Ubuntu
linux package

Focal update: v5.4.262 upstream stable release

Bug #2049069 reported by Manuel Diewald on 2024-01-11

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Invalid	Undecided	Unassigned
	Focal	Fix Released	Medium	Manuel Diewald

Bug Description

SRU Justification

    Impact:
       The upstream process for stable tree updates is quite similar
       in scope to the Ubuntu SRU process, e.g., each patch has to
       demonstrably fix a bug, and each patch is vetted by upstream
       by originating either directly from a mainline/stable Linux tree or
       a minimally backported form of that patch. The following upstream
       stable patches should be included in the Ubuntu kernel:

v5.4.262 upstream stable release
from git://git.kernel.org/

locking/ww_mutex/test: Fix potential workqueue corruption
perf/core: Bail out early if the request AUX area is out of bound
clocksource/drivers/timer-imx-gpt: Fix potential memory leak
clocksource/drivers/timer-atmel-tcb: Fix initialization on SAM9 hardware
x86/mm: Drop the 4 MB restriction on minimal NUMA node memory size
wifi: mac80211_hwsim: fix clang-specific fortify warning
wifi: mac80211: don't return unset power in ieee80211_get_tx_power()
wifi: ath9k: fix clang-specific fortify warnings
wifi: ath10k: fix clang-specific fortify warning
net: annotate data-races around sk->sk_tx_queue_mapping
net: annotate data-races around sk->sk_dst_pending_confirm
wifi: ath10k: Don't touch the CE interrupt registers after power up
Bluetooth: Fix double free in hci_conn_cleanup
platform/x86: thinkpad_acpi: Add battery quirk for Thinkpad X120e
drm/komeda: drop all currently held locks if deadlock happens
drm/amd: Fix UBSAN array-index-out-of-bounds for SMU7
drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga
drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL
selftests/efivarfs: create-read: fix a resource leak
crypto: pcrypt - Fix hungtask for PADATA_RESET
RDMA/hfi1: Use FIELD_GET() to extract Link Width
fs/jfs: Add check for negative db_l2nbperpage
fs/jfs: Add validity check for db_maxag and db_agpref
jfs: fix array-index-out-of-bounds in dbFindLeaf
jfs: fix array-index-out-of-bounds in diAlloc
ARM: 9320/1: fix stack depot IRQ stack filter
ALSA: hda: Fix possible null-ptr-deref when assigning a stream
PCI: tegra194: Use FIELD_GET()/FIELD_PREP() with Link Width fields
atm: iphase: Do PCI error checks on own line
scsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup()
HID: Add quirk for Dell Pro Wireless Keyboard and Mouse KM5221W
tty: vcc: Add check for kstrdup() in vcc_probe()
usb: gadget: f_ncm: Always set current gadget in ncm_bind()
i2c: sun6i-p2wi: Prevent potential division by zero
media: gspca: cpia1: shift-out-of-bounds in set_flicker
media: vivid: avoid integer overflow
gfs2: ignore negated quota changes
media: cobalt: Use FIELD_GET() to extract Link Width
drm/amd/display: Avoid NULL dereference of timing generator
kgdb: Flush console before entering kgdb on panic
ASoC: ti: omap-mcbsp: Fix runtime PM underflow warnings
pwm: Fix double shift bug
wifi: iwlwifi: Use FW rate for non-data frames
NFSv4.1: fix SP4_MACH_CRED protection for pnfs IO
ipvlan: add ipvlan_route_v6_outbound() helper
tty: Fix uninit-value access in ppp_sync_receive()
net: hns3: fix variable may not initialized problem in hns3_init_mac_addr()
tipc: Fix kernel-infoleak due to uninitialized TLV value
ppp: limit MRU to 64K
xen/events: fix delayed eoi list handling
ptp: annotate data-race around q->head and q->tail
bonding: stop the device in bond_setup_by_slave()
net: ethernet: cortina: Fix max RX frame define
net: ethernet: cortina: Handle large frames
net: ethernet: cortina: Fix MTU max setting
netfilter: nf_conntrack_bridge: initialize err to 0
net: stmmac: Rework stmmac_rx()
net: stmmac: fix rx budget limit check
net/mlx5_core: Clean driver version and name
net/mlx5e: Check return value of snprintf writing to fw_version buffer for representors
macvlan: Don't propagate promisc change to lower dev in passthru
tools/power/turbostat: Fix a knl bug
cifs: spnego: add ';' in HOST_KEY_LEN
media: venus: hfi: add checks to perform sanity on queue pointers
randstruct: Fix gcc-plugin performance mode to stay in group
bpf: Fix precision tracking for BPF_ALU | BPF_TO_BE | BPF_END
scsi: megaraid_sas: Increase register read retry rount from 3 to 30 for selected registers
x86/cpu/hygon: Fix the CPU topology evaluation for real
KVM: x86: hyper-v: Don't auto-enable stimer on write from user-space
KVM: x86: Ignore MSR_AMD64_TW_CFG access
audit: don't take task_lock() in audit_exe_compare() code path
audit: don't WARN_ON_ONCE(!current->mm) in audit_exe_compare()
hvc/xen: fix error path in xen_hvc_init() to always register frontend driver
