[ubuntu/lunar-security] linux 6.2.0-34.34 (Accepted)

Andy Whitcroft apw at canonical.com
Wed Oct 4 08:10:59 UTC 2023


linux (6.2.0-34.34) lunar; urgency=medium

  * lunar/linux: 6.2.0-34.34 -proposed tracker (LP: #2033779)

  * CVE-2023-20569
    - x86/cpu, kvm: Add support for CPUID_80000021_EAX
    - tools headers x86 cpufeatures: Sync with the kernel sources
    - x86/alternative: Optimize returns patching
    - x86/retbleed: Add __x86_return_thunk alignment checks
    - x86/srso: Add a Speculative RAS Overflow mitigation
    - x86/srso: Add IBPB_BRTYPE support
    - x86/srso: Add SRSO_NO support
    - x86/srso: Add IBPB
    - x86/srso: Add IBPB on VMEXIT
    - x86/srso: Fix return thunks in generated code
    - x86/srso: Add a forgotten NOENDBR annotation
    - x86/srso: Tie SBPB bit setting to microcode patch detection
    - Documentation/hw-vuln: Unify filename specification in index
    - Documentation/srso: Document IBPB aspect and fix formatting
    - x86/srso: Fix build breakage with the LLVM linker
    - x86: Move gds_ucode_mitigated() declaration to header
    - x86/retpoline: Don't clobber RFLAGS during srso_safe_ret()
    - x86/srso: Disable the mitigation on unaffected configurations
    - x86/retpoline,kprobes: Fix position of thunk sections with CONFIG_LTO_CLANG
    - x86/retpoline,kprobes: Skip optprobe check for indirect jumps with
      retpolines and IBT
    - x86/cpu: Fix __x86_return_thunk symbol type
    - x86/cpu: Fix up srso_safe_ret() and __x86_return_thunk()
    - objtool/x86: Fix SRSO mess
    - x86/alternative: Make custom return thunk unconditional
    - x86/cpu: Clean up SRSO return thunk mess
    - x86/cpu: Rename original retbleed methods
    - x86/cpu: Rename srso_(.*)_alias to srso_alias_\1
    - x86/cpu: Cleanup the untrain mess
    - x86/srso: Explain the untraining sequences a bit more
    - objtool/x86: Fixup frame-pointer vs rethunk
    - x86/static_call: Fix __static_call_fixup()
    - x86/srso: Correct the mitigation status when SMT is disabled
    - Ubuntu: [Config]: enable Speculative Return Stack Overflow mitigation

  * Please enable Renesas RZ platform serial installer (LP: #2022361)
    - [Config] enable hihope RZ/G2M serial console
    - [Config] Mark sh-sci as built-in

