This bug was fixed in the package linux - 5.4.0-200.220
---------------
linux (5.4.0-200.220) focal; urgency=medium
* focal/linux: 5.4.0-200.220 -proposed tracker (LP: #2082937)
* Packaging resync (LP: #1786013)
- [Packaging] debian.master/dkms-versions -- update from kernel-versions
(main/2024.09.30)
* CVE-2024-26800
- tls: rx: coalesce exit paths in tls_decrypt_sg()
- tls: separate no-async decryption request handling from async
- tls: fix use-after-free on failed backlog decryption
* CVE-2024-26641
- ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()
* CVE-2021-47212
- net/mlx5: Update error handler for UCTX and UMEM
* wbt:wbt_* trace event NULL pointer dereference with GENHD_FL_HIDDEN disks
(LP: #2081085)
- bdi: use bdi_dev_name() to get device name
* Focal update: v5.4.284 upstream stable release (LP: #2081278)
- drm: panel-orientation-quirks: Add quirk for OrangePi Neo
- i2c: Fix conditional for substituting empty ACPI functions
- net: usb: qmi_wwan: add MeiG Smart SRM825L
- drm/amdgpu: Fix uninitialized variable warning in amdgpu_afmt_acr
- drm/amdgpu: fix overflowed array index read warning
- drm/amd/display: Check gpio_id before used as array index
- drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6
- drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[]
- drm/amd/display: Fix Coverity INTEGER_OVERFLOW within
dal_gpio_service_create
- drm/amdgpu: fix ucode out-of-bounds read warning
- drm/amdgpu: fix mc_data out-of-bounds read warning
- drm/amdkfd: Reconcile the definition and use of oem_id in struct
kfd_topology_device
- apparmor: fix possible NULL pointer dereference
- ionic: fix potential irq name truncation
- usbip: Don't submit special requests twice
- usb: typec: ucsi: Fix null pointer dereference in trace
- smack: tcp: ipv4, fix incorrect labeling
- wifi: cfg80211: make hash table duplicates more survivable
- drm/amd/display: Skip wbscl_set_scaler_filter if filter is null
- media: uvcvideo: Enforce alignment of frame and interval
- block: initialize integrity buffer to zero before writing it to media
- net: set SOCK_RCU_FREE before inserting socket into hashtable
- virtio_net: Fix napi_skb_cache_put warning
- udf: Limit file size to 4TB
- i2c: Use IS_REACHABLE() for substituting empty ACPI functions
- sch/netem: fix use after free in netem_dequeue
- ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object
- ALSA: hda/conexant: Add pincfg quirk to enable top speakers on Sirius
devices
- ata: libata: Fix memory leak for error path in ata_host_alloc()
- irqchip/gic-v2m: Fix refcount leak in gicv2m_of_init()
- mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K
- mmc: sdhci-of-aspeed: fix module autoloading
- fuse: update stats for pages in dropped aux writeback list
- fuse: use unsigned type for getxattr/listxattr size truncation
- reset: hi6220: Add support for AO reset controller
- clk: hi6220: use CLK_OF_DECLARE_DRIVER
- clk: qcom: clk-alpha-pll: Fix the pll post div mask
- clk: qcom: clk-alpha-pll: Fix the trion pll postdiv set rate API
- ila: call nf_unregister_net_hooks() sooner
- sched: sch_cake: fix bulk flow accounting logic for host fairness
- nilfs2: fix missing cleanup on rollforward recovery error
- nilfs2: fix state management in error path of log writing function
- ALSA: hda: Add input value sanity checks to HDMI channel map controls
- smack: unix sockets: fix accept()ed socket label
- irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1
- af_unix: Remove put_pid()/put_cred() in copy_peercred().
- netfilter: nf_conncount: fix wrong variable type
- udf: Avoid excessive partition lengths
- wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3
- usb: uas: set host status byte on data completion error
- PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)
- media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse
- pcmcia: Use resource_size function on resource object
- can: bcm: Remove proc entry when dev is unregistered.