PCI/sysfs: Protect driver's D3cold preference from user space
ACPI: resource: Do IRQ override on TongFang GMxXGxx
mmc: meson-gx: Remove setting of CMD_CFG_ERROR
genirq/generic_chip: Make irq_remove_generic_chip() irqdomain aware
PCI: keystone: Don't discard .remove() callback
PCI: keystone: Don't discard .probe() callback
parisc/pdc: Add width field to struct pdc_model
clk: qcom: ipq8074: drop the CLK_SET_RATE_PARENT flag from PLL clocks
mmc: vub300: fix an error code
PM: hibernate: Use __get_safe_page() rather than touching the list
PM: hibernate: Clean up sync_read handling in snapshot_write_next()
btrfs: don't arbitrarily slow down delalloc if we're committing
jbd2: fix potential data lost in recovering journal raced with synchronizing fs bdev
quota: explicitly forbid quota files from being encrypted
kernel/reboot: emergency_restart: Set correct system_state
i2c: core: Run atomic i2c xfer when !preemptible
mcb: fix error handling for different scenarios when parsing
dmaengine: stm32-mdma: correct desc prep when channel running
mm/cma: use nth_page() in place of direct struct page manipulation
i3c: master: cdns: Fix reading status register
parisc: Prevent booting 64-bit kernels on PA1.x machines
parisc/pgtable: Do not drop upper 5 address bits of physical address
ALSA: info: Fix potential deadlock at disconnection
ALSA: hda/realtek - Enable internal speaker of ASUS K6500ZC
serial: meson: remove redundant initialization of variable id
tty: serial: meson: retrieve port FIFO size from DT
serial: meson: Use platform_get_irq() to get the interrupt
tty: serial: meson: fix hard LOCKUP on crtscts mode
Bluetooth: btusb: add Realtek 8822CE to usb_device_id table
Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0cb8:0xc559
bluetooth: Add device 0bda:887b to device tables
bluetooth: Add device 13d3:3571 to device tables
Bluetooth: btusb: Add RTW8852BE device 13d3:3570 to device tables
Bluetooth: btusb: Add 0bda:b85b for Fn-Link RTL8852BE
Revert ncsi: Propagate carrier gain/loss events to the NCSI controller
net: dsa: lan9303: consequently nested-lock physical MDIO
i2c: i801: fix potential race in i801_block_transaction_byte_by_byte
media: lirc: drop trailing space from scancode transmit
media: sharp: fix sharp encoding
media: venus: hfi_parser: Add check to keep the number of codecs within range
media: venus: hfi: fix the check to handle session buffer requirement
media: venus: hfi: add checks to handle capabilities from firmware
nfsd: fix file memleak on client_opens_release
ext4: apply umask if ACL support is disabled
ext4: correct offset of gdb backup in non meta_bg group to update_backups
ext4: correct return value of ext4_convert_meta_bg
ext4: correct the start block of counting reserved clusters
ext4: remove gdb backup copy for meta bg in setup_new_flex_group_blocks
drm/amdgpu: fix error handling in amdgpu_bo_list_get()
tracing: Have trace_event_file have ref counters
netfilter: nf_tables: pass context to nft_set_destroy()
netfilter: nftables: rename set element data activation/deactivation functions
netfilter: nf_tables: drop map element references from preparation phase
netfilter: nft_set_rbtree: Switch to node list walk for overlap detection
netfilter: nft_set_rbtree: fix null deref on element insertion
netfilter: nft_set_rbtree: fix overlap expiration walk
netfilter: nf_tables: don't skip expired elements during walk
netfilter: nf_tables: GC transaction API to avoid race with control plane
netfilter: nf_tables: adapt set backend to use GC transaction API
netfilter: nft_set_hash: mark set element as dead when deleting from packet path
netfilter: nf_tables: remove busy mark and gc batch API
netfilter: nf_tables: fix GC transaction races with netns and netlink event exit path
netfilter: nf_tables: GC transaction race with netns dismantle
netfilter: nf_tables: GC transaction race with abort path
netfilter: nf_tables: use correct lock to protect gc_list
netfilter: nf_tables: defer gc run if previous batch is still pending
netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction
netfilter: nft_set_rbtree: use read spinlock to avoid datapath contention
netfilter: nft_set_hash: try later when GC hits EAGAIN on iteration
netfilter: nf_tables: fix memleak when more than 255 elements expired
netfilter: nf_tables: unregister flowtable hooks on netns exit
netfilter: nf_tables: double hook unregistration in netns path
netfilter: nftables: update table flags from the commit phase
netfilter: nf_tables: fix table flag updates
netfilter: nf_tables: disable toggling dormant table state more than once
netfilter: nf_tables: bogus EBUSY when deleting flowtable after flush (for 5.4)
Linux 5.4.262
UBUNTU: Upstream stable to v5.4.262