  * dGPU cannot resume because system firmware stuck in IPCS method
    (LP: #2021572)
    - drm/i915/tc: Abort DP AUX transfer on a disconnected TC port
    - drm/i915/tc: switch to intel_de_* register accessors in display code
    - drm/i915: Enable a PIPEDMC whenever its corresponding pipe is enabled
    - drm/i915/tc: Fix TC port link ref init for DP MST during HW readout
    - drm/i915/tc: Fix system resume MST mode restore for DP-alt sinks
    - drm/i915/tc: Wait for IOM/FW PHY initialization of legacy TC ports
    - drm/i915/tc: Factor out helpers converting HPD mask to TC mode
    - drm/i915/tc: Fix target TC mode for a disconnected legacy port
    - drm/i915/tc: Fix TC mode for a legacy port if the PHY is not ready
    - drm/i915/tc: Fix initial TC mode on disabled legacy ports
    - drm/i915/tc: Make the TC mode readout consistent in all PHY states
    - drm/i915: Add encoder hook to get the PLL type used by TC ports
    - drm/i915/tc: Assume a TC port is legacy if VBT says the port has HDMI
    - drm/i915/tc: Factor out a function querying active links on a TC port
    - drm/i915/tc: Check the PLL type used by an enabled TC port
    - drm/i915/tc: Group the TC PHY setup/query functions per platform
    - drm/i915/tc: Use the adlp prefix for ADLP TC PHY functions
    - drm/i915/tc: Rename tc_phy_status_complete() to tc_phy_is_ready()
    - drm/i915/tc: Use the tc_phy prefix for all TC PHY functions
    - drm/i915/tc: Move TC port fields to a new intel_tc_port struct
    - drm/i915/tc: Check for TC PHY explicitly in
      intel_tc_port_fia_max_lane_count()
    - drm/i915/tc: Move the intel_tc_port struct declaration to intel_tc.c
    - drm/i915/tc: Add TC PHY hook to get the PHY HPD live status
    - drm/i915/tc: Add TC PHY hooks to get the PHY ready/owned state
    - drm/i915/tc: Add TC PHY hook to read out the PHY HW state
    - drm/i915/tc: Add generic TC PHY connect/disconnect handlers
    - drm/i915/tc: Factor out tc_phy_verify_legacy_or_dp_alt_mode()
    - drm/i915/tc: Add TC PHY hooks to connect/disconnect the PHY
    - drm/i915/tc: Fix up the legacy VBT flag only in disconnected mode
    - drm/i915/tc: Check TC mode instead of the VBT legacy flag
    - drm/i915/tc: Block/unblock TC-cold in the PHY connect/disconnect hooks
    - drm/i915/tc: Remove redundant wakeref=0 check from unblock_tc_cold()
    - drm/i915/tc: Drop tc_cold_block()/unblock()'s power domain parameter
    - drm/i915/tc: Add TC PHY hook to get the TC-cold blocking power domain
    - drm/i915/tc: Add asserts in TC PHY hooks that the required power is on
    - drm/i915/tc: Add TC PHY hook to init the PHY
    - drm/i915/adlp/tc: Use the DE HPD ISR register for hotplug detection
    - drm/i915/tc: Get power ref for reading the HPD live status register
    - drm/i915/tc: Don't connect the PHY in intel_tc_port_connected()
    - drm/i915/adlp/tc: Align the connect/disconnect PHY sequence with bspec
    - drm/i915: Move shared DPLL disabling into CRTC disable hook
    - drm/i915: Disable DPLLs before disconnecting the TC PHY
    - drm/i915: Remove TC PHY disconnect workaround
    - drm/i915: Remove the encoder update_prepare()/complete() hooks
    - drm/i915/dp_mst: Fix active port PLL selection for secondary MST streams
    - drm/i915: Fix PIPEDMC disabling for a bigjoiner configuration
    - drm/i915: Add helpers to reference/unreference a DPLL for a CRTC
    - drm/i915: Make the CRTC state consistent during sanitize-disabling
    - drm/i915: Update connector atomic state before crtc sanitize-disabling
    - drm/i915: Separate intel_crtc_disable_noatomic_begin/complete()
    - drm/i915: Factor out set_encoder_for_connector()
    - drm/i915: Add support for disabling any CRTCs during HW readout/sanitization
    - drm/i915/dp: Prevent link training fallback on disconnected port
    - drm/i915/dp: Factor out intel_dp_get_active_pipes()
    - drm/i915: Factor out a helper for handling atomic modeset locks/state
    - drm/i915/tc: Call TypeC port flush_work/cleanup without modeset locks held
    - drm/i915/tc: Reset TypeC PHYs left enabled in DP-alt mode after the sink
      disconnects

  * amdgpu: Fixes for S0i3 resume on Phoenix (LP: #2033654)
    - drm/amd/pm: skip the RLC stop when S0i3 suspend for SMU v13.0.4/11
    - drm/amdgpu: skip fence GFX interrupts disable/enable for S0ix
    - drm/amd: flush any delayed gfxoff on suspend entry

  * Fix panel brightness issues on HP laptops (LP: #2032704)
    - ACPI: video: Put ACPI video and its child devices into D0 on boot

  * Fix ACPI TAD  on some Intel based systems (LP: #2032767)
    - ACPI: TAD: Install SystemCMOS address space handler for ACPI000E

  * kdump doesn't work with UEFI secure boot and kernel lockdown enabled on
    ARM64 (LP: #2033007)
    - [Config]: Enable CONFIG_KEXEC_IMAGE_VERIFY_SIG

  * Request backport of xen timekeeping performance improvements (LP: #2033122)
    - x86/xen/time: prefer tsc as clocksource when it is invariant

  * Fix numerous AER related issues (LP: #2033025)
    - SAUCE: PCI/AER: Disable AER service during suspend, again
    - SAUCE: PCI/DPC: Disable DPC service during suspend, again

  * Enable D3cold at s2idle for Intel DG2 GPU (LP: #2033452)
    - drm/i915/dgfx: Enable d3cold at s2idle

  * CVE-2023-4569
    - netfilter: nf_tables: deactivate catchall elements in next generation

  * Fix non-working MT7921e when pre-boot WiFi is enabled (LP: #2026322)
    - wifi: mt76: mt7921e: fix init command fail with enabled device

  * Fix unreliable ethernet cable detection on I219 NIC (LP: #2028122)
    - e1000e: Use PME poll to circumvent unreliable ACPI wake

  * [SRU][Ubuntu 22.04.1] Unable to interpret the frequency values in
    cpuinfo_min_freq and cpuino_max_freq sysfs files. (LP: #2030924)
    - cpufreq: intel_pstate: Fix scaling for hybrid-capable

  * CVE-2023-40283
    - Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb

  * CVE-2023-20588
    - x86/bugs: Increase the x86 bugs vector size to two u32s
    - x86/CPU/AMD: Do not leak quotient data after a division by 0
    - x86/CPU/AMD: Fix the DIV(0) initial fix attempt

  * CVE-2023-4194
    - net: tun_chr_open(): set sk_uid from current_fsuid()
    - net: tap_open(): set sk_uid from current_fsuid()

  * CVE-2023-4155
    - KVM: SEV: snapshot the GHCB before accessing it
    - KVM: SEV: only access GHCB fields once

  * CVE-2023-1206
    - tcp: Reduce chance of collisions in inet6_hashfn().

