Bug #2001564 “Kernel crash due to Bluefield pka TRNG ioctl call” : Bugs : linux-bluefield package : Ubuntu

Shih-Yi Chen (shihyic) on 2023-01-03

description:

updated

Tim Gardner (timg-tpi) on 2023-01-06

Changed in linux-bluefield (Ubuntu Focal):
assignee:	nobody → Shih-Yi Chen (shihyic)
importance:	Undecided → Medium
status:	New → In Progress
Changed in linux-bluefield (Ubuntu Jammy):
assignee:	nobody → Shih-Yi Chen (shihyic)
importance:	Undecided → Medium
status:	New → In Progress
Changed in linux-bluefield (Ubuntu):
status:	New → Invalid

Bartlomiej Zolnierkiewicz (bzolnier) on 2023-01-13

Changed in linux-bluefield (Ubuntu Focal):
status:	In Progress → Fix Committed
Changed in linux-bluefield (Ubuntu Jammy):
status:	In Progress → Fix Committed

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2023-02-08:

#1

This bug is awaiting verification that the linux-bluefield/5.4.0-1057.63 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-focal-linux-bluefield verification-needed-focal

Shih-Yi Chen (shihyic) on 2023-02-08

tags:

added: verification-done-focal
removed: verification-needed-focal

Khoa Vo (khoadvo) on 2023-02-17

tags:

added: verification-done-jammy

Revision history for this message

Launchpad Janitor (janitor) wrote on 2023-03-02:

#2

Download full text (30.0 KiB)

This bug was fixed in the package linux-bluefield - 5.4.0-1058.64

---------------
linux-bluefield (5.4.0-1058.64) focal; urgency=medium

* focal/linux-bluefield: 5.4.0-1058.64 -proposed tracker (LP: #2006592)

  * nft_lookup crash when running DDOS attack (LP: #2006397)
    - netfilter: nf_tables: constify nft_reg_load{8, 16, 64}()
    - netfilter: nft_set_bitmap: initialize set element extension in lookups
    - netfilter: nf_tables: do not update stateful expressions if lookup is
      inverted

linux-bluefield (5.4.0-1057.63) focal; urgency=medium

* focal/linux-bluefield: 5.4.0-1057.63 -proposed tracker (LP: #2003464)

* Focal update: v5.4.221 upstream stable release (LP: #1997993)
- [Config] bluefield: Enable ARM64_ERRATUM_1742098 config on arm64

* mlxbf-pmc counters not functional for llt_miss block (LP: #2004235)
- SAUCE: mlxbf-pmc: Bug fix for BlueField-3 counter offsets

  * Add support for CT accounting stats (LP: #1998938)
    - netfilter: conntrack: export nf_ct_acct_update()
    - netfilter: flowtable: add counter support
    - net/sched: act_ct: update nf_conn_acct for act_ct SW offload in flowtable
    - net/sched: act_ct: enable stats for HW offloaded entries

  * allow per-net notifier to follow netdev into namespace (LP: #2002361)
    - net: push loops and nb calls into helper functions
    - net: introduce per-netns netdevice notifiers
    - net: push code from net notifier reg/unreg into helpers
    - net: introduce dev_net notifier register/unregister variants

* mlxbf-pmc support for BlueField-3 (LP: #2002501)
- SAUCE: mlxbf-pmc: Support for BlueField-3 performance counters

* Kernel crash due to Bluefield pka TRNG ioctl call (LP: #2001564)
- SAUCE: mlxbf-pka: Fix kernel crash with pka TRNG ioctl call

* mlxbf-pmc: Fix event string typo (LP: #1998863)
- SAUCE: mlxbf-pmc: Fix event string typo

[ Ubuntu: 5.4.0-139.156 ]

  * focal/linux: 5.4.0-139.156 -proposed tracker (LP: #2003486)
  * Revoke & rotate to new signing key (LP: #2002812)
    - [Packaging] Revoke and rotate to new signing key

[ Ubuntu: 5.4.0-138.155 ]

  * focal/linux: 5.4.0-138.155 -proposed tracker (LP: #2001845)
  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts
  * Focal update: v5.4.224 upstream stable release (LP: #1999273)
    - RDMA/cma: Use output interface for net_dev check
    - IB/hfi1: Correctly move list in sc_disable()
    - NFSv4.1: Handle RECLAIM_COMPLETE trunking errors
    - NFSv4.1: We must always send RECLAIM_COMPLETE after a reboot
    - nfs4: Fix kmemleak when allocate slot failed
    - net: dsa: Fix possible memory leaks in dsa_loop_init()
    - RDMA/core: Fix null-ptr-deref in ib_core_cleanup()
    - RDMA/qedr: clean up work queue on failure in qedr_alloc_resources()
    - nfc: s3fwrn5: Fix potential memory leak in s3fwrn5_nci_send()
    - nfc: nfcmrvl: Fix potential memory leak in nfcmrvl_i2c_nci_send()
    - net: fec: fix improper use of NETDEV_TX_BUSY
    - ata: pata_legacy: fix pdc20230_set_piomode()
    - net: sched: Fix use after free in red_enqueue()
    - net: tun: fix bugs for oversize packet when napi frags enabled
    - netfilter: nf_tables: release flow ru...

