt: add cond_resched() to dmcrypt_write()
- sched/fair: sanitize vruntime of entity being placed
- sched/fair: Sanitize vruntime of entity being migrated
- tun: avoid double free in tun_free_netdev
- ocfs2: fix data corruption after failed write
- fsverity: don't drop pagecache at end of FS_IOC_ENABLE_VERITY
- bus: imx-weim: fix branch condition evaluates to a garbage value
- md: avoid signed overflow in slot_store()
- ALSA: asihpi: check pao in control_message()
- ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set()
- fbdev: tgafb: Fix potential divide by zero
- sched_getaffinity: don't assume 'cpumask_size()' is fully initialized
- fbdev: nvidia: Fix potential divide by zero
- fbdev: intelfb: Fix potential divide by zero
- fbdev: lxfb: Fix potential divide by zero
- fbdev: au1200fb: Fix potential divide by zero
- ca8210: Fix unsigned mac_len comparison with zero in ca8210_skb_tx()
- dma-mapping: drop the dev argument to arch_sync_dma_for_*
- mips: bmips: BCM6358: disable RAC flush for TP1
- mtd: rawnand: meson: invalidate cache on polling ECC bit
- scsi: megaraid_sas: Fix crash after a double completion
- ptp_qoriq: fix memory leak in probe()
- regulator: fix spelling mistake "Cant" -> "Can't"
- regulator: Handle deferred clk
- net/net_failover: fix txq exceeding warning
- can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write
- s390/vfio-ap: fix memory leak in vfio_ap device driver
- i40e: fix registers dump after run ethtool adapter self test
- bnxt_en: Fix typo in PCI id to device description string mapping
- net: dsa: mv88e6xxx: Enable IGMP snooping on user ports only
- net: mvneta: make tx buffer array agnostic
- pinctrl: ocelot: Fix alt mode for ocelot
- Input: alps - fix compatibility with -funsigned-char
- Input: focaltech - use explicitly signed char type
- cifs: prevent infinite recursion in CIFSGetDFSRefer()
- cifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL
- Input: goodix - add Lenovo Yoga Book X90F to nine_bytes_report DMI table
- xen/netback: don't do grant copy across page boundary
- pinctrl: at91-pio4: fix domain name assignment
- NFSv4: Fix hangs when recovering open state after a server reboot
- ALSA: hda/conexant: Partial revert of a quirk for Lenovo
- ALSA: usb-audio: Fix regression on detection of Roland VS-100
- drm/etnaviv: fix reference leak when mmaping imported buffer
- btrfs: scan device in non-exclusive mode
- ext4: fix kernel BUG in 'ext4_write_inline_data_end()'
- net_sched: add __rcu annotation to netdev->qdisc
- net: sched: fix race condition in qdisc_graft()
- firmware: arm_scmi: Fix device node validation for mailbox transport
- gfs2: Always check inode size of inline inodes
- Linux 5.4.240
* Focal update: v5.4.239 upstream stable release (LP: #2023600)
- Linux 5.4.239
* CVE-2023-2124
- xfs: verify buffer contents when we skip log replay
* CVE-2020-36691
- netlink: limit recursion depth in policy validation
* CVE-2022-1184
- ext4: check if directory block is within i_size
- ext4: fix check for block being out of directory size
* CVE-2022-4269
- net: sched: extract qstats update code into functions
- net: sched: don't expose action qstats to skb_tc_reinsert()
- net/sched: act_mirred: refactor the handle of xmit
- net: sched: remove unused tcf_result extension
- net/sched: act_mirred: better wording on protection against excessive stack
growth
- act_mirred: use the backlog for nested calls to mirred ingress
* Focal update: v5.4.238 upstream stable release (LP: #2023427)
- ext4: fix cgroup writeback accounting with fs-layer encryption