- igb: Fix not clearing TimeSync interrupts for 82580
- platform/x86: dell-smbios: Fix error path in dell_smbios_init()
- tcp_bpf: fix return value of tcp_bpf_sendmsg()
- cx82310_eth: re-enable ethernet mode after router reboot
- drivers/net/usb: Remove all strcpy() uses
- net: usb: don't write directly to netdev->dev_addr
- usbnet: modern method to get random MAC
- net: bridge: fdb: convert is_local to bitops
- net: bridge: fdb: convert is_static to bitops
- net: bridge: fdb: convert is_sticky to bitops
- net: bridge: fdb: convert added_by_user to bitops
- net: bridge: fdb: convert added_by_external_learn to use bitops
- net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN
- net: dsa: vsc73xx: fix possible subblocks range of CAPT block
- ASoC: topology: Properly initialize soc_enum values
- dm init: Handle minors larger than 255
- iommu/vt-d: Handle volatile descriptor status read
- cgroup: Protect css->cgroup write under css_set_lock
- um: line: always fill *error_out in setup_one_line()
- devres: Initialize an uninitialized struct member
- pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv
- hwmon: (adc128d818) Fix underflows seen when writing limit attributes
- hwmon: (lm95234) Fix underflows seen when writing limit attributes
- hwmon: (nct6775-core) Fix underflows seen when writing limit attributes
- hwmon: (w83627ehf) Fix underflows seen when writing limit attributes
- libbpf: Add NULL checks to bpf_object__{prev_map,next_map}
- wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()
- smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu()
- btrfs: replace BUG_ON with ASSERT in walk_down_proc()
- btrfs: clean up our handling of refs == 0 in snapshot delete
- PCI: Add missing bridge lock to pci_bus_lock()
- btrfs: initialize location to fix -Wmaybe-uninitialized in
btrfs_lookup_dentry()
- HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup
- Input: uinput - reject requests with unreasonable number of slots
- usbnet: ipheth: race between ipheth_close and error handling
- Squashfs: sanity check symbolic link size
- of/irq: Prevent device address out-of-bounds read in interrupt map walk
- lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()
- ata: pata_macio: Use WARN instead of BUG
- NFSv4: Add missing rescheduling points in
nfs_client_return_marked_delegations
- staging: iio: frequency: ad9834: Validate frequency parameter value
- iio: buffer-dmaengine: fix releasing dma channel on error
- iio: fix scale application in iio_convert_raw_to_processed_unlocked
- binder: fix UAF caused by offsets overwrite
- nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc
- uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind
- Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic
- VMCI: Fix use-after-free when removing resource in vmci_resource_remove()
- clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX
- clocksource/drivers/imx-tpm: Fix next event not taking effect sometime
- clocksource/drivers/timer-of: Remove percpu irq related code
- uprobes: Use kzalloc to allocate xol area
- ring-buffer: Rename ring_buffer_read() to read_buffer_iter_advance()
- tracing: Avoid possible softlockup in tracing_iter_reset()
- nilfs2: replace snprintf in show functions with sysfs_emit
- nilfs2: protect references to superblock parameters exposed in sysfs
- ACPI: processor: Return an error if acpi_processor_get_info() fails in
processor_add()
- ACPI: processor: Fix memory leaks in error paths of processor_add()
- arm64: acpi: Move get_cpu_for_acpi_id() to a header
- arm64: acpi: Harden get_cpu_for_acpi_id() against missing CPU entry
- nvmet-tcp: fix kernel crash if commands allocation fails
- drm/i915/fence: Mark debug_fence_init_onstack() with __maybe_unused
- drm/i915/fence: Mark debug_fence_free() with __maybe_unused
- rtmutex: Drop rt_mutex::wait_lock before scheduling
- net, sunrpc: Remap EPERM in case of connection failure in
xs_tcp_setup_socket
- cx82310_eth: fix error return code in cx82310_bind()
- Linux 5.4.284
* CVE-2024-42244
- USB: serial: mos7840: fix crash on resume
* CVE-2024-40929
- wifi: iwlwifi: mvm: check n_ssids before accessing the ssids
* CVE-2024-41073
- nvme: avoid double free special payload
* CVE-2024-41071
- wifi: mac80211: Avoid address calculations via out of bounds array indexing
* CVE-2024-42229
- crypto: aead, cipher - zeroize key buffer after use
* CVE-2024-38611
- media: i2c: et8ek8: Don't strip remove function when driver is builtin
* CVE-2024-38602
- ax25: Fix reference count leak issues of ax25_dev
* CVE-2024-35848
- misc: eeprom: at24: fix regulator underflow
- misc: eeprom: at24: register nvmem only after eeprom is ready to use
- eeprom: at24: fix memory corruption race condition
* CVE-2024-26669
- net/sched: flower: Fix chain template offload
* CVE-2024-26668
- netfilter: nft_limit: rename stateful structure
- netfilter: nft_limit: reject configurations that cause integer overflow
* CVE-2024-26640
- net-zerocopy: Refactor frag-is-remappable test.
- tcp: add sanity checks to rx zerocopy
* CVE-2024-26607
- drm/bridge: sii902x: Fix probing race issue
* CVE-2023-52614
- PM / devfreq: Fix buffer overflow in trans_stat_show
* CVE-2023-52531
- wifi: iwlwifi: mvm: Fix a memory corruption issue
* CVE-2022-36402
- drm/vmwgfx: Use enum to represent graphics context capabilities
- drm/vmwgfx: Fix shader stage validation
* Focal update: v5.4.283 upstream stable release (LP: #2080595)
- fuse: Initialize beyond-EOF page contents before setting uptodate
- ALSA: usb-audio: Support Yamaha P-125 quirk entry
- xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration
- s390/dasd: fix error recovery leading to data corruption on ESE devices
- arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to
NUMA_NO_NODE
- dm resume: don't return EINVAL when signalled
- dm persistent data: fix memory allocation failure
- vfs: Don't evict inode under the inode lru traversing context
- bitmap: introduce generic optimized bitmap_size()
- fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE
- selinux: fix potential counting error in avc_add_xperms_decision()
- drm/amdgpu: Actually check flags for all context ops.