See original description

Tags:

CVE References

Manuel Diewald (diewald) on 2024-01-11

Changed in linux (Ubuntu):
status:	New → Confirmed
tags:	added: kernel-stable-tracking-bug
Changed in linux (Ubuntu):
status:	Confirmed → Invalid
Changed in linux (Ubuntu Focal):
assignee:	nobody → Manuel Diewald (diewald)
importance:	Undecided → Medium
status:	New → In Progress
description:	updated

Roxana Nicolescu (roxanan) on 2024-01-12

Changed in linux (Ubuntu Focal):
status:	In Progress → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2024-03-06:

Download full text (34.0 KiB)

This bug was fixed in the package linux - 5.4.0-173.191

---------------
linux (5.4.0-173.191) focal; urgency=medium

* focal/linux: 5.4.0-173.191 -proposed tracker (LP: #2052135)

* Packaging resync (LP: #1786013)
- debian/dkms-versions -- update from kernel-versions (main/2024.02.05)

* CVE-2023-0340
- vhost: use kzalloc() instead of kmalloc() followed by memset()

* CVE-2023-6915
- ida: Fix crash in ida_free when the bitmap is empty

  * Focal update: v5.4.265 upstream stable release (LP: #2051644)
    - afs: Fix refcount underflow from error handling race
    - net: ipv6: support reporting otherwise unknown prefix flags in RTM_NEWPREFIX
    - qca_debug: Prevent crash on TX ring changes
    - qca_debug: Fix ethtool -G iface tx behavior
    - qca_spi: Fix reset behavior
    - atm: solos-pci: Fix potential deadlock on &cli_queue_lock
    - atm: solos-pci: Fix potential deadlock on &tx_queue_lock
    - atm: Fix Use-After-Free in do_vcc_ioctl
    - qed: Fix a potential use-after-free in qed_cxt_tables_alloc
    - net: Remove acked SYN flag from packet in the transmit queue correctly
    - sign-file: Fix incorrect return values check
    - vsock/virtio: Fix unsigned integer wrap around in
      virtio_transport_has_space()
    - net: stmmac: use dev_err_probe() for reporting mdio bus registration failure
    - net: stmmac: Handle disabled MDIO busses from devicetree
    - cred: switch to using atomic_long_t
    - ALSA: hda/hdmi: add force-connect quirks for ASUSTeK Z170 variants
    - usb: aqc111: check packet for fixup for true limit
    - blk-throttle: fix lockdep warning of "cgroup_mutex or RCU read lock
      required!"
    - bcache: avoid oversize memory allocation by small stripe_size
    - bcache: add code comments for bch_btree_node_get() and
      __bch_btree_node_alloc()
    - bcache: avoid NULL checking to c->root in run_cache_set()
    - platform/x86: intel_telemetry: Fix kernel doc descriptions
    - HID: add ALWAYS_POLL quirk for Apple kb
    - HID: hid-asus: reset the backlight brightness level on resume
    - HID: multitouch: Add quirk for HONOR GLO-GXXX touchpad
    - asm-generic: qspinlock: fix queued_spin_value_unlocked() implementation
    - net: usb: qmi_wwan: claim interface 4 for ZTE MF290
    - HID: hid-asus: add const to read-only outgoing usb buffer
    - soundwire: stream: fix NULL pointer dereference for multi_link
    - ext4: prevent the normalized size from exceeding EXT_MAX_BLOCKS
    - arm64: mm: Always make sw-dirty PTEs hw-dirty in pte_modify
    - team: Fix use-after-free when an option instance allocation fails
    - ring-buffer: Fix memory leak of free page
    - mmc: block: Be sure to wait while busy in CQE error recovery
    - powerpc/ftrace: Create a dummy stackframe to fix stack unwind
    - powerpc/ftrace: Fix stack teardown in ftrace_no_trace
    - Linux 5.4.265

This bug was fixed in the package linux - 5.4.0-173.191

---------------
linux (5.4.0-173.191) focal; urgency=medium

* focal/linux: 5.4.0-173.191 -proposed tracker (LP: #2052135)

* Packaging resync (LP: #1786013)
    - debian/dkms-versions -- update from kernel-versions (main/2024.02.05)

* CVE-2023-0340
    - vhost: use kzalloc() instead of kmalloc() followed by memset()