This bug was fixed in the package linux-bluefield - 5.4.0-1058.64

---------------
linux-bluefield (5.4.0-1058.64) focal; urgency=medium

* focal/linux-bluefield: 5.4.0-1058.64 -proposed tracker (LP: #2006592)

* nft_lookup crash when running DDOS attack (LP: #2006397)
    - netfilter: nf_tables: constify nft_reg_load{8, 16, 64}()
    - netfilter: nft_set_bitmap: initialize set element extension in lookups
    - netfilter: nf_tables: do not update stateful expressions if lookup is
      inverted

linux-bluefield (5.4.0-1057.63) focal; urgency=medium

* focal/linux-bluefield: 5.4.0-1057.63 -proposed tracker (LP: #2003464)

* Focal update: v5.4.221 upstream stable release (LP: #1997993)
    - [Config] bluefield: Enable ARM64_ERRATUM_1742098 config on arm64

* mlxbf-pmc counters not functional for llt_miss block (LP: #2004235)
    - SAUCE: mlxbf-pmc: Bug fix for BlueField-3 counter offsets

* Add support for CT accounting stats (LP: #1998938)
    - netfilter: conntrack: export nf_ct_acct_update()
    - netfilter: flowtable: add counter support
    - net/sched: act_ct: update nf_conn_acct for act_ct SW offload in flowtable
    - net/sched: act_ct: enable stats for HW offloaded entries

* allow per-net notifier to follow netdev into namespace (LP: #2002361)
    - net: push loops and nb calls into helper functions
    - net: introduce per-netns netdevice notifiers
    - net: push code from net notifier reg/unreg into helpers
    - net: introduce dev_net notifier register/unregister variants

* mlxbf-pmc support for BlueField-3 (LP: #2002501)
    - SAUCE: mlxbf-pmc: Support for BlueField-3 performance counters

* Kernel crash due to Bluefield pka TRNG ioctl call (LP: #2001564)
    - SAUCE: mlxbf-pka: Fix kernel crash with pka TRNG ioctl call

* mlxbf-pmc: Fix event string typo (LP: #1998863)
    - SAUCE: mlxbf-pmc: Fix event string typo

[ Ubuntu: 5.4.0-139.156 ]

* focal/linux: 5.4.0-139.156 -proposed tracker (LP: #2003486)
  * Revoke & rotate to new signing key (LP: #2002812)
    - [Packaging] Revoke and rotate to new signing key

[ Ubuntu: 5.4.0-138.155 ]