  * Lunar update: upstream stable patchset 2023-08-03 (LP: #2029808)
    - RDMA/bnxt_re: Fix the page_size used during the MR creation
    - phy: amlogic: phy-meson-g12a-mipi-dphy-analog: fix CNTL2_DIF_TX_CTL0 value
    - RDMA/efa: Fix unsupported page sizes in device
    - RDMA/hns: Fix timeout attr in query qp for HIP08
    - RDMA/hns: Fix base address table allocation
    - RDMA/hns: Modify the value of long message loopback slice
    - dmaengine: at_xdmac: fix potential Oops in at_xdmac_prep_interleaved()
    - RDMA/bnxt_re: Fix a possible memory leak
    - RDMA/bnxt_re: Fix return value of bnxt_re_process_raw_qp_pkt_rx
    - iommu/rockchip: Fix unwind goto issue
    - iommu/amd: Don't block updates to GATag if guest mode is on
    - iommu/amd: Handle GALog overflows
    - iommu/amd: Fix up merge conflict resolution
    - nfsd: make a copy of struct iattr before calling notify_change
    - dmaengine: pl330: rename _start to prevent build error
    - riscv: Fix unused variable warning when BUILTIN_DTB is set
    - net/mlx5: Drain health before unregistering devlink
    - net/mlx5: SF, Drain health before removing device
    - net/mlx5: fw_tracer, Fix event handling
    - net/mlx5e: Don't attach netdev profile while handling internal error
    - net: mellanox: mlxbf_gige: Fix skb_panic splat under memory pressure
    - netrom: fix info-leak in nr_write_internal()
    - af_packet: Fix data-races of pkt_sk(sk)->num.
    - tls: improve lockless access safety of tls_err_abort()
    - amd-xgbe: fix the false linkup in xgbe_phy_status
    - perf ftrace latency: Remove unnecessary "--" from --use-nsec option
    - mtd: rawnand: ingenic: fix empty stub helper definitions
    - RDMA/irdma: Prevent QP use after free
    - RDMA/irdma: Fix Local Invalidate fencing
    - af_packet: do not use READ_ONCE() in packet_bind()
    - tcp: deny tcp_disconnect() when threads are waiting
    - tcp: Return user_mss for TCP_MAXSEG in CLOSE/LISTEN state if user_mss set
    - net/smc: Scan from current RMB list when no position specified
    - net/smc: Don't use RMBs not mapped to new link in SMCRv2 ADD LINK
    - net/sched: sch_ingress: Only create under TC_H_INGRESS
    - net/sched: sch_clsact: Only create under TC_H_CLSACT
    - net/sched: Reserve TC_H_INGRESS (TC_H_CLSACT) for ingress (clsact) Qdiscs
    - net/sched: Prohibit regrafting ingress or clsact Qdiscs
    - net: sched: fix NULL pointer dereference in mq_attach
    - net/netlink: fix NETLINK_LIST_MEMBERSHIPS length report
    - udp6: Fix race condition in udp6_sendmsg & connect
    - nfsd: fix double fget() bug in __write_ports_addfd()
    - nvme: fix the name of Zone Append for verbose logging
    - net/mlx5e: Fix error handling in mlx5e_refresh_tirs
    - net/mlx5: Read embedded cpu after init bit cleared
    - iommu/mediatek: Flush IOTLB completely only if domain has been attached
    - tcp: fix mishandling when the sack compression is deferred.
    - net: dsa: mv88e6xxx: Increase wait after reset deactivation
    - mtd: rawnand: marvell: ensure timing values are written
    - mtd: rawnand: marvell: don't set the NAND frequency select
    - rtnetlink: call validate_linkmsg in rtnl_create_link
    - mptcp: avoid unneeded __mptcp_nmpc_socket() usage
    - mptcp: add annotations around msk->subflow accesses
    - mptcp: avoid unneeded address copy
    - mptcp: simplify subflow_syn_recv_sock()
    - mptcp: consolidate passive msk socket initialization
    - mptcp: fix data race around msk->first access
    - mptcp: add annotations around sk->sk_shutdown accesses
    - drm/amdgpu: release gpu full access after "amdgpu_device_ip_late_init"
    - watchdog: menz069_wdt: fix watchdog initialisation
    - ALSA: hda: Glenfly: add HD Audio PCI IDs and HDMI Codec Vendor IDs.
    - ASoC: Intel: soc-acpi-cht: Add quirk for Nextbook Ares 8A tablet
    - drm/amdgpu: Use the default reset when loading or reloading the driver
    - mailbox: mailbox-test: Fix potential double-free in
      mbox_test_message_write()
    - btrfs: abort transaction when sibling keys check fails for leaves