- memcg_write_event_control(): fix a user-triggerable oops
- overflow.h: Add flex_array_size() helper
- overflow: Implement size_t saturating arithmetic helpers
- s390/cio: rename bitmap_size() -> idset_bitmap_size()
- btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits()
- s390/uv: Panic for set and remove shared access UVC errors
- net/mlx5e: Correctly report errors for ethtool rx flows
- atm: idt77252: prevent use after free in dequeue_rx()
- net: axienet: Fix DMA descriptor cleanup path
- net: axienet: Improve DMA error handling
- net: axienet: Factor out TX descriptor chain cleanup
- net: axienet: Check for DMA mapping errors
- net: axienet: Drop MDIO interrupt registers from ethtools dump
- net: axienet: Wrap DMA pointer writes to prepare for 64 bit
- net: axienet: Upgrade descriptors to hold 64-bit addresses
- net: axienet: Autodetect 64-bit DMA capability
- net: axienet: Fix register defines comment description
- net: dsa: vsc73xx: pass value in phy_write operation
- net: hns3: fix a deadlock problem when config TC during resetting
- ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7
- ssb: Fix division by zero issue in ssb_calc_clock_rate
- wifi: cw1200: Avoid processing an invalid TIM IE
- i2c: riic: avoid potential division by zero
- media: radio-isa: use dev_name to fill in bus_info
- staging: ks7010: disable bh on tx_dev_lock
- binfmt_misc: cleanup on filesystem umount
- scsi: spi: Fix sshdr use
- gfs2: setattr_chown: Add missing initialization
- wifi: iwlwifi: abort scan when rfkill on but device enabled
- IB/hfi1: Fix potential deadlock on &irq_src_lock and &dd->uctxt_lock
- powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu
- nvmet-trace: avoid dereferencing pointer too early
- ext4: do not trim the group with corrupted block bitmap
- quota: Remove BUG_ON from dqget()
- media: pci: cx23885: check cx23885_vdev_init() return
- fs: binfmt_elf_efpic: don't use missing interpreter's properties
- scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list()
- net/sun3_82586: Avoid reading past buffer in debug output
- drm/lima: set gp bus_stop bit before hard reset
- virtiofs: forbid newlines in tags
- md: clean up invalid BUG_ON in md_ioctl
- x86: Increase brk randomness entropy for 64-bit systems
- powerpc/boot: Handle allocation failure in simple_realloc()
- powerpc/boot: Only free if realloc() succeeds
- btrfs: change BUG_ON to assertion when checking for delayed_node root
- btrfs: handle invalid root reference found in may_destroy_subvol()
- btrfs: send: handle unexpected data in header buffer in begin_cmd()
- btrfs: delete pointless BUG_ON check on quota root in
btrfs_qgroup_account_extent()
- f2fs: fix to do sanity check in update_sit_entry
- usb: gadget: fsl: Increase size of name buffer for endpoints
- nvme: clear caller pointer on identify failure
- Bluetooth: bnep: Fix out-of-bound access
- nvmet-tcp: do not continue for invalid icreq
- NFS: avoid infinite loop in pnfs_update_layout.
- openrisc: Call setup_memory() earlier in the init sequence
- s390/iucv: fix receive buffer virtual vs physical address confusion
- usb: dwc3: core: Skip setting event buffers for host only controllers
- irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc
- ext4: set the type of max_zeroout to unsigned int to avoid overflow
- nvmet-rdma: fix possible bad dereference when freeing rsps
- hrtimer: Prevent queuing of hrtimer without a function callback
- gtp: pull network headers in gtp_dev_xmit()
- block: use "unsigned long" for blk_validate_block_size().
- media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c)
- dm mpath: pass IO start time to path selector
- dm: do not use waitqueue for request-based DM
- dm suspend: return -ERESTARTSYS instead of -EINTR
- Bluetooth: Make use of __check_timeout on hci_sched_le
- Bluetooth: hci_core: Fix not handling link timeouts propertly
- Bluetooth: hci_core: Fix LE quote calculation
- tc-testing: don't access non-existent variable on exception
- kcm: Serialise kcm_sendmsg() for the same socket.
- netfilter: nft_counter: Synchronize nft_counter_reset() against reader.