* focal/linux: 5.4.0-138.155 -proposed tracker (LP: #2001845)
  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts
  * Focal update: v5.4.224 upstream stable release (LP: #1999273)
    - RDMA/cma: Use output interface for net_dev check
    - IB/hfi1: Correctly move list in sc_disable()
    - NFSv4.1: Handle RECLAIM_COMPLETE trunking errors
    - NFSv4.1: We must always send RECLAIM_COMPLETE after a reboot
    - nfs4: Fix kmemleak when allocate slot failed
    - net: dsa: Fix possible memory leaks in dsa_loop_init()
    - RDMA/core: Fix null-ptr-deref in ib_core_cleanup()
    - RDMA/qedr: clean up work queue on failure in qedr_alloc_resources()
    - nfc: s3fwrn5: Fix potential memory leak in s3fwrn5_nci_send()
    - nfc: nfcmrvl: Fix potential memory leak in nfcmrvl_i2c_nci_send()
    - net: fec: fix improper use of NETDEV_TX_BUSY
    - ata: pata_legacy: fix pdc20230_set_piomode()
    - net: sched: Fix use after free in red_enqueue()
    - net: tun: fix bugs for oversize packet when napi frags enabled
    - netfilter: nf_tables: release flow rule object from commit path
    - ipvs: use explicitly signed chars
    - ipvs: fix WARNING in __ip_vs_cleanup_batch()
    - ipvs: fix WARNING in ip_vs_app_net_cleanup()
    - rose: Fix NULL pointer dereference in rose_send_frame()
    - mISDN: fix possible memory leak in mISDN_register_device()
    - isdn: mISDN: netjet: fix wrong check of device registration
    - btrfs: fix inode list leak during backref walking at resolve_indirect_refs()
    - btrfs: fix inode list leak during backref walking at find_parent_nodes()
    - btrfs: fix ulist leaks in error paths of qgroup self tests
    - Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del()
    - net: mdio: fix undefined behavior in bit shift for __mdiobus_register
    - net, neigh: Fix null-ptr-deref in neigh_table_clear()
    - ipv6: fix WARNING in ip6_route_net_exit_late()
    - media: s5p_cec: limit msg.len to CEC_MAX_MSG_SIZE
    - media: cros-ec-cec: limit msg.len to CEC_MAX_MSG_SIZE
    - media: dvb-frontends/drxk: initialize err to 0
    - media: meson: vdec: fix possible refcount leak in vdec_probe()
    - scsi: core: Restrict legal sdev_state transitions via sysfs
    - HID: saitek: add madcatz variant of MMO7 mouse device ID
    - i2c: xiic: Add platform module alias
    - xfs: don't fail verifier on empty attr3 leaf block
    - xfs: use ordered buffers to initialize dquot buffers during quotacheck
    - xfs: gut error handling in xfs_trans_unreserve_and_mod_sb()
    - xfs: group quota should return EDQUOT when prj quota enabled
    - xfs: don't fail unwritten extent conversion on writeback due to edquot
    - xfs: Add the missed xfs_perag_put() for xfs_ifree_cluster()
    - Bluetooth: L2CAP: Fix attempting to access uninitialized memory
    - block, bfq: protect 'bfqd->queued' by 'bfqd->lock'
    - binder: fix UAF of alloc->vma in race with munmap()
    - btrfs: fix type of parameter generation in btrfs_get_dentry
    - tcp/udp: Make early_demux back namespacified.
    - kprobe: reverse kp->flags when arm_kprobe failed
    - tools/nolibc/string: Fix memcmp() implementation
    - tracing/histogram: Update document for KEYS_MAX size
    - capabilities: fix potential memleak on error path from vfs_getxattr_alloc()
    - fuse: add file_modified() to fallocate
    - efi: random: reduce seed size to 32 bytes
    - perf/x86/intel: Fix pebs event constraints for ICL
    - perf/x86/intel: Add Cooper Lake stepping to isolation_ucodes[]
    - ALSA: usb-audio: Add quirks for MacroSilicon MS2100/MS2106 devices
    - parisc: Make 8250_gsc driver dependend on CONFIG_PARISC
    - parisc: Export iosapic_serial_irq() symbol for serial port driver
    - parisc: Avoid printing the hardware path twice
    - ext4: fix warning in 'ext4_da_release_space'
    - ext4: fix BUG_ON() when directory entry has invalid rec_len
    - KVM: x86: Mask off reserved bits in CPUID.8000001AH
    - KVM: x86: Mask off reserved bits in CPUID.80000008H
    - KVM: x86: emulator: em_sysexit should update ctxt->mode
    - KVM: x86: emulator: introduce emulator_recalc_and_set_mode
    - KVM: x86: emulator: update the emulation mode after CR0 write
    - mtd: rawnand: gpmi: Set WAIT_FOR_READY timeout based on program/erase times
    - drm/rockchip: dsi: Force synchronous probe
    - drm/i915/sdvo: Filter out invalid outputs more sensibly
    - drm/i915/sdvo: Setup DDC fully before output init
    - wifi: brcmfmac: Fix potential buffer overflow in brcmf_fweh_event_worker()
    - ipc: remove memcg accounting for sops objects in do_semtimedop()
    - Linux 5.4.224
  * Focal update: v5.4.223 upstream stable release (LP: #1999179)
    - can: j1939: transport: j1939_session_skb_drop_old():
      spin_unlock_irqrestore() before kfree_skb()
    - can: kvaser_usb: Fix possible completions during init_completion
    - ALSA: Use del_timer_sync() before freeing timer
    - ALSA: au88x0: use explicitly signed char
    - USB: add RESET_RESUME quirk for NVIDIA Jetson devices in RCM
    - usb: dwc3: gadget: Stop processing more requests on IMI
    - usb: dwc3: gadget: Don't set IMI for no_interrupt
    - usb: bdc: change state when port disconnected
    - usb: xhci: add XHCI_SPURIOUS_SUCCESS to ASM1042 despite being a V0.96
      controller
    - mtd: rawnand: marvell: Use correct logic for nand-keep-config
    - xhci: Remove device endpoints from bandwidth list when freeing the device
    - tools: iio: iio_utils: fix digit calculation
    - iio: light: tsl2583: Fix module unloading
    - fbdev: smscufx: Fix several use-after-free bugs
