[ubuntu/focal-security] linux 5.4.0-192.212 (Accepted)

Andy Whitcroft apw at canonical.com
Thu Aug 8 14:56:41 UTC 2024


linux (5.4.0-192.212) focal; urgency=medium

  * focal/linux: 5.4.0-192.212 -proposed tracker (LP: #2072305)

  * Focal update: v5.4.278 upstream stable release (LP: #2071668)
    - x86/tsc: Trust initial offset in architectural TSC-adjust MSRs
    - speakup: Fix sizeof() vs ARRAY_SIZE() bug
    - ring-buffer: Fix a race between readers and resize checks
    - net: smc91x: Fix m68k kernel compilation for ColdFire CPU
    - nilfs2: fix unexpected freezing of nilfs_segctor_sync()
    - nilfs2: fix potential hang in nilfs_detach_log_writer()
    - wifi: cfg80211: fix the order of arguments for trace events of the tx_rx_evt
      class
    - net: usb: qmi_wwan: add Telit FN920C04 compositions
    - drm/amd/display: Set color_mgmt_changed to true on unsuspend
    - ASoC: rt5645: Fix the electric noise due to the CBJ contacts floating
    - ASoC: dt-bindings: rt5645: add cbj sleeve gpio property
    - ASoC: da7219-aad: fix usage of device_get_named_child_node()
    - drm/amdkfd: Flush the process wq before creating a kfd_process
    - nvme: find numa distance only if controller has valid numa id
    - openpromfs: finish conversion to the new mount API
    - crypto: bcm - Fix pointer arithmetic
    - firmware: raspberrypi: Use correct device for DMA mappings
    - ecryptfs: Fix buffer size for tag 66 packet
    - nilfs2: fix out-of-range warning
    - parisc: add missing export of __cmpxchg_u8()
    - crypto: ccp - drop platform ifdef checks
    - s390/cio: fix tracepoint subchannel type field
    - jffs2: prevent xattr node from overflowing the eraseblock
    - null_blk: Fix missing mutex_destroy() at module removal
    - md: fix resync softlockup when bitmap size is less than array size
    - wifi: ath10k: poll service ready message before failing
    - x86/boot: Ignore relocations in .notes sections in walk_relocs() too
    - qed: avoid truncating work queue length
    - scsi: ufs: qcom: Perform read back after writing reset bit
    - scsi: ufs: cdns-pltfrm: Perform read back after writing HCLKDIV
    - scsi: ufs: core: Perform read back after disabling interrupts
    - scsi: ufs: core: Perform read back after disabling UIC_COMMAND_COMPL
    - irqchip/alpine-msi: Fix off-by-one in allocation error path
    - ACPI: disable -Wstringop-truncation
    - cpufreq: Reorganize checks in cpufreq_offline()
    - cpufreq: Split cpufreq_offline()
    - cpufreq: Rearrange locking in cpufreq_remove_dev()
    - cpufreq: exit() callback is optional
    - scsi: libsas: Fix the failure of adding phy with zero-address to port
    - scsi: hpsa: Fix allocation size for Scsi_Host private data
    - x86/purgatory: Switch to the position-independent small code model
    - wifi: ath10k: Fix an error code problem in
      ath10k_dbg_sta_write_peer_debug_trigger()
    - wifi: ath10k: populate board data for WCN3990
    - tcp: minor optimization in tcp_add_backlog()
    - tcp: fix a signed-integer-overflow bug in tcp_add_backlog()
    - tcp: avoid premature drops in tcp_add_backlog()
    - macintosh/via-macii: Fix "BUG: sleeping function called from invalid
      context"
    - wifi: carl9170: add a proper sanity check for endpoints
    - wifi: ar5523: enable proper endpoint verification
    - sh: kprobes: Merge arch_copy_kprobe() into arch_prepare_kprobe()
    - Revert "sh: Handle calling csum_partial with misaligned data"
    - HID: intel-ish-hid: ipc: Add check for pci_alloc_irq_vectors
    - scsi: bfa: Ensure the copied buf is NUL terminated
    - scsi: qedf: Ensure the copied buf is NUL terminated
    - wifi: mwl8k: initialize cmd->addr[] properly
    - usb: aqc111: stop lying about skb->truesize
    - net: usb: sr9700: stop lying about skb->truesize
    - m68k: Fix spinlock race in kernel thread creation
    - m68k: mac: Fix reboot hang on Mac IIci
    - net: ethernet: cortina: Locking fixes
    - af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg
    - net: usb: smsc95xx: stop lying about skb->truesize
    - net: openvswitch: fix overwriting ct original tuple for ICMPv6
    - ipv6: sr: add missing seg6_local_exit
    - ipv6: sr: fix incorrect unregister order
    - ipv6: sr: fix invalid unregister error path
    - drm/amd/display: Fix potential index out of bounds in color transformation
      function
    - mtd: rawnand: hynix: fixed typo
    - fbdev: shmobile: fix snprintf truncation
    - drm/mediatek: Add 0 size check to mtk_drm_gem_obj
    - powerpc/fsl-soc: hide unused const variable
    - fbdev: sisfb: hide unused variables
    - media: ngene: Add dvb_ca_en50221_init return value check
    - media: radio-shark2: Avoid led_names truncations
    - platform/x86: wmi: Make two functions static
    - fbdev: sh7760fb: allow modular build
    - drm/arm/malidp: fix a possible null pointer dereference
    - ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value
    - drm/panel: simple: Add missing Innolux G121X1-L03 format, flags, connector
    - RDMA/hns: Use complete parentheses in macros
    - x86/insn: Fix PUSH instruction in x86 instruction decoder opcode map
    - ext4: avoid excessive credit estimate in ext4_tmpfile()
    - sunrpc: removed redundant procp check
    - SUNRPC: Fix gss_free_in_token_pages()
    - selftests/kcmp: Make the test output consistent and clear
    - selftests/kcmp: remove unused open mode
    - RDMA/IPoIB: Fix format truncation compilation errors
    - netrom: fix possible dead-lock in nr_rt_ioctl()
    - af_packet: do not call packet_read_pending() from tpacket_destruct_skb()
    - sched/topology: Don't set SD_BALANCE_WAKE on cpuset domain relax
    - sched/fair: Allow disabling sched_balance_newidle with
      sched_relax_domain_level
    - greybus: lights: check return of get_channel_from_mode
    - soundwire: cadence/intel: simplify PDI/port mapping
    - soundwire: intel: don't filter out PDI0/1
    - soundwire: cadence_master: improve PDI allocation
    - soundwire: cadence: fix invalid PDI offset
    - dmaengine: idma64: Add check for dma_set_max_seg_size
    - firmware: dmi-id: add a release callback function
    - serial: max3100: Lock port->lock when calling uart_handle_cts_change()
    - serial: max3100: Update uart_driver_registered on driver removal
    - serial: max3100: Fix bitwise types
    - greybus: arche-ctrl: move device table to its right location
    - iio: pressure: dps310: support negative temperature values
    - microblaze: Remove gcc flag for non existing early_printk.c file
    - microblaze: Remove early printk call from cpuinfo-static.c
    - usb: gadget: u_audio: Clear uac pointer when freed.
    - stm class: Fix a double free in stm_register_device()
    - ppdev: Remove usage of the deprecated ida_simple_xx() API
    - ppdev: Add an error check in register_device
    - extcon: max8997: select IRQ_DOMAIN instead of depending on it
    - f2fs: fix to release node block count in error path of f2fs_new_node_page()
    - serial: sh-sci: protect invalidating RXDMA on shutdown
    - libsubcmd: Fix parse-options memory leak
    - Input: ims-pcu - fix printf string overflow
    - Input: pm8xxx-vibrator - correct VIB_MAX_LEVELS calculation
    - drm/msm/dpu: Always flush the slave INTF on the CTL
    - um: Fix return value in ubd_init()
    - um: Add winch to winch_handlers before registering winch IRQ
    - media: stk1160: fix bounds checking in stk1160_copy_video()
    - scsi: qla2xxx: Replace all non-returning strlcpy() with strscpy()
    - powerpc/pseries: Add failure related checks for h_get_mpp and h_get_ppp
    - um: Fix the -Wmissing-prototypes warning for __switch_mm
    - media: cec: cec-adap: always cancel work in cec_transmit_msg_fh
    - media: cec: cec-api: add locking in cec_release()
    - null_blk: Fix the WARNING: modpost: missing MODULE_DESCRIPTION()
    - x86/kconfig: Select ARCH_WANT_FRAME_POINTERS again when
      UNWINDER_FRAME_POINTER=y
    - [Config] Update CONFIG_ARCH_WANT_FRAME_POINTERS
    - nfc: nci: Fix uninit-value in nci_rx_work