- net: dsa: mv88e6xxx: global2: Expose ATU stats register
- net: dsa: mv88e6xxx: global1_atu: Add helper for get next
- net: dsa: mv88e6xxx: read FID when handling ATU violations
- net: dsa: mv88e6xxx: replace ATU violation prints with trace points
- net: dsa: mv88e6xxx: Fix out-of-bound access
- ipv6: prevent UAF in ip6_send_skb()
- net: xilinx: axienet: Always disable promiscuous mode
- net: xilinx: axienet: Fix dangling multicast addresses
- drm/msm: use drm_debug_enabled() to check for debug categories
- drm/msm/dpu: don't play tricks with debug macros
- mmc: mmc_test: Fix NULL dereference on allocation failure
- Bluetooth: MGMT: Add error handling to pair_device()
- HID: wacom: Defer calculation of resolution until resolution_code is known
- HID: microsoft: Add rumble support to latest xbox controllers
- cxgb4: add forgotten u64 ivlan cast before shift
- mmc: dw_mmc: allow biu and ciu clocks to defer
- ALSA: timer: Relax start tick time check for slave timer elements
- Input: MT - limit max slots
- tools: move alignment-related macros to new <linux/align.h>
- pinctrl: single: fix potential NULL dereference in pcs_get_function()
- wifi: mwifiex: duplicate static structs used in driver instances
- drm/amdkfd: don't allow mapping the MMIO HDP page with large pages
- filelock: Correct the filelock owner in fcntl_setlk/fcntl_setlk64
- media: uvcvideo: Fix integer overflow calculating timestamp
- ata: libata-core: Fix null pointer dereference on error
- cgroup/cpuset: Prevent UAF in proc_cpuset_show()
- net:rds: Fix possible deadlock in rds_message_put
- soundwire: stream: fix programming slave ports for non-continous port maps
- r8152: Factor out OOB link list waits
- ethtool: check device is present when getting link settings
- gtp: fix a potential NULL pointer dereference
- net: busy-poll: use ktime_get_ns() instead of local_clock()
- nfc: pn533: Add dev_up/dev_down hooks to phy_ops
- nfc: pn533: Add autopoll capability
- nfc: pn533: Add poll mod list filling check
- soc: qcom: cmd-db: Map shared memory as WC, not WB
- cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller
- USB: serial: option: add MeiG Smart SRM825L
- usb: dwc3: omap: add missing depopulate in probe error path
- usb: dwc3: core: Prevent USB core invalid event buffer address access
- usb: dwc3: st: fix probed platform device ref count on probe error path
- usb: dwc3: st: add missing depopulate in probe error path
- usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in
remove_power_attributes()
- net: dsa: mv8e6xxx: Fix stub function parameters
- scsi: aacraid: Fix double-free on probe failure
- Linux 5.4.283
* CVE-2024-27051
- cpufreq: brcmstb-avs-cpufreq: add check for cpufreq_cpu_get's return value
- cpufreq: brcmstb-avs-cpufreq: ISO C90 forbids mixed declarations
* CVE-2024-26891
- PCI: Make pci_dev_is_disconnected() helper public for other drivers
- iommu/vt-d: Don't issue ATS Invalidation request when device is disconnected
* Focal update: v5.4.282 upstream stable release (LP: #2078388)
- EDAC, skx_common: Refactor so that we initialize "dev" in result of adxl
decode.
- EDAC, skx: Retrieve and print retry_rd_err_log registers
- EDAC/skx_common: Add new ADXL components for 2-level memory
- EDAC, i10nm: make skx_common.o a separate module
- platform/chrome: cros_ec_debugfs: fix wrong EC message version
- hfsplus: fix to avoid false alarm of circular locking
- x86/of: Return consistent error type from x86_of_pci_irq_enable()
- x86/pci/intel_mid_pci: Fix PCIBIOS_* return code handling
- x86/pci/xen: Fix PCIBIOS_* return code handling
- x86/platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos
- hwmon: (adt7475) Fix default duty on fan is disabled
- pwm: stm32: Always do lazy disabling
- hwmon: (max6697) Fix underflow when writing limit attributes
- hwmon: (max6697) Fix swapped temp{1,8} critical alarms
- arm64: dts: qcom: sdm845: add power-domain to UFS PHY
- arm64: dts: qcom: msm8996: specify UFS core_clk frequencies
- arm64: dts: rockchip: Increase VOP clk rate on RK3328
- ARM: dts: imx6qdl-kontron-samx6i: move phy reset into phy-node
- ARM: dts: imx6qdl-kontron-samx6i: fix PHY reset
- ARM: dts: imx6qdl-kontron-samx6i: fix board reset
- ARM: dts: imx6qdl-kontron-samx6i: fix PCIe reset polarity
- arm64: dts: mediatek: mt7622: fix "emmc" pinctrl mux
- arm64: dts: amlogic: gx: correct hdmi clocks
- m68k: atari: Fix TT bootup freeze / unexpected (SCU) interrupt messages
- x86/xen: Convert comma to semicolon