* CVE-2023-6915
    - ida: Fix crash in ida_free when the bitmap is empty

* Focal update: v5.4.264 upstream stable release (LP: #2049935)
    - hrtimers: Push pending hrtimers away from outgoing CPU earlier
    - netfilter: ipset: fix race condition between swap/destroy and kernel side
      add/del/test
    - tg3: Move the [rt]x_dropped counters to tg3_napi
    - tg3: Increment tx_dropped in tg3_tso_bug()
    - kconfig: fix memory leak from range properties
    - drm/amdgpu: correct chunk_ptr to a pointer to chunk.
    - of: base: Add of_get_cpu_state_node() to get idle states for a CPU node
    - ACPI/IORT: Make iort_get_device_domain IRQ domain agnostic
    - ACPI/IORT: Make iort_msi_map_rid() PCI agnostic
    - of/iommu: Make of_map_rid() PCI agnostic
    - of/irq: make of_msi_map_get_device_domain() bus agnostic
    - of/irq: Make of_msi_map_rid() PCI bus agnostic
    - of: base: Fix some formatting issues and provide missing descriptions
    - of: Fix kerneldoc output formatting
    - of: Add missing 'Return' section in kerneldoc comments
    - of: dynamic: Fix of_reconfig_get_state_change() return value documentation
    - ipv6: fix potential NULL deref in fib6_add()
    - hv_netvsc: rndis_filter needs to select NLS
    - net: arcnet: Fix RESET flag handling
    - net: arcnet: com20020 fix error handling
    - arcnet: restoring support for multiple Sohard Arcnet cards
    - ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit()
    - net: hns: fix fake link up on xge port
    - netfilter: xt_owner: Fix for unsafe access of sk->sk_socket
    - tcp: do not accept ACK of bytes we never sent
    - bpf: sockmap, updating the sg structure should also update curr
    - RDMA/bnxt_re: Correct module description string
    - hwmon: (acpi_power_meter) Fix 4.29 MW bug
    - ASoC: wm_adsp: fix memleak in wm_adsp_buffer_populate
    - tracing: Fix a warning when allocating buffered events fails
    - scsi: be2iscsi: Fix a memleak in beiscsi_init_wrb_handle()
    - ARM: imx: Check return value of devm_kasprintf in imx_mmdc_perf_init
    - ARM: dts: imx: make gpt node name generic
    - ARM: dts: imx7: Declare timers compatible with fsl,imx6dl-gpt
    - ALSA: pcm: fix out-of-bounds in snd_pcm_state_names
    - nilfs2: prevent WARNING in nilfs_sufile_set_segment_usage()
    - tracing: Always update snapshot buffer size
    - tracing: Fix incomplete locking when disabling buffered events
    - tracing: Fix a possible race when disabling buffered events
    - packet: Move reference count in packet_sock to atomic_long_t
    - arm64: dts: mediatek: mt7622: fix memory node warning check
    - arm64: dts: mediatek: mt8173-evb: Fix regulator-fixed node names
    - gpiolib: sysfs: Fix error handling on failed export
    - mmc: core: add helpers mmc_regulator_enable/disable_vqmmc
    - mmc: sdhci-sprd: Fix vqmmc not shutting down after the card was pulled
    - usb: gadget: f_hid: fix report descriptor allocation
    - parport: Add support for Brainboxes IX/UC/PX parallel cards
    - usb: typec: class: fix typec_altmode_put_partner to put plugs
    - ARM: PL011: Fix DMA support
    - serial: sc16is7xx: address RX timeout interrupt errata
    - serial: 8250_omap: Add earlycon support for the AM654 UART controller
    - x86/CPU/AMD: Check vendor in the AMD microcode callback
    - KVM: s390/mm: Properly reset no-dat
    - nilfs2: fix missing error check for sb_set_blocksize call
    - io_uring/af_unix: disable sending io_uring over sockets
    - netlink: don't call ->netlink_bind with table lock held
    - genetlink: add CAP_NET_ADMIN test for multicast bind
    - psample: Require 'CAP_NET_ADMIN' when joining "packets" group
    - drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group
    - tools headers UAPI: Sync linux/perf_event.h with the kernel sources
    - cifs: Fix non-availability of dedup breaking generic/304
    - smb: client: fix potential NULL deref in parse_dfs_referrals()
    - devcoredump : Serialize devcd_del work
    - devcoredump: Send uevent once devcd is ready
    - Linux 5.4.264

* CVE-2024-0646
    - net: tls, update curr on splice as well

* CVE-2024-0565
    - smb: client: fix OOB in receive_encrypted_standard()