- xfrm: Allow transport-mode states with AF_UNSPEC selector
- drm/panfrost: Don't sync rpm suspension after mmu flushing
- cifs: Move the in_send statistic to __smb_send_rqst()
- drm/meson: fix 1px pink line on GXM when scaling video overlay
- clk: HI655X: select REGMAP instead of depending on it
- docs: Correct missing "d_" prefix for dentry_operations member
d_weak_revalidate
- scsi: mpt3sas: Fix NULL pointer access in mpt3sas_transport_port_add()
- ALSA: hda - add Intel DG1 PCI and HDMI ids
- ALSA: hda - controller is in GPU on the DG1
- ALSA: hda: Add Alderlake-S PCI ID and HDMI codec vid
- ALSA: hda: Add Intel DG2 PCI ID and HDMI codec vid
- ALSA: hda: Match only Intel devices with CONTROLLER_IN_GPU()
- netfilter: nft_redir: correct value of inet type `.maxattrs`
- scsi: core: Fix a comment in function scsi_host_dev_release()
- scsi: core: Fix a procfs host directory removal regression
- tcp: tcp_make_synack() can be called from process context
- nfc: pn533: initialize struct pn533_out_arg properly
- ipvlan: Make skb->skb_iif track skb->dev for l3s mode
- i40e: Fix kernel crash during reboot when adapter is in recovery mode
- qed/qed_dev: guard against a possible division by zero
- net: tunnels: annotate lockless accesses to dev->needed_headroom
- net: phy: smsc: bail out in lan87xx_read_status if genphy_read_status fails
- nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition
- net: usb: smsc75xx: Limit packet length to skb->len
- nvmet: avoid potential UAF in nvmet_req_complete()
- block: sunvdc: add check for mdesc_grab() returning NULL
- ipv4: Fix incorrect table ID in IOCTL path
- net: usb: smsc75xx: Move packet length check to prevent kernel panic in
skb_pull
- net/iucv: Fix size of interrupt data
- ethernet: sun: add check for the mdesc_grab()
- hwmon: (adt7475) Display smoothing attributes in correct order
- hwmon: (adt7475) Fix masking of hysteresis registers
- hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove due to race
condition
- hwmon: (ina3221) return prober error code
- media: m5mols: fix off-by-one loop termination error
- mmc: atmel-mci: fix race between stop command and start of next command
- jffs2: correct logic when creating a hole in jffs2_write_begin
- ext4: fail ext4_iget if special inode unallocated
- ext4: fix task hung in ext4_xattr_delete_inode
- drm/amdkfd: Fix an illegal memory access
- sh: intc: Avoid spurious sizeof-pointer-div warning
- ext4: fix possible double unlock when moving a directory
- tty: serial: fsl_lpuart: skip waiting for transmission complete when
UARTCTRL_SBK is asserted
- interconnect: fix mem leak when freeing nodes
- tracing: Check field value in hist_field_name()
- tracing: Make tracepoint lockdep check actually test something
- ftrace: Fix invalid address access in lookup_rec() when index is 0
- fbdev: stifb: Provide valid pixelclock and add fb_check_var() checks
- x86/mm: Fix use of uninitialized buffer in sme_enable()
- drm/i915: Don't use stolen memory for ring buffers with LLC
- serial: 8250_em: Fix UART port type
- s390/ipl: add missing intersection check to ipl_report handling
- PCI: Unify delay handling for reset and resume
- HID: core: Provide new max_buffer_size attribute to over-ride the default
- HID: uhid: Over-ride the default maximum data buffer value with our own
- Linux 5.4.238
* Focal update: v5.4.237 upstream stable release (LP: #2023420)
- fs: prevent out-of-bounds array speculation when closing a file descriptor
- x86/CPU/AMD: Disable XSAVES on AMD family 0x17
- drm/connector: print max_requested_bpc in state debugfs