    - ARM: 9295/1: unwind:fix unwind abort for uleb128 case
    - hwmon: (k10temp) Add PCI ID for family 19, model 78h
    - media: rcar-vin: Select correct interrupt mode for V4L2_FIELD_ALTERNATE
    - platform/x86: intel_scu_pcidrv: Add back PCI ID for Medfield
    - platform/mellanox: fix potential race in mlxbf-tmfifo driver
    - drm/amdgpu: set gfx9 onwards APU atomics support to be true
    - fbdev: imsttfb: Fix use after free bug in imsttfb_probe
    - fbdev: modedb: Add 1920x1080 at 60 Hz video mode
    - fbdev: stifb: Fix info entry in sti_struct on error path
    - nbd: Fix debugfs_create_dir error checking
    - block/rnbd: replace REQ_OP_FLUSH with REQ_OP_WRITE
    - nvme-pci: add NVME_QUIRK_BOGUS_NID for HS-SSD-FUTURE 2048G
    - nvme-pci: add quirk for missing secondary temperature thresholds
    - ASoC: amd: yc: Add DMI entry to support System76 Pangolin 12
    - ASoC: dwc: limit the number of overrun messages
    - um: harddog: fix modular build
    - xfrm: Check if_id in inbound policy/secpath match
    - ASoC: dt-bindings: Adjust #sound-dai-cells on TI's single-DAI codecs
    - ALSA: hda/realtek: Add quirks for ASUS GU604V and GU603V
    - ASoC: ssm2602: Add workaround for playback distortions
    - media: dvb_demux: fix a bug for the continuity counter
    - media: dvb-usb: az6027: fix three null-ptr-deref in az6027_i2c_xfer()
    - media: dvb-usb-v2: ec168: fix null-ptr-deref in ec168_i2c_xfer()
    - media: dvb-usb-v2: ce6230: fix null-ptr-deref in ce6230_i2c_master_xfer()
    - media: dvb-usb-v2: rtl28xxu: fix null-ptr-deref in rtl28xxu_i2c_xfer
    - media: dvb-usb: digitv: fix null-ptr-deref in digitv_i2c_xfer()
    - media: dvb-usb: dw2102: fix uninit-value in su3000_read_mac_address
    - media: netup_unidvb: fix irq init by register it at the end of probe
    - media: dvb_ca_en50221: fix a size write bug
    - media: ttusb-dec: fix memory leak in ttusb_dec_exit_dvb()
    - media: mn88443x: fix !CONFIG_OF error by drop of_match_ptr from ID table
    - media: dvb-core: Fix use-after-free due on race condition at dvb_net
    - media: dvb-core: Fix use-after-free due to race at dvb_register_device()
    - media: dvb-core: Fix use-after-free due to race condition at dvb_ca_en50221
    - ASoC: SOF: debug: conditionally bump runtime_pm counter on exceptions
    - ASoC: SOF: pcm: fix pm_runtime imbalance in error handling
    - ASoC: SOF: sof-client-probes: fix pm_runtime imbalance in error handling
    - ASoC: SOF: pm: save io region state in case of errors in resume
    - s390/pkey: zeroize key blobs
    - s390/topology: honour nr_cpu_ids when adding CPUs
    - ACPI: resource: Add IRQ override quirk for LG UltraPC 17U70P
    - wifi: rtl8xxxu: fix authentication timeout due to incorrect RCR value
    - ARM: dts: stm32: add pin map for CAN controller on stm32f7
    - arm64/mm: mark private VM_FAULT_X defines as vm_fault_t
    - arm64: vdso: Pass (void *) to virt_to_page()
    - wifi: mac80211: simplify chanctx allocation
    - wifi: mac80211: consider reserved chanctx for mindef
    - wifi: mac80211: recalc chanctx mindef before assigning
    - wifi: iwlwifi: mvm: Add locking to the rate read flow
    - scsi: core: Decrease scsi_device's iorequest_cnt if dispatch failed
    - wifi: b43: fix incorrect __packed annotation
    - netfilter: conntrack: define variables exp_nat_nla_policy and any_addr with
      CONFIG_NF_NAT
    - nvme-multipath: don't call blk_mark_disk_dead in nvme_mpath_remove_disk
    - nvme: do not let the user delete a ctrl before a complete initialization
    - ALSA: oss: avoid missing-prototype warnings
    - drm/msm: Be more shouty if per-process pgtables aren't working
    - atm: hide unused procfs functions
    - ceph: silence smatch warning in reconnect_caps_cb()
    - drm/amdgpu: skip disabling fence driver src_irqs when device is unplugged
    - ublk: fix AB-BA lockdep warning
    - nvme-pci: Add quirk for Teamgroup MP33 SSD
    - block: Deny writable memory mapping if block is read-only
    - KVM: arm64: vgic: Fix a circular locking issue