* CVE-2023-51781
    - appletalk: Fix Use-After-Free in atalk_ioctl

* CVE-2023-51782
    - net/rose: Fix Use-After-Free in rose_ioctl

* Focal update: v5.4.263 upstream stable release (LP: #2049084)
    - driver core: Release all resources during unbind before updating device
      links
    - RDMA/irdma: Prevent zero-length STAG registration
    - PCI: keystone: Drop __init from ks_pcie_add_pcie_{ep,port}()
    - afs: Make error on cell lookup failure consistent with OpenAFS
    - drm/panel: simple: Fix Innolux G101ICE-L01 bus flags
    - drm/panel: simple: Fix Innolux G101ICE-L01 timings
    - ata: pata_isapnp: Add missing error check for devm_ioport_map()
    - drm/rockchip: vop: Fix color for RGB888/BGR888 format on VOP full
    - HID: core: store the unique system identifier in hid_device
    - HID: fix HID device resource race between HID core and debugging support
    - ipv4: Correct/silence an endian warning in __ip_do_redirect
    - net: usb: ax88179_178a: fix failed operations during ax88179_reset
    - arm/xen: fix xen_vcpu_info allocation alignment
    - amd-xgbe: handle corner-case during sfp hotplug
    - amd-xgbe: handle the corner-case during tx completion
    - amd-xgbe: propagate the correct speed and duplex status
    - net: axienet: Fix check for partial TX checksum
    - afs: Return ENOENT if no cell DNS record can be found
    - afs: Fix file locking on R/O volumes to operate in local mode
    - nvmet: remove unnecessary ctrl parameter
    - nvmet: nul-terminate the NQNs passed in the connect command
    - MIPS: KVM: Fix a build warning about variable set but not used
    - ext4: add a new helper to check if es must be kept
    - ext4: factor out __es_alloc_extent() and __es_free_extent()
    - ext4: use pre-allocated es in __es_insert_extent()
    - ext4: use pre-allocated es in __es_remove_extent()
    - ext4: using nofail preallocation in ext4_es_remove_extent()
    - ext4: using nofail preallocation in ext4_es_insert_delayed_block()
    - ext4: using nofail preallocation in ext4_es_insert_extent()
    - ext4: fix slab-use-after-free in ext4_es_insert_extent()
    - ext4: make sure allocate pending entry not fail
    - arm64: cpufeature: Extract capped perfmon fields
    - KVM: arm64: limit PMU version to PMUv3 for ARMv8.1
    - ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CVA
    - bcache: replace a mistaken IS_ERR() by IS_ERR_OR_NULL() in
      btree_gc_coalesce()
    - s390/dasd: protect device queue against concurrent access
    - USB: serial: option: add Luat Air72*U series products
    - hv_netvsc: Fix race of register_netdevice_notifier and VF register
    - hv_netvsc: Mark VF as slave before exposing it to user-mode
    - dm-delay: fix a race between delay_presuspend and delay_bio