- m68k: cmpxchg: Fix return value for default case in __arch_xchg()
- firmware: turris-mox-rwtm: Fix checking return value of
wait_for_completion_timeout()
- firmware: turris-mox-rwtm: Initialize completion before mailbox
- wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device
- net/smc: Allow SMC-D 1MB DMB allocations
- net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when
CONFIG_ARCH_NO_SG_CHAIN is defined
- selftests/bpf: Check length of recv in test_sockmap
- lib: objagg: Fix general protection fault
- mlxsw: spectrum_acl_erp: Fix object nesting warning
- wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he()
- wifi: cfg80211: handle 2x996 RU allocation in
cfg80211_calculate_bitrate_he()
- net: fec: Refactor: #define magic constants
- net: fec: Fix FEC_ECR_EN1588 being cleared on link-down
- ipvs: Avoid unnecessary calls to skb_is_gso_sctp
- netfilter: nf_tables: rise cap on SELinux secmark context
- perf/x86/intel/pt: Fix pt_topa_entry_for_page() address calculation
- perf: Fix perf_aux_size() for greater-than 32-bit size
- perf: Prevent passing zero nr_pages to rb_alloc_aux()
- qed: Improve the stack space of filter_config()
- wifi: virt_wifi: avoid reporting connection success with wrong SSID
- gss_krb5: Fix the error handling path for crypto_sync_skcipher_setkey
- wifi: virt_wifi: don't use strlen() in const context
- bna: adjust 'name' buf size of bna_tcb and bna_ccb structures
- selftests: forwarding: devlink_lib: Wait for udev events after reloading
- media: dvb-usb: Fix unexpected infinite loop in
dvb_usb_read_remote_control()
- media: imon: Fix race getting ictx->lock
- saa7134: Unchecked i2c_transfer function result fixed
- media: uvcvideo: Allow entity-defined get_info and get_cur
- media: uvcvideo: Override default flags
- media: renesas: vsp1: Fix _irqsave and _irq mix
- media: renesas: vsp1: Store RPF partition configuration per RPF instance
- leds: trigger: Unregister sysfs attributes before calling deactivate()
- perf report: Fix condition in sort__sym_cmp()
- drm/etnaviv: fix DMA direction handling for cached RW buffers
- drm/qxl: Add check for drm_cvt_mode
- mfd: omap-usb-tll: Use struct_size to allocate tll
- SUNRPC: avoid soft lockup when transmitting UDP to reachable server.
- ext4: avoid writing unitialized memory to disk in EA inodes
- sparc64: Fix incorrect function signature and add prototype for
prom_cif_init
- SUNRPC: Fixup gss_status tracepoint error output
- PCI: Fix resource double counting on remove & rescan
- Input: qt1050 - handle CHIP_ID reading error
- RDMA/mlx4: Fix truncated output warning in mad.c
- RDMA/mlx4: Fix truncated output warning in alias_GUID.c
- RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs
- ASoC: max98088: Check for clk_prepare_enable() error
- mtd: make mtd_test.c a separate module
- RDMA/device: Return error earlier if port in not valid
- Input: elan_i2c - do not leave interrupt disabled on suspend failure
- MIPS: Octeron: remove source file executable bit
- powerpc/xmon: Fix disassembly CPU feature checks
- macintosh/therm_windtunnel: fix module unload.
- bnxt_re: Fix imm_data endianness
- netfilter: ctnetlink: use helper function to calculate expect ID
- pinctrl: core: fix possible memory leak when pinctrl_enable() fails
- pinctrl: single: fix possible memory leak when pinctrl_enable() fails
- pinctrl: ti: ti-iodelay: Drop if block with always false condition
- pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable()
fails
- pinctrl: freescale: mxs: Fix refcount of child
- fs/nilfs2: remove some unused macros to tame gcc
- nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro
- rtc: interface: Add RTC offset to alarm after fix-up
- tick/broadcast: Make takeover of broadcast hrtimer reliable
- net: netconsole: Disable target before netpoll cleanup
- af_packet: Handle outgoing VLAN packets without hardware offloading
- ipv6: take care of scope when choosing the src addr
- char: tpm: Fix possible memory leak in tpm_bios_measurements_open()
- media: venus: fix use after free in vdec_close
- hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()
- drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes
- drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes
- drm/amd/display: Check for NULL pointer
- udf: Avoid using corrupted block bitmap buffer
- m68k: amiga: Turn off Warp1260 interrupts during boot
- ext4: check dot and dotdot of dx_root before making dir indexed
- ext4: make sure the first directory block is not a hole