    - KVM: arm64: vgic: Wrap vgic_its_create() with config_lock
    - KVM: arm64: vgic: Fix locking comment
    - media: mediatek: vcodec: Only apply 4K frame sizes on decoder formats
    - mailbox: mailbox-test: fix a locking issue in mbox_test_message_write()
    - drivers: base: cacheinfo: Fix shared_cpu_map changes in event of CPU hotplug
    - media: uvcvideo: Don't expose unsupported formats to userspace
    - iio: accel: st_accel: Fix invalid mount_matrix on devices without ACPI _ONT
      method
    - iio: adc: mxs-lradc: fix the order of two cleanup operations
    - HID: google: add jewel USB id
    - HID: wacom: avoid integer overflow in wacom_intuos_inout()
    - iio: imu: inv_icm42600: fix timestamp reset
    - dt-bindings: iio: adc: renesas,rcar-gyroadc: Fix adi,ad7476 compatible value
    - iio: light: vcnl4035: fixed chip ID check
    - iio: adc: stm32-adc: skip adc-channels setup if none is present
    - iio: adc: ad_sigma_delta: Fix IRQ issue by setting IRQ_DISABLE_UNLAZY flag
    - iio: dac: mcp4725: Fix i2c_master_send() return value handling
    - iio: addac: ad74413: fix resistance input processing
    - iio: adc: ad7192: Change "shorted" channels to differential
    - iio: adc: stm32-adc: skip adc-diff-channels setup if none is present
    - iio: dac: build ad5758 driver when AD5758 is selected
    - net: usb: qmi_wwan: Set DTR quirk for BroadMobi BM818
    - dt-bindings: usb: snps,dwc3: Fix "snps,hsphy_interface" type
    - usb: cdns3: fix NCM gadget RX speed 20x slow than expection at iMX8QM
    - usb: gadget: f_fs: Add unbind event before functionfs_unbind
    - md/raid5: fix miscalculation of 'end_sector' in raid5_read_one_chunk()
    - misc: fastrpc: return -EPIPE to invocations on device removal
    - misc: fastrpc: reject new invocations during device removal
    - scsi: stex: Fix gcc 13 warnings
    - ata: libata-scsi: Use correct device no in ata_find_dev()
    - drm/amdgpu: enable tmz by default for GC 11.0.1
    - drm/amd/pm: reverse mclk and fclk clocks levels for SMU v13.0.4
    - drm/amd/pm: reverse mclk and fclk clocks levels for vangogh
    - drm/amd/pm: resolve reboot exception for si oland
    - drm/amd/pm: reverse mclk clocks levels for SMU v13.0.5
    - drm/amd/pm: reverse mclk and fclk clocks levels for yellow carp
    - drm/amd/pm: reverse mclk and fclk clocks levels for renoir
    - mmc: vub300: fix invalid response handling
    - mmc: pwrseq: sd8787: Fix WILC CHIP_EN and RESETN toggling order
    - tty: serial: fsl_lpuart: use UARTCTRL_TXINV to send break instead of
      UARTCTRL_SBK
    - btrfs: fix csum_tree_block page iteration to avoid tripping on
      -Werror=array-bounds
    - phy: qcom-qmp-combo: fix init-count imbalance
    - phy: qcom-qmp-pcie-msm8996: fix init-count imbalance
    - block: fix revalidate performance regression
    - powerpc/iommu: Limit number of TCEs to 512 for H_STUFF_TCE hcall
    - iommu/amd: Fix domain flush size when syncing iotlb
    - tpm, tpm_tis: correct tpm_tis_flags enumeration values
    - riscv: perf: Fix callchain parse error with kernel tracepoint events
    - io_uring: undeprecate epoll_ctl support
    - selinux: don't use make's grouped targets feature yet
    - mtdchar: mark bits of ioctl handler noinline
    - tracing/timerlat: Always wakeup the timerlat thread
    - tracing/histograms: Allow variables to have some modifiers
    - tracing/probe: trace_probe_primary_from_call(): checked list_first_entry
    - selftests: mptcp: connect: skip if MPTCP is not supported
    - selftests: mptcp: pm nl: skip if MPTCP is not supported
    - selftests: mptcp: join: skip if MPTCP is not supported
    - selftests: mptcp: sockopt: skip if MPTCP is not supported
    - selftests: mptcp: userspace pm: skip if MPTCP is not supported
    - mptcp: fix connect timeout handling
    - mptcp: fix active subflow finalization
    - ext4: add EA_INODE checking to ext4_iget()
    - ext4: set lockdep subclass for the ea_inode in ext4_xattr_inode_cache_find()
    - ext4: disallow ea_inodes with extended attributes