    - sunrpc: fix NFSACL RPC retry on soft mount
    - ipv6: sr: fix memleak in seg6_hmac_init_algo
    - params: lift param_set_uint_minmax to common code
    - tcp: Fix shift-out-of-bounds in dctcp_update_alpha().
    - openvswitch: Set the skbuff pkt_type for proper pmtud support.
    - arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY
    - virtio: delete vq in vp_find_vqs_msix() when request_irq() fails
    - net: fec: avoid lock evasion when reading pps_enable
    - nfc: nci: Fix kcov check in nci_rx_work()
    - nfc: nci: Fix handling of zero-length payload packets in nci_rx_work()
    - netfilter: nfnetlink_queue: acquire rcu_read_lock() in
      instance_destroy_rcu()
    - spi: Don't mark message DMA mapped when no transfer in it is
    - nvmet: fix ns enable/disable possible hang
    - net/mlx5e: Use rx_missed_errors instead of rx_dropped for reporting buffer
      exhaustion
    - dma-buf/sw-sync: don't enable IRQ from sync_print_obj()
    - enic: Validate length of nl attributes in enic_set_vf_port
    - smsc95xx: remove redundant function arguments
    - smsc95xx: use usbnet->driver_priv
    - net: usb: smsc95xx: fix changing LED_SEL bit value updated from EEPROM
    - net:fec: Add fec_enet_deinit()
    - netfilter: tproxy: bail out if IP has been disabled on the device
    - kconfig: fix comparison to constant symbols, 'm', 'n'
    - spi: stm32: Don't warn about spurious interrupts
    - ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound
    - ALSA: timer: Set lower bound of start tick time
    - genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline
    - SUNRPC: Fix loop termination condition in gss_free_in_token_pages()
    - binder: fix max_thread type inconsistency
    - mmc: core: Do not force a retune before RPMB switch
    - io_uring: fail NOP if non-zero op flags is passed in
    - afs: Don't cross .backup mountpoint from backup volume
    - nilfs2: fix use-after-free of timer for log writer thread
    - vxlan: Fix regression when dropping packets due to invalid src addresses
    - x86/mm: Remove broken vsyscall emulation code from the page fault code
    - f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()
    - media: lgdt3306a: Add a check against null-pointer-def
    - drm/amdgpu: add error handle to avoid out-of-bounds
    - ata: pata_legacy: make legacy_exit() work again
    - ACPI: resource: Do IRQ override on TongFang GXxHRXx and GMxHGxx
    - arm64: tegra: Correct Tegra132 I2C alias
    - md/raid5: fix deadlock that raid5d() wait for itself to clear
      MD_SB_CHANGE_PENDING
    - wifi: rtl8xxxu: Fix the TX power of RTL8192CU, RTL8723AU
    - arm64: dts: hi3798cv200: fix the size of GICR
    - media: mc: mark the media devnode as registered from the, start
    - media: mxl5xx: Move xpt structures off stack
    - media: v4l2-core: hold videodev_lock until dev reg, finishes
    - fbdev: savage: Handle err return when savagefb_check_var failed
    - KVM: arm64: Allow AArch32 PSTATE.M to be restored as System mode
    - crypto: ecrdsa - Fix module auto-load on add_key
    - crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak
    - net/ipv6: Fix route deleting failure when metric equals 0
    - net/9p: fix uninit-value in p9_client_rpc()
    - intel_th: pci: Add Meteor Lake-S CPU support
    - sparc64: Fix number of online CPUs
    - kdb: Fix buffer overflow during tab-complete
    - kdb: Use format-strings rather than '\0' injection in kdb_read()
    - kdb: Fix console handling when editing and tab-completing commands
    - kdb: Merge identical case statements in kdb_read()
    - kdb: Use format-specifiers rather than memset() for padding in kdb_read()
    - net: fix __dst_negative_advice() race
    - xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING
    - sparc: move struct termio to asm/termios.h
    - ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()
    - s390/ap: Fix crash in AP internal function modify_bitmap()
    - nfs: fix undefined behavior in nfs_block_bits()
    - Linux 5.4.278