- wifi: mwifiex: Fix interface type change
- leds: ss4200: Convert PCIBIOS_* return codes to errnos
- tools/memory-model: Fix bug in lock.cat
- hwrng: amd - Convert PCIBIOS_* return codes to errnos
- PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN
- binder: fix hang of unregistered readers
- scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds
- f2fs: fix to don't dirty inode for readonly filesystem
- clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use
- ubi: eba: properly rollback inside self_check_eba
- decompress_bunzip2: fix rare decompression failure
- kobject_uevent: Fix OOB access within zap_modalias_env()
- rtc: cmos: Fix return value of nvmem callbacks
- scsi: qla2xxx: During vport delete send async logout explicitly
- scsi: qla2xxx: Fix for possible memory corruption
- scsi: qla2xxx: Complete command early within lock
- scsi: qla2xxx: validate nvme_local_port correctly
- perf/x86/intel/pt: Fix topa_entry base length
- perf/x86/intel/pt: Fix a topa_entry base address calculation
- rtc: isl1208: Fix return value of nvmem callbacks
- watchdog/perf: properly initialize the turbo mode timestamp and rearm
counter
- platform: mips: cpu_hwmon: Disable driver on unsupported hardware
- RDMA/iwcm: Fix a use-after-free related to destroying CM IDs
- selftests/sigaltstack: Fix ppc64 GCC build
- rbd: don't assume rbd_is_lock_owner() for exclusive mappings
- drm/panfrost: Mark simple_ondemand governor as softdep
- rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait
- rbd: don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings
- Bluetooth: btusb: Add RTL8852BE device 0489:e125 to device tables
- Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591
- nilfs2: handle inconsistent state in nilfs_btnode_create_block()
- kdb: address -Wformat-security warnings
- kdb: Use the passed prompt in kdb_position_cursor()
- jfs: Fix array-index-out-of-bounds in diFree
- um: time-travel: fix time-travel-start option
- libbpf: Fix no-args func prototype BTF dumping syntax
- dma: fix call order in dmam_free_coherent
- MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later
- ipv4: Fix incorrect source address in Record Route option
- net: bonding: correctly annotate RCU in bond_should_notify_peers()
- tipc: Return non-zero value from tipc_udp_addr2str() on error
- net: nexthop: Initialize all fields in dumped nexthops
- bpf: Fix a segment issue when downgrading gso_size
- mISDN: Fix a use after free in hfcmulti_tx()
- powerpc: fix a file leak in kvm_vcpu_ioctl_enable_cap()
- ASoC: Intel: Convert to new X86 CPU match macros
- ASoC: Intel: Move soc_intel_is_foo() helpers to a generic header
- ASoC: Intel: use soc_intel_is_byt_cr() only when IOSF_MBI is reachable
- nvme-pci: add missing condition check for existence of mapped data
- mm: avoid overflows in dirty throttling logic
- PCI: rockchip: Make 'ep-gpios' DT property optional
- PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio
- parport: Convert printk(KERN_<LEVEL> to pr_<level>(
- parport: Standardize use of printmode
- dev/parport: fix the array out-of-bounds risk
- driver core: Cast to (void *) with __force for __percpu pointer
- devres: Fix memory leakage caused by driver API devm_free_percpu()
- genirq: Allow the PM device to originate from irq domain
- irqchip/imx-irqsteer: Constify irq_chip struct
- irqchip/imx-irqsteer: Add runtime PM support
- irqchip/imx-irqsteer: Handle runtime power management correctly
- remoteproc: imx_rproc: ignore mapping vdev regions
- remoteproc: imx_rproc: Fix ignoring mapping vdev regions
- remoteproc: imx_rproc: Skip over memory region when node value is NULL
- drm/nouveau: prime: fix refcount underflow
- drm/vmwgfx: Fix overlay when using Screen Targets
- net/iucv: fix use after free in iucv_sock_close()
- net/mlx5e: Add a check for the return value from mlx5_port_set_eth_ptys
- ipv6: fix ndisc_is_useropt() handling for PIO
- HID: wacom: Modify pen IDs
- protect the fetch of ->fd[fd] in do_dup2() from mispredictions
- ALSA: usb-audio: Correct surround channels in UAC1 channel map
- net: usb: sr9700: fix uninitialized variable use in sr_mdio_read
- netfilter: ipset: Add list flush to cancel_gc
- genirq: Allow irq_chip registration functions to take a const irq_chip
- irqchip/mbigen: Fix mbigen node address layout
- x86/mm: Fix pti_clone_pgtable() alignment assumption
- sctp: move hlist_node and hashent out of sctp_ep_common
- sctp: Fix null-ptr-deref in reuseport_add_sock().