    - ext4: add lockdep annotations for i_data_sem for ea_inode's
    - fbcon: Fix null-ptr-deref in soft_cursor
    - serial: 8250_tegra: Fix an error handling path in tegra_uart_probe()
    - serial: cpm_uart: Fix a COMPILE_TEST dependency
    - powerpc/xmon: Use KSYM_NAME_LEN in array size
    - test_firmware: fix a memory leak with reqs buffer
    - test_firmware: fix the memory leak of the allocated firmware buffer
    - KVM: arm64: Populate fault info for watchpoint
    - KVM: x86: Account fastpath-only VM-Exits in vCPU stats
    - ksmbd: fix credit count leakage
    - ksmbd: fix UAF issue from opinfo->conn
    - ksmbd: fix incorrect AllocationSize set in smb2_get_info
    - ksmbd: fix slab-out-of-bounds read in smb2_handle_negotiate
    - ksmbd: fix multiple out-of-bounds read during context decoding
    - KEYS: asymmetric: Copy sig and digest in public_key_verify_signature()
    - fs/ntfs3: Validate MFT flags before replaying logs
    - regmap: Account for register length when chunking
    - tpm, tpm_tis: Request threaded interrupt handler
    - iommu/amd/pgtbl_v2: Fix domain max address
    - drm/amd/display: Have Payload Properly Created After Resume
    - tls: rx: strp: don't use GFP_KERNEL in softirq context
    - selftests: mptcp: diag: skip if MPTCP is not supported
    - selftests: mptcp: simult flows: skip if MPTCP is not supported
    - selftests: mptcp: join: avoid using 'cmp --bytes'
    - ext4: enable the lazy init thread when remounting read/write
    - iommu: Make IPMMU_VMSA dependencies more strict
    - [Config] updateconfigs for IPMMU_VMSA
    - iommu/amd: Add missing domain type checks
    - efi: Bump stub image version for macOS HVF compatibility
    - rxrpc: Truncate UTS_RELEASE for rxrpc version
    - net: renesas: rswitch: Fix return value in error path of xmit
    - KVM: arm64: Prevent unconditional donation of unmapped regions from the host
    - KVM: arm64: Reload PTE after invoking walker callback on preorder traversal
    - iio: ad4130: Make sure clock provider gets removed
    - iio: adc: mt6370: Fix ibus and ibat scaling value of some specific vendor ID
      chips
    - iio: accel: kx022a fix irq getting
    - misc: fastrpc: Reassign memory ownership only for remote heap
    - module/decompress: Fix error checking on zstd decompression
    - dmaengine: at_hdmac: Repair bitfield macros for peripheral ID handling
    - dmaengine: at_hdmac: Extend the Flow Controller bitfield to three bits
    - test_firmware: prevent race conditions by a correct implementation of
      locking
    - KVM: arm64: Drop last page ref in kvm_pgtable_stage2_free_removed()
    - KVM: x86/mmu: Grab memslot for correct address space in NX recovery worker
    - Upstream stable to v6.1.33, v6.3.7
    - scsi: megaraid_sas: Add flexible array member for SGLs
    - net: sfp: fix state loss when updating state_hw_mask
    - spi: mt65xx: make sure operations completed before unloading
    - platform/surface: aggregator: Allow completion work-items to be executed in
      parallel
    - platform/surface: aggregator_tabletsw: Add support for book mode in KIP
      subsystem
    - spi: qup: Request DMA before enabling clocks
    - afs: Fix setting of mtime when creating a file/dir/symlink
    - wifi: mt76: mt7615: fix possible race in mt7615_mac_sta_poll
    - bpf, sockmap: Avoid potential NULL dereference in
      sk_psock_verdict_data_ready()
    - neighbour: fix unaligned access to pneigh_entry
    - net: dsa: lan9303: allow vid != 0 in port_fdb_{add|del} methods
    - net/ipv4: ping_group_range: allow GID from 2147483648 to 4294967294
    - bpf: Fix UAF in task local storage
    - bpf: Fix elem_size not being set for inner maps
    - net/ipv6: fix bool/int mismatch for skip_notify_on_dev_down
    - net/smc: Avoid to access invalid RMBs' MRs in SMCRv1 ADD LINK CONT
    - net: enetc: correct the statistics of rx bytes
    - net: enetc: correct rx_bytes statistics of XDP
    - net/sched: fq_pie: ensure reasonable TCA_FQ_PIE_QUANTUM values
    - Bluetooth: hci_sync: add lock to protect HCI_UNREGISTER