    - bcache: check return value from btree_node_alloc_replacement()
    - bcache: prevent potential division by zero error
    - USB: serial: option: add Fibocom L7xx modules
    - USB: serial: option: fix FM101R-GL defines
    - USB: serial: option: don't claim interface 4 for ZTE MF290
    - USB: dwc2: write HCINT with INTMASK applied
    - usb: dwc3: set the dma max_seg_size
    - USB: dwc3: qcom: fix resource leaks on probe deferral
    - USB: dwc3: qcom: fix wakeup after probe deferral
    - io_uring: fix off-by one bvec index
    - pinctrl: avoid reload of p state in list iteration
    - firewire: core: fix possible memory leak in create_units()
    - mmc: block: Do not lose cache flush during CQE error recovery
    - ALSA: hda: Disable power-save on KONTRON SinglePC
    - ALSA: hda/realtek: Headset Mic VREF to 100%
    - ALSA: hda/realtek: Add supported ALC257 for ChromeOS
    - dm-verity: align struct dm_verity_fec_io properly
    - dm verity: don't perform FEC for failed readahead IO
    - bcache: revert replacing IS_ERR_OR_NULL with IS_ERR
    - powerpc: Don't clobber f0/vs0 during fp|altivec register save
    - btrfs: fix off-by-one when checking chunk map includes logical address
    - btrfs: send: ensure send_fd is writable
    - btrfs: make error messages more clear when getting a chunk map
    - Input: xpad - add HyperX Clutch Gladiate Support
    - net: stmmac: xgmac: Disable FPE MMC interrupts
    - ravb: Fix races between ravb_tx_timeout_work() and net related ops
    - net: ravb: Use pm_runtime_resume_and_get()
    - net: ravb: Start TX queues after HW initialization succeeded
    - smb3: fix touch -h of symlink
    - s390/mm: fix phys vs virt confusion in mark_kernel_pXd() functions family
    - s390/cmma: fix detection of DAT pages
    - mtd: cfi_cmdset_0001: Support the absence of protection registers
    - mtd: cfi_cmdset_0001: Byte swap OTP info
    - fbdev: stifb: Make the STI next font pointer a 32-bit signed offset
    - ima: annotate iint mutex to avoid lockdep false positive warnings
    - ovl: skip overlayfs superblocks at global sync
    - ima: detect changes to the backing overlay file
    - scsi: qla2xxx: Simplify the code for aborting SCSI commands
    - scsi: core: Introduce the scsi_cmd_to_rq() function
    - scsi: qla2xxx: Use scsi_cmd_to_rq() instead of scsi_cmnd.request
    - scsi: qla2xxx: Fix system crash due to bad pointer access
    - cpufreq: imx6q: don't warn for disabling a non-existing frequency
    - cpufreq: imx6q: Don't disable 792 Mhz OPP unnecessarily
    - mmc: cqhci: Increase recovery halt timeout
    - mmc: cqhci: Warn of halt or task clear failure
    - mmc: cqhci: Fix task clearing in CQE error recovery
    - mmc: core: convert comma to semicolon
    - mmc: block: Retry commands in CQE error recovery
    - Linux 5.4.263