    - mac802154: Fix LQI recording
    - drm/msm/dsi: fix memory corruption with too many bridges
    - drm/msm/hdmi: fix memory corruption with too many bridges
    - mmc: core: Fix kernel panic when remove non-standard SDIO card
    - kernfs: fix use-after-free in __kernfs_remove
    - perf auxtrace: Fix address filter symbol name match for modules
    - s390/futex: add missing EX_TABLE entry to __futex_atomic_op()
    - s390/pci: add missing EX_TABLE entries to
      __pcistg_mio_inuser()/__pcilg_mio_inuser()
    - xfs: finish dfops on every insert range shift iteration
    - xfs: clear XFS_DQ_FREEING if we can't lock the dquot buffer to flush
    - xfs: force the log after remapping a synchronous-writes file
    - Xen/gntdev: don't ignore kernel unmapping error
    - xen/gntdev: Prevent leaking grants
    - mm,hugetlb: take hugetlb_lock before decrementing h->resv_huge_pages
    - net: ieee802154: fix error return code in dgram_bind()
    - media: v4l2: Fix v4l2_i2c_subdev_set_name function documentation
    - drm/msm: Fix return type of mdp4_lvds_connector_mode_valid
    - arc: iounmap() arg is volatile
    - ALSA: ac97: fix possible memory leak in snd_ac97_dev_register()
    - tipc: fix a null-ptr-deref in tipc_topsrv_accept
    - net: netsec: fix error handling in netsec_register_mdio()
    - x86/unwind/orc: Fix unreliable stack dump with gcov
    - amd-xgbe: fix the SFP compliance codes check for DAC cables
    - amd-xgbe: add the bit rate quirk for Molex cables
    - kcm: annotate data-races around kcm->rx_psock
    - kcm: annotate data-races around kcm->rx_wait
    - net: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failed
    - net: lantiq_etop: don't free skb when returning NETDEV_TX_BUSY
    - tcp: fix indefinite deferral of RTO with SACK reneging
    - can: mscan: mpc5xxx: mpc5xxx_can_probe(): add missing put_clock() in error
      path
    - PM: hibernate: Allow hybrid sleep to work with s2idle
    - media: vivid: s_fbuf: add more sanity checks
    - media: vivid: dev->bitmap_cap wasn't freed in all cases
    - media: v4l2-dv-timings: add sanity checks for blanking values
    - media: videodev2.h: V4L2_DV_BT_BLANKING_HEIGHT should check 'interlaced'
    - i40e: Fix ethtool rx-flow-hash setting for X722
    - i40e: Fix VF hang when reset is triggered on another VF
    - i40e: Fix flow-type by setting GL_HASH_INSET registers
    - net: ksz884x: fix missing pci_disable_device() on error in pcidev_init()
    - PM: domains: Fix handling of unavailable/disabled idle states
    - ALSA: aoa: i2sbus: fix possible memory leak in i2sbus_add_dev()
    - ALSA: aoa: Fix I2S device accounting
    - openvswitch: switch from WARN to pr_warn
    - net: ehea: fix possible memory leak in ehea_register_port()
    - nh: fix scope used to find saddr when adding non gw nh
    - net/mlx5e: Do not increment ESN when updating IPsec ESN state
    - net/mlx5: Fix possible use-after-free in async command interface
    - net: enetc: survive memory pressure without crashing
    - can: rcar_canfd: rcar_canfd_handle_global_receive(): fix IRQ storm on global
      FIFO receive
    - Linux 5.4.223
  * Focal update: v5.4.222 upstream stable release (LP: #1997994)
    - once: fix section mismatch on clang builds
    - Linux 5.4.222
  * Focal update: v5.4.221 upstream stable release (LP: #1997993)
    - xfs: open code insert range extent split helper
    - xfs: rework insert range into an atomic operation
    - xfs: rework collapse range into an atomic operation
    - xfs: add a function to deal with corrupt buffers post-verifiers
    - xfs: xfs_buf_corruption_error should take __this_address
    - xfs: fix buffer corruption reporting when xfs_dir3_free_header_check fails
    - xfs: check owner of dir3 data blocks
    - xfs: check owner of dir3 blocks
    - xfs: Use scnprintf() for avoiding potential buffer overflow
    - xfs: remove the xfs_disk_dquot_t and xfs_dquot_t
    - xfs: remove the xfs_dq_logitem_t typedef
    - xfs: remove the xfs_qoff_logitem_t typedef
    - xfs: Replace function declaration by actual definition
    - xfs: factor out quotaoff intent AIL removal and memory free
    - xfs: fix unmount hang and memory leak on shutdown during quotaoff
    - xfs: preserve default grace interval during quotacheck
    - xfs: Lower CIL flush limit for large logs
    - xfs: Throttle commits on delayed background CIL push
    - xfs: factor common AIL item deletion code
    - xfs: tail updates only need to occur when LSN changes
    - xfs: don't write a corrupt unmount record to force summary counter recalc
    - xfs: trylock underlying buffer on dquot flush
    - xfs: factor out a new xfs_log_force_inode helper
    - xfs: reflink should force the log out if mounted with wsync
    - xfs: move inode flush to the sync workqueue
    - xfs: fix use-after-free on CIL context on shutdown
    - ocfs2: clear dinode links count in case of error
    - ocfs2: fix BUG when iput after ocfs2_mknod fails
    - x86/microcode/AMD: Apply the patch early on every logical thread
    - hwmon/coretemp: Handle large core ID value
    - ata: ahci-imx: Fix MODULE_ALIAS
    - ata: ahci: Match EM_MAX_SLOTS with SATA_PMP_MAX_PORTS
    - KVM: arm64: vgic: Fix exit condition in scan_its_table()
    - media: venus: dec: Handle the case where find_format fails
    - [Config] updateconfigs for ARM64_ERRATUM_1742098
    - arm64: errata: Remove AES hwcap for COMPAT tasks
    - r8152: add PID for the Lenovo OneLink+ Dock
    - btrfs: fix processing of delayed data refs during backref walking
    - btrfs: fix processing of delayed tree block refs during backref walking