    - Bluetooth: Fix l2cap_disconnect_req deadlock
    - Bluetooth: ISO: don't try to remove CIG if there are bound CIS left
    - Bluetooth: L2CAP: Add missing checks for invalid DCID
    - wifi: mac80211: use correct iftype HE cap
    - wifi: cfg80211: reject bad AP MLD address
    - wifi: mac80211: mlme: fix non-inheritence element
    - wifi: mac80211: don't translate beacon/presp addrs
    - qed/qede: Fix scheduling while atomic
    - wifi: cfg80211: fix locking in sched scan stop work
    - selftests/bpf: Verify optval=NULL case
    - selftests/bpf: Fix sockopt_sk selftest
    - netfilter: nft_bitwise: fix register tracking
    - netfilter: conntrack: fix NULL pointer dereference in nf_confirm_cthelper
    - netfilter: ipset: Add schedule point in call_ad().
    - netfilter: nf_tables: out-of-bound check in chain blob
    - ipv6: rpl: Fix Route of Death.
    - tcp: gso: really support BIG TCP
    - rfs: annotate lockless accesses to sk->sk_rxhash
    - rfs: annotate lockless accesses to RFS sock flow table
    - net: sched: add rcu annotations around qdisc->qdisc_sleeping
    - drm/i915/selftests: Add some missing error propagation
    - net: sched: move rtm_tca_policy declaration to include file
    - net: sched: act_police: fix sparse errors in tcf_police_dump()
    - net: sched: fix possible refcount leak in tc_chain_tmplt_add()
    - bpf: Add extra path pointer check to d_path helper
    - drm/amdgpu: fix Null pointer dereference error in amdgpu_device_recover_vram
    - lib: cpu_rmap: Fix potential use-after-free in irq_cpu_rmap_release()
    - net: bcmgenet: Fix EEE implementation
    - bnxt_en: Don't issue AP reset during ethtool's reset operation
    - bnxt_en: Query default VLAN before VNIC setup on a VF
    - bnxt_en: Skip firmware fatal error recovery if chip is not accessible
    - bnxt_en: Prevent kernel panic when receiving unexpected PHC_UPDATE event
    - bnxt_en: Implement .set_port / .unset_port UDP tunnel callbacks
    - batman-adv: Broken sync while rescheduling delayed work
    - Input: xpad - delete a Razer DeathAdder mouse VID/PID entry
    - Input: psmouse - fix OOB access in Elantech protocol
    - Input: fix open count when closing inhibited device
    - ALSA: hda: Fix kctl->id initialization
    - ALSA: ymfpci: Fix kctl->id initialization
    - ALSA: gus: Fix kctl->id initialization
    - ALSA: cmipci: Fix kctl->id initialization
    - ALSA: hda/realtek: Add quirk for Clevo NS50AU
    - ALSA: ice1712,ice1724: fix the kcontrol->id initialization
    - ALSA: hda/realtek: Add a quirk for HP Slim Desktop S01
    - ALSA: hda/realtek: Add quirks for Asus ROG 2024 laptops using CS35L41
    - drm/i915/gt: Use the correct error value when kernel_context() fails
    - drm/amdgpu: fix xclk freq on CHIP_STONEY
    - drm/amdgpu: change reserved vram info print
    - drm/amd/pm: Fix power context allocation in SMU13
    - drm/amd/display: Reduce sdp bw after urgent to 90%
    - wifi: iwlwifi: mvm: Fix -Warray-bounds bug in iwl_mvm_wait_d3_notif()
    - can: j1939: j1939_sk_send_loop_abort(): improved error queue handling in
      J1939 Socket
    - can: j1939: change j1939_netdev_lock type to mutex
    - can: j1939: avoid possible use-after-free when j1939_can_rx_register fails
    - mptcp: only send RM_ADDR in nl_cmd_remove
    - mptcp: add address into userspace pm list
    - mptcp: update userspace pm infos
    - selftests: mptcp: update userspace pm addr tests
    - selftests: mptcp: update userspace pm subflow tests
    - ceph: fix use-after-free bug for inodes when flushing capsnaps
    - s390/dasd: Use correct lock while counting channel queue length
    - Bluetooth: Fix use-after-free in hci_remove_ltk/hci_remove_irk
    - Bluetooth: fix debugfs registration
    - Bluetooth: hci_qca: fix debugfs registration
    - tee: amdtee: Add return_origin to 'struct tee_cmd_load_ta'
    - rbd: move RBD_OBJ_FLAG_COPYUP_ENABLED flag setting
    - rbd: get snapshot context after exclusive lock is ensured to be held
    - virtio_net: use control_buf for coalesce params