- net: usb: qmi_wwan: fix memory leak for not ip packets
- net: linkwatch: use system_unbound_wq
- Bluetooth: l2cap: always unlock channel in l2cap_conless_channel()
- net: fec: Stop PPS on driver remove
- md/raid5: avoid BUG_ON() while continue reshape after reassembling
- clocksource/drivers/sh_cmt: Address race condition for clock events
- ACPI: battery: create alarm sysfs attribute atomically
- ACPI: SBS: manage alarm sysfs attribute through psy core
- selftests/bpf: Fix send_signal test with nested CONFIG_PARAVIRT
- PCI: Add Edimax Vendor ID to pci_ids.h
- udf: prevent integer overflow in udf_bitmap_free_blocks()
- wifi: nl80211: don't give key data to userspace
- btrfs: fix bitmap leak when loading free space cache on duplicate entry
- drm/amdgpu: Fix the null pointer dereference to ras_manager
- media: uvcvideo: Ignore empty TS packets
- media: uvcvideo: Fix the bandwdith quirk on USB 3.x
- jbd2: avoid memleak in jbd2_journal_write_metadata_buffer
- s390/sclp: Prevent release of buffer in I/O
- SUNRPC: Fix a race to wake a sync task
- ext4: fix wrong unit use in ext4_mb_find_by_goal
- arm64: cpufeature: Force HWCAP to be based on the sysreg visible to user-
space
- arm64: Add Neoverse-V2 part
- arm64: cputype: Add Cortex-X4 definitions
- arm64: cputype: Add Neoverse-V3 definitions
- arm64: errata: Add workaround for Arm errata 3194386 and 3312417
- [Config] Set ARM64_ERRATUM_3194386=y
- arm64: cputype: Add Cortex-X3 definitions
- arm64: cputype: Add Cortex-A720 definitions
- arm64: cputype: Add Cortex-X925 definitions
- arm64: errata: Unify speculative SSBS errata logic
- arm64: errata: Expand speculative SSBS workaround
- arm64: cputype: Add Cortex-X1C definitions
- arm64: cputype: Add Cortex-A725 definitions
- arm64: errata: Expand speculative SSBS workaround (again)
- i2c: smbus: Don't filter out duplicate alerts
- i2c: smbus: Improve handling of stuck alerts
- i2c: smbus: Send alert notifications to all devices if source not found
- bpf: kprobe: remove unused declaring of bpf_kprobe_override
- spi: fsl-lpspi: remove unneeded array
- spi: spi-fsl-lpspi: Fix scldiv calculation
- drm/client: fix null pointer dereference in drm_client_modeset_probe
- ALSA: line6: Fix racy access to midibuf
- ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list
- ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4
- usb: vhci-hcd: Do not drop references before new references are gained
- USB: serial: debug: do not echo input by default
- usb: gadget: core: Check for unset descriptor
- scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic
- tick/broadcast: Move per CPU pointer access into the atomic section
- ntp: Clamp maxerror and esterror to operating range
- driver core: Fix uevent_show() vs driver detach race
- ntp: Safeguard against time_constant overflow
- scsi: mpt3sas: Remove scsi_dma_map() error messages
- scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES
- serial: core: check uartclk for zero to avoid divide by zero
- genirq/irqdesc: Honor caller provided affinity in alloc_desc()
- power: supply: axp288_charger: Fix constant_charge_voltage writes
- power: supply: axp288_charger: Round constant_charge_voltage writes down
- tracing: Fix overflow in get_free_elt()
- x86/mtrr: Check if fixed MTRRs exist before saving them
- drm/bridge: analogix_dp: properly handle zero sized AUX transactions
- drm/mgag200: Set DDC timeout in milliseconds
- Fix gcc 4.9 build issue in 5.4.y
- kbuild: Fix '-S -c' in x86 stack protector scripts
- netfilter: nf_tables: set element extended ACK reporting support
- netfilter: nf_tables: prefer nft_chain_validate
- drm/i915/gem: Fix Virtual Memory mapping boundaries calculation
- arm64: cpufeature: Fix the visibility of compat hwcaps
- media: uvcvideo: Use entity get_cur in uvc_ctrl_set
- exec: Fix ToCToU between perm check and set-uid/gid usage
- nvme/pci: Add APST quirk for Lenovo N60z laptop
- ARM: dts: imx6qdl-kontron-samx6i: fix phy-mode
- media: Revert "media: dvb-usb: Fix unexpected infinite loop in
dvb_usb_read_remote_control()"
- Linux 5.4.282
* CVE-2024-26885
- bpf: Fix DEVMAP_HASH overflow check on 32-bit arches
* Focal update: v5.4.281 upstream stable release (LP: #2076097)
- gcc-plugins: Rename last_stmt() for GCC 14+
- filelock: Remove locks reliably when fcntl/close race is detected
- scsi: qedf: Set qed_slowpath_params to zero before use
- ACPI: EC: Abort address space access upon error
- ACPI: EC: Avoid returning AE_OK on errors in address space handler
- wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata
- wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan()
- Input: silead - Always support 10 fingers
- ila: block BH in ila_output()
- kconfig: gconf: give a proper initial state to the Save button
- kconfig: remove wrong expr_trans_bool()
- fs/file: fix the check in find_next_fd()
- mei: demote client disconnect warning on suspend to debug
- wifi: cfg80211: wext: add extra SIOCSIWSCAN data check
- KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()
- ALSA: hda/realtek: Add more codec ID to no shutup pins list
- mips: fix compat_sys_lseek syscall
- Input: elantech - fix touchpad state on resume for Lenovo N24
- bytcr_rt5640 : inverse jack detect for Archos 101 cesium
- ASoC: ti: davinci-mcasp: Set min period size using FIFO config
- ASoC: ti: omap-hdmi: Fix too long driver name
- can: kvaser_usb: fix return value for hif_usb_send_regout
- s390/sclp: Fix sclp_init() cleanup on failure
- ALSA: dmaengine_pcm: terminate dmaengine before synchronize
- net: usb: qmi_wwan: add Telit FN912 compositions
- net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and
DEV_STATS_ADD()
- powerpc/pseries: Whitelist dtl slub object for copying to userspace
- powerpc/eeh: avoid possible crash when edev->pdev changes
- scsi: libsas: Fix exp-attached device scan after probe failure scanned in
again after probe failed
- Bluetooth: hci_core: cancel all works upon hci_unregister_dev()
- fs: better handle deep ancestor chains in is_subdir()
- spi: imx: Don't expect DMA for i.MX{25,35,50,51,53} cspi devices
- selftests/vDSO: fix clang build errors and warnings
- hfsplus: fix uninit-value in copy_name
- ARM: 9324/1: fix get_user() broken with veneer
- ACPI: processor_idle: Fix invalid comparison with insertion sort for latency
- drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()
- net: relax socket state check at accept time.