    - ACPI: extlog: Handle multiple records
    - tipc: Fix recognition of trial period
    - tipc: fix an information leak in tipc_topsrv_kern_subscr
    - HID: magicmouse: Do not set BTN_MOUSE on double report
    - net/atm: fix proc_mpc_write incorrect return value
    - net: phy: dp83867: Extend RX strap quirk for SGMII mode
    - net: sched: cake: fix null pointer access issue when cake_init() fails
    - net: hns: fix possible memory leak in hnae_ae_register()
    - iommu/vt-d: Clean up si_domain in the init_dmars() error path
    - arm64: topology: move store_cpu_topology() to shared code
    - riscv: topology: fix default topology reporting
    - ACPI: video: Force backlight native for more TongFang devices
    - Makefile.debug: re-enable debug info for .S files
    - hv_netvsc: Fix race between VF offering and VF association message from host
    - mm: /proc/pid/smaps_rollup: fix no vma's null-deref
    - Linux 5.4.221
  * Focal update: v5.4.220 upstream stable release (LP: #1996812)
    - ALSA: oss: Fix potential deadlock at unregistration
    - ALSA: rawmidi: Drop register_mutex in snd_rawmidi_free()
    - ALSA: usb-audio: Fix potential memory leaks
    - ALSA: usb-audio: Fix NULL dererence at error path
    - ALSA: hda/realtek: remove ALC289_FIXUP_DUAL_SPK for Dell 5530
    - ALSA: hda/realtek: Correct pin configs for ASUS G533Z
    - ALSA: hda/realtek: Add quirk for ASUS GV601R laptop
    - ALSA: hda/realtek: Add Intel Reference SSID to support headset keys
    - mtd: rawnand: atmel: Unmap streaming DMA mappings
    - cifs: destage dirty pages before re-reading them for cache=none
    - cifs: Fix the error length of VALIDATE_NEGOTIATE_INFO message
    - iio: dac: ad5593r: Fix i2c read protocol requirements
    - iio: pressure: dps310: Refactor startup procedure
    - iio: pressure: dps310: Reset chip after timeout
    - usb: add quirks for Lenovo OneLink+ Dock
    - can: kvaser_usb: Fix use of uninitialized completion
    - can: kvaser_usb_leaf: Fix overread with an invalid command
    - can: kvaser_usb_leaf: Fix TX queue out of sync after restart
    - can: kvaser_usb_leaf: Fix CAN state after restart
    - mmc: sdhci-sprd: Fix minimum clock limit
    - fs: dlm: fix race between test_bit() and queue_work()
    - fs: dlm: handle -EBUSY first in lock arg validation
    - HID: multitouch: Add memory barriers
    - quota: Check next/prev free block number after reading from quota file
    - ASoC: wcd9335: fix order of Slimbus unprepare/disable
    - regulator: qcom_rpm: Fix circular deferral regression
    - RISC-V: Make port I/O string accessors actually work
    - parisc: fbdev/stifb: Align graphics memory size to 4MB
    - riscv: Allow PROT_WRITE-only mmap()
    - riscv: Pass -mno-relax only on lld < 15.0.0
    - UM: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK
    - PCI: Sanitise firmware BAR assignments behind a PCI-PCI bridge
    - powerpc/boot: Explicitly disable usage of SPE instructions
    - fbdev: smscufx: Fix use-after-free in ufx_ops_open()
    - btrfs: fix race between quota enable and quota rescan ioctl
    - f2fs: increase the limit for reserve_root
    - f2fs: fix to do sanity check on destination blkaddr during recovery
    - f2fs: fix to do sanity check on summary info
    - nilfs2: fix use-after-free bug of struct nilfs_root
    - jbd2: wake up journal waiters in FIFO order, not LIFO
    - ext4: avoid crash when inline data creation follows DIO write
    - ext4: fix null-ptr-deref in ext4_write_info
    - ext4: make ext4_lazyinit_thread freezable
    - ext4: place buffer head allocation before handle start
    - livepatch: fix race between fork and KLP transition
    - ftrace: Properly unset FTRACE_HASH_FL_MOD
    - ring-buffer: Allow splice to read previous partially read pages
    - ring-buffer: Have the shortest_full queue be the shortest not longest
    - ring-buffer: Check pending waiters when doing wake ups as well
    - ring-buffer: Fix race between reset page and reading page
    - media: cedrus: Set the platform driver data earlier
    - KVM: x86/emulator: Fix handing of POP SS to correctly set interruptibility
    - KVM: nVMX: Unconditionally purge queued/injected events on nested "exit"
    - KVM: VMX: Drop bits 31:16 when shoving exception error code into VMCS
    - gcov: support GCC 12.1 and newer compilers
    - drm/nouveau: fix a use-after-free in nouveau_gem_prime_import_sg_table()
    - selinux: use "grep -E" instead of "egrep"
    - tracing: Disable interrupt or preemption before acquiring arch_spinlock_t
    - userfaultfd: open userfaultfds with O_RDONLY
    - sh: machvec: Use char[] for section boundaries
    - ARM: 9247/1: mm: set readonly for MT_MEMORY_RO with ARM_LPAE
    - nfsd: Fix a memory leak in an error handling path
    - wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state()
    - wifi: mac80211: allow bw change during channel switch in mesh
    - bpftool: Fix a wrong type cast in btf_dumper_int
    - x86/resctrl: Fix to restore to original value when re-enabling hardware
      prefetch register
    - wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse()
    - spi: qup: add missing clk_disable_unprepare on error in spi_qup_resume()
    - spi: qup: add missing clk_disable_unprepare on error in
      spi_qup_pm_resume_runtime()
    - wifi: rtl8xxxu: Fix skb misuse in TX queue selection
    - bpf: btf: fix truncated last_member_type_id in btf_struct_resolve
    - wifi: rtl8xxxu: gen2: Fix mistake in path B IQ calibration
    - net: fs_enet: Fix wrong check in do_pd_setup
    - bpf: Ensure correct locking around vulnerable function find_vpid()