  * CVE-2024-27019
    - netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV
    - netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()

  * CVE-2024-26886
    - Bluetooth: af_bluetooth: Fix deadlock

  * CVE-2023-52752
    - smb: client: fix use-after-free bug in cifs_debug_data_proc_show()

  * CVE-2022-48674
    - erofs: fix pcluster use-after-free on UP platforms

  * Focal update: v5.4.277 upstream stable release (LP: #2070179)
    - pinctrl: core: handle radix_tree_insert() errors in
      pinctrl_register_one_pin()
    - ext4: fix bug_on in __es_tree_search
    - Revert "selftests: mm: fix map_hugetlb failure on 64K page size systems"
    - Revert "net: bcmgenet: use RGMII loopback for MAC reset"
    - net: bcmgenet: keep MAC in reset until PHY is up
    - net: bcmgenet: synchronize EXT_RGMII_OOB_CTRL access
    - net: bcmgenet: synchronize use of bcmgenet_set_rx_mode()
    - net: bcmgenet: synchronize UMAC_CMD access
    - smb: client: fix potential OOBs in smb2_parse_contexts()
    - arm64: dts: qcom: Fix 'interrupt-map' parent address cells
    - btrfs: add missing mutex_unlock in btrfs_relocate_sys_chunks()
    - drm/amdgpu: Fix possible NULL dereference in
      amdgpu_ras_query_error_status_helper()
    - usb: typec: ucsi: displayport: Fix potential deadlock
    - serial: kgdboc: Fix NMI-safety problems from keyboard reset code
    - docs: kernel_include.py: Cope with docutils 0.21
    - Linux 5.4.277

  * Focal update: v5.4.276 upstream stable release (LP: #2069758)
    - dmaengine: pl330: issue_pending waits until WFP state
    - dmaengine: Revert "dmaengine: pl330: issue_pending waits until WFP state"
    - wifi: nl80211: don't free NULL coalescing rule
    - pinctrl: core: delete incorrect free in pinctrl_enable()
    - pinctrl: mediatek: Check gpio pin number and use binary search in
      mtk_hw_pin_field_lookup()
    - pinctrl: mediatek: Supporting driving setting without mapping current to
      register value
    - pinctrl: mediatek: Refine mtk_pinconf_get() and mtk_pinconf_set()
    - pinctrl: mediatek: Refine mtk_pinconf_get()
    - pinctrl: mediatek: Backward compatible to previous Mediatek's bias-pull
      usage
    - pinctrl: mediatek: remove shadow variable declaration
    - pinctrl: mediatek: paris: Fix PIN_CONFIG_BIAS_* readback
    - pinctrl: mediatek: paris: Rework mtk_pinconf_{get,set} switch/case logic
    - pinctrl: mediatek: paris: Rework support for
      PIN_CONFIG_{INPUT,OUTPUT}_ENABLE
    - sunrpc: add a struct rpc_stats arg to rpc_create_args
    - nfs: expose /proc/net/sunrpc/nfs in net namespaces
    - nfs: make the rpc_stat per net namespace
    - nfs: Handle error of rpc_proc_register() in nfs_net_init().
    - power: rt9455: hide unused rt9455_boost_voltage_values
    - pinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map()
    - s390/mm: Fix storage key clearing for guest huge pages
    - s390/mm: Fix clearing storage keys for huge pages
    - bna: ensure the copied buf is NUL terminated
    - nsh: Restore skb->{protocol,data,mac_header} for outer header in
      nsh_gso_segment().
    - net l2tp: drop flow hash on forward
    - net: qede: use return from qede_parse_flow_attr() for flow_spec
    - net: dsa: mv88e6xxx: Add number of MACs in the ATU
    - net: dsa: mv88e6xxx: Fix number of databases for 88E6141 / 88E6341
    - net: bridge: fix multicast-to-unicast with fraglist GSO
    - tipc: fix a possible memleak in tipc_buf_append
    - clk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change
    - scsi: lpfc: Update lpfc_ramp_down_queue_handler() logic
    - gfs2: Fix invalid metadata access in punch_hole
    - wifi: mac80211: fix ieee80211_bss_*_flags kernel-doc
    - wifi: cfg80211: fix rdev_dump_mpp() arguments order
    - net: mark racy access on sk->sk_rcvbuf
    - scsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload
    - ALSA: line6: Zero-initialize message buffers
    - net: bcmgenet: Reset RBUF on first open
    - ata: sata_gemini: Check clk_enable() result
    - firewire: ohci: mask bus reset interrupts between ISR and bottom half
    - tools/power turbostat: Fix added raw MSR output
    - tools/power turbostat: Fix Bzy_MHz documentation typo
    - btrfs: make btrfs_clear_delalloc_extent() free delalloc reserve
    - btrfs: always clear PERTRANS metadata during commit
    - scsi: target: Fix SELinux error when systemd-modules loads the target module
    - gpu: host1x: Do not setup DMA for virtual devices
    - MIPS: scall: Save thread_info.syscall unconditionally on entry
    - selftests: timers: Fix valid-adjtimex signed left-shift undefined behavior
    - fs/9p: only translate RWX permissions for plain 9P2000
    - fs/9p: translate O_TRUNC into OTRUNC
    - 9p: explicitly deny setlease attempts
    - gpio: wcove: Use -ENOTSUPP consistently
    - gpio: crystalcove: Use -ENOTSUPP consistently
    - clk: Don't hold prepare_lock when calling kref_put()
    - fs/9p: drop inodes immediately on non-.L too
    - net:usb:qmi_wwan: support Rolling modules
    - pinctrl: mediatek: Fix fallback call path
    - xfrm: Preserve vlan tags for transport mode software GRO
    - tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets
    - tcp: Use refcount_inc_not_zero() in tcp_twsk_unique().
    - Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout
    - Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout
    - rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation
    - phonet: fix rtm_phonet_notify() skb allocation
    - net: bridge: fix corrupted ethernet header on multicast-to-unicast
    - ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()
    - net: qede: sanitize 'rc' in qede_add_tc_flower_fltr()
    - net: qede: use return from qede_parse_flow_attr() for flower
    - firewire: nosy: ensure user_length is taken into account when fetching
      packet contents
    - usb: gadget: composite: fix OS descriptors w_value logic
    - usb: gadget: f_fs: Fix a race condition when processing setup packets.
    - tipc: fix UAF in error path
    - dyndbg: fix old BUG_ON in >control parser
    - drm/vmwgfx: Fix invalid reads in fence signaled events
    - net: fix out-of-bounds access in ops_init
    - regulator: core: fix debugfs creation regression
    - pinctrl: mediatek: Fix fallback behavior for bias_set_combo
    - pinctrl: mediatek: Fix some off by one bugs
    - pinctrl: mediatek: remove set but not used variable 'e'
    - pinctrl: mediatek: paris: Fix PIN_CONFIG_INPUT_SCHMITT_ENABLE readback
    - Linux 5.4.276