- ext4: fix RENAME_WHITEOUT handling for inline directories
- ext4: fix another off-by-one fsmap error on 1k block filesystems
- ext4: move where set the MAY_INLINE_DATA flag is set
- ext4: fix WARNING in ext4_update_inline_data
- ext4: zero i_disksize when initializing the bootloader inode
- nfc: change order inside nfc_se_io error path
- iommu/amd: Add PCI segment support for ivrs_[ioapic/hpet/acpihid] commands
- iommu/amd: Fix ill-formed ivrs_ioapic, ivrs_hpet and ivrs_acpihid options
- iommu/amd: Add a length limitation for the ivrs_acpihid command-line
parameter
- ipmi:ssif: make ssif_i2c_send() void
- ipmi:ssif: resend_msg() cannot fail
- ipmi:ssif: Remove rtc_us_timer
- ipmi:ssif: Increase the message retry time
- ipmi:ssif: Add a timer between request retries
- irqdomain: Change the type of 'size' in __irq_domain_add() to be consistent
- irqdomain: Fix domain registration race
- iommu/vt-d: Fix PASID directory pointer coherency
- SMB3: Backup intent flag missing from some more ops
- cifs: Fix uninitialized memory read in smb3_qfs_tcon()
- scsi: core: Remove the /proc/scsi/${proc_name} directory earlier
- ext4: Fix possible corruption when moving a directory
- drm/msm/a5xx: fix setting of the CP_PREEMPT_ENABLE_LOCAL register
- nfc: fdp: add null check of devm_kmalloc_array in
fdp_nci_i2c_read_device_properties
- ila: do not generate empty messages in ila_xlat_nl_cmd_get_mapping()
- selftests: nft_nat: ensuring the listening side is up before starting the
client
- net: usb: lan78xx: Remove lots of set but unused 'ret' variables
- net: lan78xx: fix accessing the LAN7800's internal phy specific registers
from the MAC driver
- net: caif: Fix use-after-free in cfusbl_device_notify()
- bnxt_en: Avoid order-5 memory allocation for TPA data
- netfilter: tproxy: fix deadlock due to missing BH disable
- btf: fix resolving BTF_KIND_VAR after ARRAY, STRUCT, UNION, PTR
- scsi: megaraid_sas: Update max supported LD IDs to 240
- net/smc: fix fallback failed while sendmsg with fastopen
- riscv: Use READ_ONCE_NOCHECK in imprecise unwinding stack mode
- ext4: Fix deadlock during directory rename
- MIPS: Fix a compilation issue
- alpha: fix R_ALPHA_LITERAL reloc for large modules
- macintosh: windfarm: Use unsigned type for 1-bit bitfields
- PCI: Add SolidRun vendor ID
- media: ov5640: Fix analogue gain control
- ipmi/watchdog: replace atomic_add() and atomic_sub()
- ipmi:watchdog: Set panic count to proper value on a panic
- drm/i915: Don't use BAR mappings for ring buffers with LLC
- x86, vmlinux.lds: Add RUNTIME_DISCARD_EXIT to generic DISCARDS
- arch: fix broken BuildID for arm64 and riscv
- powerpc/vmlinux.lds: Define RUNTIME_DISCARD_EXIT
- powerpc/vmlinux.lds: Don't discard .rela* for relocatable builds
- s390: define RUNTIME_DISCARD_EXIT to fix link error with GNU ld < 2.36
- sh: define RUNTIME_DISCARD_EXIT
- UML: define RUNTIME_DISCARD_EXIT
- s390/dasd: add missing discipline function
- Linux 5.4.237
* Focal update: v5.4.236 upstream stable release (LP: #2020390)
- staging: rtl8192e: Remove function ..dm_check_ac_dc_power calling a script
- staging: rtl8192e: Remove call_usermodehelper starting RadioPower.sh
- Linux 5.4.236
* Packaging resync (LP: #1786013)
- [Packaging] resync update-dkms-versions helper
Date: 2023-07-26 07:43:08.502656+00:00
Changed-By: Khaled El Mously <khalid.elmously at canonical.com>
Signed-By: Andy Whitcroft <apw at canonical.com>
https://launchpad.net/ubuntu/+source/linux-gke/5.4.0-1105.112
-------------- next part --------------
Sorry, changesfile not available.
More information about the Focal-changes
mailing list