    - x86/microcode/AMD: Track patch allocation size explicitly
    - spi/omap100k:Fix PM disable depth imbalance in omap1_spi100k_probe
    - netfilter: nft_fib: Fix for rpath check with VRF devices
    - spi: s3c64xx: Fix large transfers with DMA
    - vhost/vsock: Use kvmalloc/kvfree for larger packets.
    - sctp: handle the error returned from sctp_auth_asoc_init_active_key
    - tcp: fix tcp_cwnd_validate() to not forget is_cwnd_limited
    - net: rds: don't hold sock lock when cancelling work from
      rds_tcp_reset_callbacks()
    - bnx2x: fix potential memory leak in bnx2x_tpa_stop()
    - net/ieee802154: reject zero-sized raw_sendmsg()
    - once: add DO_ONCE_SLOW() for sleepable contexts
    - net: mvpp2: fix mvpp2 debugfs leak
    - drm: bridge: adv7511: fix CEC power down control register offset
    - drm/mipi-dsi: Detach devices when removing the host
    - platform/chrome: fix double-free in chromeos_laptop_prepare()
    - platform/chrome: fix memory corruption in ioctl
    - platform/x86: msi-laptop: Fix old-ec check for backlight registering
    - platform/x86: msi-laptop: Fix resource cleanup
    - drm: fix drm_mipi_dbi build errors
    - drm/bridge: megachips: Fix a null pointer dereference bug
    - ASoC: rsnd: Add check for rsnd_mod_power_on
    - ALSA: hda: beep: Simplify keep-power-at-enable behavior
    - drm/omap: dss: Fix refcount leak bugs
    - mmc: au1xmmc: Fix an error handling path in au1xmmc_probe()
    - ASoC: eureka-tlv320: Hold reference returned from of_find_xxx API
    - drm/msm/dpu: index dpu_kms->hw_vbif using vbif_idx
    - ALSA: dmaengine: increment buffer pointer atomically
    - mmc: wmt-sdmmc: Fix an error handling path in wmt_mci_probe()
    - ASoC: wm8997: Fix PM disable depth imbalance in wm8997_probe
    - ASoC: wm5110: Fix PM disable depth imbalance in wm5110_probe
    - ASoC: wm5102: Fix PM disable depth imbalance in wm5102_probe
    - ALSA: hda/hdmi: Don't skip notification handling during PM operation
    - memory: pl353-smc: Fix refcount leak bug in pl353_smc_probe()
    - memory: of: Fix refcount leak bug in of_get_ddr_timings()
    - soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe()
    - soc: qcom: smem_state: Add refcounting for the 'state->of_node'
    - ARM: dts: turris-omnia: Fix mpp26 pin name and comment
    - ARM: dts: kirkwood: lsxl: fix serial line
    - ARM: dts: kirkwood: lsxl: remove first ethernet port
    - ARM: dts: exynos: correct s5k6a3 reset polarity on Midas family
    - ARM: Drop CMDLINE_* dependency on ATAGS
    - ARM: dts: exynos: fix polarity of VBUS GPIO of Origen
    - iio: adc: at91-sama5d2_adc: fix AT91_SAMA5D2_MR_TRACKTIM_MAX
    - iio: adc: at91-sama5d2_adc: check return status for pressure and touch
    - iio: adc: at91-sama5d2_adc: lock around oversampling and sample freq
    - iio: inkern: only release the device node when done with it
    - iio: ABI: Fix wrong format of differential capacitance channel ABI.
    - clk: meson: Hold reference returned by of_get_parent()
    - clk: oxnas: Hold reference returned by of_get_parent()
    - clk: berlin: Add of_node_put() for of_get_parent()
    - clk: tegra: Fix refcount leak in tegra210_clock_init
    - clk: tegra: Fix refcount leak in tegra114_clock_init
    - clk: tegra20: Fix refcount leak in tegra20_clock_init
    - HSI: omap_ssi: Fix refcount leak in ssi_probe
    - HSI: omap_ssi_port: Fix dma_map_sg error check
    - media: exynos4-is: fimc-is: Add of_node_put() when breaking out of loop
    - tty: xilinx_uartps: Fix the ignore_status
    - media: xilinx: vipp: Fix refcount leak in xvip_graph_dma_init
    - RDMA/rxe: Fix "kernel NULL pointer dereference" error
    - RDMA/rxe: Fix the error caused by qp->sk
    - misc: ocxl: fix possible refcount leak in afu_ioctl()
    - dyndbg: fix module.dyndbg handling
    - dyndbg: let query-modname override actual module name
    - mtd: devices: docg3: check the return value of devm_ioremap() in the probe
    - RDMA/siw: Always consume all skbuf data in sk_data_ready() upcall.
    - ata: fix ata_id_sense_reporting_enabled() and ata_id_has_sense_reporting()
    - ata: fix ata_id_has_devslp()
    - ata: fix ata_id_has_ncq_autosense()
    - ata: fix ata_id_has_dipm()
    - mtd: rawnand: meson: fix bit map use in meson_nfc_ecc_correct()
    - md/raid5: Ensure stripe_fill happens on non-read IO with journal
    - xhci: Don't show warning for reinit on known broken suspend
    - usb: gadget: function: fix dangling pnp_string in f_printer.c
    - drivers: serial: jsm: fix some leaks in probe
    - tty: serial: fsl_lpuart: disable dma rx/tx use flags in lpuart_dma_shutdown
    - phy: qualcomm: call clk_disable_unprepare in the error handling
    - staging: vt6655: fix some erroneous memory clean-up loops
    - firmware: google: Test spinlock on panic path to avoid lockups
    - serial: 8250: Fix restoring termios speed after suspend
    - scsi: libsas: Fix use-after-free bug in smp_execute_task_sg()
    - fsi: core: Check error number after calling ida_simple_get
    - mfd: intel_soc_pmic: Fix an error handling path in
      intel_soc_pmic_i2c_probe()
    - mfd: fsl-imx25: Fix an error handling path in mx25_tsadc_setup_irq()
    - mfd: lp8788: Fix an error handling path in lp8788_probe()
    - mfd: lp8788: Fix an error handling path in lp8788_irq_init() and
      lp8788_irq_init()
    - mfd: fsl-imx25: Fix check for platform_get_irq() errors
    - mfd: sm501: Add check for platform_driver_register()
    - clk: mediatek: mt8183: mfgcfg: Propagate rate changes to parent