  * Freezing user space processes failed after 20.008 seconds (1 tasks refusing
    to freeze, wq_busy=0) (LP: #2061091)
    - ALSA: Fix deadlocks with kctl removals at disconnection

  * CVE-2024-36016
    - tty: n_gsm: fix possible out-of-bounds in gsm0_receive()

  * CVE-2022-48655
    - firmware: arm_scmi: Harden accesses to the reset domains

  * CVE-2024-26907
    - RDMA/mlx5: Fix fortify source warning while accessing Eth segment

  * CVE-2024-26585
    - tls: fix race between tx work scheduling and socket close

  * CVE-2024-26584
    - net: tls: handle backlogging of crypto requests

  * CVE-2024-26583
    - net/tls: Replace TLS_RX_SYNC_RUNNING with RCU
    - net/tls: Fix use-after-free after the TLS device goes down and up
    - tls: splice_read: fix record type check
    - tls splice: remove inappropriate flags checking for MSG_PEEK
    - tls: splice_read: fix accessing pre-processed records
    - tls: Fix context leak on tls_device_down
    - net/tls: Check for errors in tls_device_init
    - net/tls: Remove the context from the list in tls_device_down
    - net/tls: pass context to tls_device_decrypted()
    - net/tls: Perform immediate device ctx cleanup when possible
    - net/tls: Multi-threaded calls to TX tls_dev_del
    - net: tls: avoid discarding data on record close
    - tls: rx: don't store the record type in socket context
    - tls: rx: don't store the decryption status in socket context
    - tls: rx: don't issue wake ups when data is decrypted
    - tls: rx: refactor decrypt_skb_update()
    - tls: hw: rx: use return value of tls_device_decrypted() to carry status
    - tls: rx: drop unnecessary arguments from tls_setup_from_iter()
    - tls: rx: don't report text length from the bowels of decrypt
    - tls: rx: wrap decryption arguments in a structure
    - tls: rx: factor out writing ContentType to cmsg
    - tls: rx: don't track the async count
    - tls: rx: assume crypto always calls our callback
    - tls: rx: use async as an in-out argument
    - tls: decrement decrypt_pending if no async completion will be called
    - net: tls: fix async vs NIC crypto offload
    - tls: rx: simplify async wait
    - tls: extract context alloc/initialization out of tls_set_sw_offload
    - net: tls: factor out tls_*crypt_async_wait()
    - tls: fix race between async notify and socket close

Date: 2024-07-05 09:44:11.761188+00:00
Changed-By: Stefan Bader <stefan.bader at canonical.com>
Signed-By: Andy Whitcroft <apw at canonical.com>
https://launchpad.net/ubuntu/+source/linux/5.4.0-192.212