    - soc: qcom: icc-bwmon: fix incorrect error code passed to dev_err_probe()
    - pinctrl: meson-axg: add missing GPIOA_18 gpio group
    - usb: usbfs: Enforce page requirements for mmap
    - usb: usbfs: Use consistent mmap functions
    - mm: page_table_check: Make it dependent on EXCLUSIVE_SYSTEM_RAM
    - mm: page_table_check: Ensure user pages are not slab pages
    - arm64: dts: qcom: sc8280xp: Flush RSC sleep & wake votes
    - ARM: at91: pm: fix imbalanced reference counter for ethernet devices
    - ARM: dts: at91: sama7g5ek: fix debounce delay property for shdwc
    - ASoC: codecs: wsa883x: do not set can_multi_write flag
    - ASoC: codecs: wsa881x: do not set can_multi_write flag
    - arm64: dts: qcom: sc7180-lite: Fix SDRAM freq for misidentified sc7180-lite
      boards
    - arm64: dts: imx8qm-mek: correct GPIOs for USDHC2 CD and WP signals
    - arm64: dts: imx8-ss-dma: assign default clock rate for lpuarts
    - ASoC: mediatek: mt8195-afe-pcm: Convert to platform remove callback
      returning void
    - ASoC: mediatek: mt8195: fix use-after-free in driver remove path
    - ASoC: simple-card-utils: fix PCM constraint error check
    - blk-mq: fix blk_mq_hw_ctx active request accounting
    - arm64: dts: imx8mn-beacon: Fix SPI CS pinmux
    - i2c: mv64xxx: Fix reading invalid status value in atomic mode
    - firmware: arm_ffa: Set handle field to zero in memory descriptor
    - gpio: sim: fix memory corruption when adding named lines and unnamed hogs
    - i2c: sprd: Delete i2c adapter in .remove's error path
    - riscv: mm: Ensure prot of VM_WRITE and VM_EXEC must be readable
    - eeprom: at24: also select REGMAP
    - soundwire: stream: Add missing clear of alloc_slave_rt
    - riscv: fix kprobe __user string arg print fault issue
    - [Config] updateconfigs for ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE
    - vduse: avoid empty string for dev name
    - vhost: support PACKED when setting-getting vring_base
    - vhost_vdpa: support PACKED when setting-getting vring_base
    - ksmbd: fix out-of-bound read in deassemble_neg_contexts()
    - ksmbd: fix out-of-bound read in parse_lease_state()
    - ksmbd: check the validation of pdu_size in ksmbd_conn_handler_loop
    - ext4: only check dquot_initialize_needed() when debugging
    - wifi: rtw89: correct PS calculation for SUPPORTS_DYNAMIC_PS
    - wifi: rtw88: correct PS calculation for SUPPORTS_DYNAMIC_PS
    - Bluetooth: Split bt_iso_qos into dedicated structures
    - Bluetooth: ISO: consider right CIS when removing CIG at cleanup
    - Bluetooth: ISO: Fix CIG auto-allocation to select configurable CIG
    - netfilter: nf_tables: Add null check for nla_nest_start_noflag() in
      nft_dump_basechain_hook()
    - drm/lima: fix sched context destroy
    - net: openvswitch: fix upcall counter access before allocation
    - bnxt_en: Fix bnxt_hwrm_update_rss_hash_cfg()
    - Input: cyttsp5 - fix array length
    - soc: qcom: rpmh-rsc: drop redundant unsigned >=0 comparision
    - arm64: dts: qcom: sm6375-pdx225: Fix remoteproc firmware paths
    - vdpa/mlx5: Fix hang when cvq commands are triggered during device unregister
    - ksmbd: fix posix_acls and acls dereferencing possible ERR_PTR()
    - Upstream stable to v6.1.34, v6.3.8

  * CVE-2023-4273
    - exfat: check if filename entries exceeds max filename length

  * CVE-2023-4128
    - net/sched: cls_u32: No longer copy tcf_result on update to avoid use-after-
      free
    - net/sched: cls_fw: No longer copy tcf_result on update to avoid use-after-
      free
    - net/sched: cls_route: No longer copy tcf_result on update to avoid use-
      after-free

  * CVE-2023-3212
    - gfs2: Don't deref jdesc in evict

Date: 2023-09-04 11:54:08.506021+00:00
Changed-By: Stefan Bader <stefan.bader at canonical.com>
Signed-By: Andy Whitcroft <apw at canonical.com>
https://launchpad.net/ubuntu/+source/linux/6.2.0-34.34
-------------- next part --------------
Sorry, changesfile not available.


More information about the lunar-changes mailing list