    - dmaengine: ioat: stop mod_timer from resurrecting deleted timer in
      __cleanup()
    - spmi: pmic-arb: correct duplicate APID to PPID mapping logic
    - clk: bcm2835: fix bcm2835_clock_rate_from_divisor declaration
    - clk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe
    - clk: ast2600: BCLK comes from EPLL
    - mailbox: bcm-ferxrm-mailbox: Fix error check for dma_map_sg
    - powerpc/math_emu/efp: Include module.h
    - powerpc/sysdev/fsl_msi: Add missing of_node_put()
    - powerpc/pci_dn: Add missing of_node_put()
    - powerpc/powernv: add missing of_node_put() in opal_export_attrs()
    - x86/hyperv: Fix 'struct hv_enlightened_vmcs' definition
    - powerpc/64s: Fix GENERIC_CPU build flags for PPC970 / G5
    - powerpc: Fix SPE Power ISA properties for e500v1 platforms
    - cgroup/cpuset: Enable update_tasks_cpumask() on top_cpuset
    - iommu/omap: Fix buffer overflow in debugfs
    - crypto: akcipher - default implementation for setting a private key
    - crypto: ccp - Release dma channels before dmaengine unrgister
    - iommu/iova: Fix module config properly
    - kbuild: remove the target in signal traps when interrupted
    - crypto: cavium - prevent integer overflow loading firmware
    - f2fs: fix race condition on setting FI_NO_EXTENT flag
    - ACPI: video: Add Toshiba Satellite/Portege Z830 quirk
    - MIPS: BCM47XX: Cast memcmp() of function to (void *)
    - powercap: intel_rapl: fix UBSAN shift-out-of-bounds issue
    - thermal: intel_powerclamp: Use get_cpu() instead of smp_processor_id() to
      avoid crash
    - NFSD: Return nfserr_serverfault if splice_ok but buf->pages have data
    - wifi: brcmfmac: fix invalid address access when enabling SCAN log level
    - bpftool: Clear errno after libcap's checks
    - openvswitch: Fix double reporting of drops in dropwatch
    - openvswitch: Fix overreporting of drops in dropwatch
    - tcp: annotate data-race around tcp_md5sig_pool_populated
    - wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()
    - xfrm: Update ipcomp_scratches with NULL when freed
    - wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit()
    - Bluetooth: L2CAP: initialize delayed works at l2cap_chan_create()
    - Bluetooth: hci_sysfs: Fix attempting to call device_add multiple times
    - can: bcm: check the result of can_send() in bcm_can_tx()
    - wifi: rt2x00: don't run Rt5592 IQ calibration on MT7620
    - wifi: rt2x00: set correct TX_SW_CFG1 MAC register for MT7620
    - wifi: rt2x00: set VGC gain for both chains of MT7620
    - wifi: rt2x00: set SoC wmac clock register
    - wifi: rt2x00: correctly set BBP register 86 for MT7620
    - net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory
    - Bluetooth: L2CAP: Fix user-after-free
    - drm/nouveau/nouveau_bo: fix potential memory leak in nouveau_bo_alloc()
    - drm: Use size_t type for len variable in drm_copy_field()
    - drm: Prevent drm_copy_field() to attempt copying a NULL pointer
    - drm/amd/display: fix overflow on MIN_I64 definition
    - drm/vc4: vec: Fix timings for VEC modes
    - drm: panel-orientation-quirks: Add quirk for Anbernic Win600
    - platform/x86: msi-laptop: Change DMI match / alias strings to fix module
      autoloading
    - drm/amdgpu: fix initial connector audio value
    - mmc: sdhci-msm: add compatible string check for sdm670
    - ARM: dts: imx7d-sdb: config the max pressure for tsc2046
    - ARM: dts: imx6q: add missing properties for sram
    - ARM: dts: imx6dl: add missing properties for sram
    - ARM: dts: imx6qp: add missing properties for sram
    - ARM: dts: imx6sl: add missing properties for sram
    - ARM: dts: imx6sll: add missing properties for sram
    - ARM: dts: imx6sx: add missing properties for sram
    - btrfs: scrub: try to fix super block errors
    - clk: zynqmp: Fix stack-out-of-bounds in strncpy`
    - media: cx88: Fix a null-ptr-deref bug in buffer_prepare()
    - clk: zynqmp: pll: rectify rate rounding in zynqmp_pll_round_rate
    - scsi: 3w-9xxx: Avoid disabling device if failing to enable it
    - nbd: Fix hung when signal interrupts nbd_start_device_ioctl()
    - power: supply: adp5061: fix out-of-bounds read in adp5061_get_chg_type()
    - staging: vt6655: fix potential memory leak
    - ata: libahci_platform: Sanity check the DT child nodes number
    - bcache: fix set_at_max_writeback_rate() for multiple attached devices
    - HID: roccat: Fix use-after-free in roccat_read()
    - md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d
    - usb: host: xhci: Fix potential memory leak in xhci_alloc_stream_info()
    - usb: musb: Fix musb_gadget.c rxstate overflow bug
    - Revert "usb: storage: Add quirk for Samsung Fit flash"
    - staging: rtl8723bs: fix a potential memory leak in rtw_init_cmd_priv()
    - nvme: copy firmware_rev on each init
    - nvmet-tcp: add bounds check on Transfer Tag
    - usb: idmouse: fix an uninit-value in idmouse_open
    - clk: bcm2835: Make peripheral PLLC critical
    - perf intel-pt: Fix segfault in intel_pt_print_info() with uClibc
    - net: ieee802154: return -EINVAL for unknown addr type
    - Revert "net/ieee802154: reject zero-sized raw_sendmsg()"
    - net/ieee802154: don't warn zero-sized raw_sendmsg()
    - ext4: continue to expand file system when the target size doesn't reach
    - efi: libstub: drop pointless get_memory_map() call
    - inet: fully convert sk->sk_rx_dst to RCU rules
    - thermal: intel_powerclamp: Use first online CPU as control_cpu
    - Linux 5.4.220
  * Focal update: v5.4.219 upstream stable release (LP: #1996804)
    - Linux 5.4.219