* Focal update: v5.4.262 upstream stable release (LP: #2049069)
    - locking/ww_mutex/test: Fix potential workqueue corruption
    - perf/core: Bail out early if the request AUX area is out of bound
    - clocksource/drivers/timer-imx-gpt: Fix potential memory leak
    - clocksource/drivers/timer-atmel-tcb: Fix initialization on SAM9 hardware
    - x86/mm: Drop the 4 MB restriction on minimal NUMA node memory size
    - wifi: mac80211_hwsim: fix clang-specific fortify warning
    - wifi: mac80211: don't return unset power in ieee80211_get_tx_power()
    - wifi: ath9k: fix clang-specific fortify warnings
    - wifi: ath10k: fix clang-specific fortify warning
    - net: annotate data-races around sk->sk_tx_queue_mapping
    - net: annotate data-races around sk->sk_dst_pending_confirm
    - wifi: ath10k: Don't touch the CE interrupt registers after power up
    - Bluetooth: Fix double free in hci_conn_cleanup
    - platform/x86: thinkpad_acpi: Add battery quirk for Thinkpad X120e
    - drm/komeda: drop all currently held locks if deadlock happens
    - drm/amd: Fix UBSAN array-index-out-of-bounds for SMU7
    - drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga
    - drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL
    - selftests/efivarfs: create-read: fix a resource leak
    - crypto: pcrypt - Fix hungtask for PADATA_RESET
    - RDMA/hfi1: Use FIELD_GET() to extract Link Width
    - fs/jfs: Add check for negative db_l2nbperpage
    - fs/jfs: Add validity check for db_maxag and db_agpref
    - jfs: fix array-index-out-of-bounds in dbFindLeaf
    - jfs: fix array-index-out-of-bounds in diAlloc
    - ARM: 9320/1: fix stack depot IRQ stack filter
    - ALSA: hda: Fix possible null-ptr-deref when assigning a stream
    - PCI: tegra194: Use FIELD_GET()/FIELD_PREP() with Link Width fields
    - atm: iphase: Do PCI error checks on own line
    - scsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup()
    - HID: Add quirk for Dell Pro Wireless Keyboard and Mouse KM5221W
    - tty: vcc: Add check for kstrdup() in vcc_probe()
    - usb: gadget: f_ncm: Always set current gadget in ncm_bind()
    - i2c: sun6i-p2wi: Prevent potential division by zero
    - media: gspca: cpia1: shift-out-of-bounds in set_flicker
    - media: vivid: avoid integer overflow
    - gfs2: ignore negated quota changes
    - media: cobalt: Use FIELD_GET() to extract Link Width
    - drm/amd/display: Avoid NULL dereference of timing generator
    - kgdb: Flush console before entering kgdb on panic
    - ASoC: ti: omap-mcbsp: Fix runtime PM underflow warnings
    - pwm: Fix double shift bug
    - wifi: iwlwifi: Use FW rate for non-data frames
    - NFSv4.1: fix SP4_MACH_CRED protection for pnfs IO
    - ipvlan: add ipvlan_route_v6_outbound() helper
    - tty: Fix uninit-value access in ppp_sync_receive()
    - net: hns3: fix variable may not initialized problem in hns3_init_mac_addr()
    - tipc: Fix kernel-infoleak due to uninitialized TLV value
    - ppp: limit MRU to 64K
    - xen/events: fix delayed eoi list handling
    - ptp: annotate data-race around q->head and q->tail
    - bonding: stop the device in bond_setup_by_slave()
    - net: ethernet: cortina: Fix max RX frame define
    - net: ethernet: cortina: Handle large frames
    - net: ethernet: cortina: Fix MTU max setting
    - netfilter: nf_conntrack_bridge: initialize err to 0
    - net: stmmac: Rework stmmac_rx()
    - net: stmmac: fix rx budget limit check
    - net/mlx5_core: Clean driver version and name
    - net/mlx5e: Check return value of snprintf writing to fw_version buffer for
      representors
    - macvlan: Don't propagate promisc change to lower dev in passthru