- ocfs2: add bounds checking to ocfs2_check_dir_entry()
- jfs: don't walk off the end of ealist
- ALSA: hda/realtek: Enable headset mic on Positivo SU C1400
- filelock: Fix fcntl/close race recovery compat path
- tun: add missing verification for short frame
- tap: add missing verification for short frame
- Linux 5.4.281
* Focal update: v5.4.283 upstream stable release (LP: #2080595) //
CVE-2024-45016
- netem: fix return value if duplicate enqueue fails
* CVE-2024-38630
- watchdog: cpu5wdt.c: Fix use-after-free bug caused by cpu5wdt_trigger
* CVE-2024-27397
- netfilter: nf_tables: use timestamp to check for set element timeout
* CVE-2024-26960
- mm: swap: fix race between free_swap_and_cache() and swapoff()
-- Stefan Bader <stefan.bader@canonical.com> Fri, 27 Sep 2024 14:40:47
+0200
** Changed in: linux (Ubuntu Focal)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-47212
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-36402
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-52531
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-52614
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-26607
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-26640
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-26641
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-26668
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-26669
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-26800
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-26885
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-26891
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-26960
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-27051
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-27397
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-35848
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-38602
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-38611
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-38630
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-40929
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-41071
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-41073
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-42229
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-42244
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-45016
--
You received this bug notification because you are subscribed to linux
in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2076097
Title:
Focal update: v5.4.281 upstream stable release
Status in linux package in Ubuntu:
Invalid
Status in linux source package in Focal:
Fix Released
Bug description:
SRU Justification
Impact:
The upstream process for stable tree updates is quite similar
in scope to the Ubuntu SRU process, e.g., each patch has to
demonstrably fix a bug, and each patch is vetted by upstream
by originating either directly from a mainline/stable Linux tree or
a minimally backported form of that patch. The following upstream
stable patches should be included in the Ubuntu kernel:
v5.4.281 upstream stable release
from git://git.kernel.org/
gcc-plugins: Rename last_stmt() for GCC 14+
filelock: Remove locks reliably when fcntl/close race is detected
scsi: qedf: Set qed_slowpath_params to zero before use
ACPI: EC: Abort address space access upon error
ACPI: EC: Avoid returning AE_OK on errors in address space handler
wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata
wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan()
Input: silead - Always support 10 fingers
ila: block BH in ila_output()
kconfig: gconf: give a proper initial state to the Save button
kconfig: remove wrong expr_trans_bool()
fs/file: fix the check in find_next_fd()
mei: demote client disconnect warning on suspend to debug
wifi: cfg80211: wext: add extra SIOCSIWSCAN data check
KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()
ALSA: hda/realtek: Add more codec ID to no shutup pins list
mips: fix compat_sys_lseek syscall
Input: elantech - fix touchpad state on resume for Lenovo N24
bytcr_rt5640 : inverse jack detect for Archos 101 cesium
ASoC: ti: davinci-mcasp: Set min period size using FIFO config
ASoC: ti: omap-hdmi: Fix too long driver name
can: kvaser_usb: fix return value for hif_usb_send_regout
s390/sclp: Fix sclp_init() cleanup on failure
ALSA: dmaengine_pcm: terminate dmaengine before synchronize
net: usb: qmi_wwan: add Telit FN912 compositions
net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and DEV_STATS_ADD()
powerpc/pseries: Whitelist dtl slub object for copying to userspace
powerpc/eeh: avoid possible crash when edev->pdev changes
scsi: libsas: Fix exp-attached device scan after probe failure scanned in again after probe failed
Bluetooth: hci_core: cancel all works upon hci_unregister_dev()
fs: better handle deep ancestor chains in is_subdir()
spi: imx: Don't expect DMA for i.MX{25,35,50,51,53} cspi devices
selftests/vDSO: fix clang build errors and warnings
hfsplus: fix uninit-value in copy_name
ARM: 9324/1: fix get_user() broken with veneer
ACPI: processor_idle: Fix invalid comparison with insertion sort for latency
drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq()
net: relax socket state check at accept time.
ocfs2: add bounds checking to ocfs2_check_dir_entry()
jfs: don't walk off the end of ealist
ALSA: hda/realtek: Enable headset mic on Positivo SU C1400
filelock: Fix fcntl/close race recovery compat path
tun: add missing verification for short frame
tap: add missing verification for short frame
Linux 5.4.281
UBUNTU: Upstream stable to v5.4.281
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2076097/+subscriptions
Комментариев нет:
Отправить комментарий