[ Ubuntu: 5.4.0-137.154 ]

* focal/linux: 5.4.0-137.154 -proposed tracker (LP: #2001969)
  * CVE-2022-3643
    - xen/netback: Ensure protocol headers don't fall in the non-linear area
  * CVE-2022-43945
    - NFSD: Cap rsize_bop result based on send buffer size
  * CVE-2022-45934
    - Bluetooth: L2CAP: Fix u8 overflow
  * CVE-2022-42896
    - Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
    - Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm

-- Bartlomiej Zolnierkiewicz <bartlomiej.zolnierkiewicz@canonical.com>  Wed, 08 Feb 2023 14:45:46 +0100

Changed in linux-bluefield (Ubuntu Focal):
status:	Fix Committed → Fix Released

Ubuntu
linux-bluefield package

Kernel crash due to Bluefield pka TRNG ioctl call

Bug Description

CVE References

Other bug subscribers

Remote bug watches

	Status	Importance	Assigned to
linux-bluefield (Ubuntu)	Invalid	Undecided	Unassigned
Focal	Fix Released	Medium	Shih-Yi Chen
Jammy	Fix Committed	Medium	Shih-Yi Chen

Ubuntulinux-bluefield package

Kernel crash due to Bluefield pka TRNG ioctl call

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux-bluefield package