    - tools/power/turbostat: Fix a knl bug
    - cifs: spnego: add ';' in HOST_KEY_LEN
    - media: venus: hfi: add checks to perform sanity on queue pointers
    - randstruct: Fix gcc-plugin performance mode to stay in group
    - bpf: Fix precision tracking for BPF_ALU | BPF_TO_BE | BPF_END
    - scsi: megaraid_sas: Increase register read retry rount from 3 to 30 for
      selected registers
    - x86/cpu/hygon: Fix the CPU topology evaluation for real
    - KVM: x86: hyper-v: Don't auto-enable stimer on write from user-space
    - KVM: x86: Ignore MSR_AMD64_TW_CFG access
    - audit: don't take task_lock() in audit_exe_compare() code path
    - audit: don't WARN_ON_ONCE(!current->mm) in audit_exe_compare()
    - hvc/xen: fix error path in xen_hvc_init() to always register frontend driver
    - PCI/sysfs: Protect driver's D3cold preference from user space
    - ACPI: resource: Do IRQ override on TongFang GMxXGxx
    - mmc: meson-gx: Remove setting of CMD_CFG_ERROR
    - genirq/generic_chip: Make irq_remove_generic_chip() irqdomain aware
    - PCI: keystone: Don't discard .remove() callback
    - PCI: keystone: Don't discard .probe() callback
    - parisc/pdc: Add width field to struct pdc_model
    - clk: qcom: ipq8074: drop the CLK_SET_RATE_PARENT flag from PLL clocks
    - mmc: vub300: fix an error code
    - PM: hibernate: Use __get_safe_page() rather than touching the list
    - PM: hibernate: Clean up sync_read handling in snapshot_write_next()
    - btrfs: don't arbitrarily slow down delalloc if we're committing
    - jbd2: fix potential data lost in recovering journal raced with synchronizing
      fs bdev
    - quota: explicitly forbid quota files from being encrypted
    - kernel/reboot: emergency_restart: Set correct system_state
    - i2c: core: Run atomic i2c xfer when !preemptible
    - mcb: fix error handling for different scenarios when parsing
    - dmaengine: stm32-mdma: correct desc prep when channel running
    - mm/cma: use nth_page() in place of direct struct page manipulation
    - i3c: master: cdns: Fix reading status register
    - parisc: Prevent booting 64-bit kernels on PA1.x machines
    - parisc/pgtable: Do not drop upper 5 address bits of physical address
    - ALSA: info: Fix potential deadlock at disconnection
    - ALSA: hda/realtek - Enable internal speaker of ASUS K6500ZC
    - serial: meson: remove redundant initialization of variable id
    - tty: serial: meson: retrieve port FIFO size from DT
    - serial: meson: Use platform_get_irq() to get the interrupt
    - tty: serial: meson: fix hard LOCKUP on crtscts mode
    - Bluetooth: btusb: add Realtek 8822CE to usb_device_id table
    - Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0cb8:0xc559
    - bluetooth: Add device 0bda:887b to device tables
    - bluetooth: Add device 13d3:3571 to device tables
    - Bluetooth: btusb: Add RTW8852BE device 13d3:3570 to device tables
    - Bluetooth: btusb: Add 0bda:b85b for Fn-Link RTL8852BE
    - Revert ncsi: Propagate carrier gain/loss events to the NCSI controller
    - net: dsa: lan9303: consequently nested-lock physical MDIO
    - i2c: i801: fix potential race in i801_block_transaction_byte_by_byte
    - media: lirc: drop trailing space from scancode transmit
    - media: sharp: fix sharp encoding
    - media: venus: hfi_parser: Add check to keep the number of codecs within
      range
    - media: venus: hfi: fix the check to handle session buffer requirement
    - media: venus: hfi: add checks to handle capabilities from firmware
    - nfsd: fix file memleak on client_opens_release
    - ext4: apply umask if ACL support is disabled
    - ext4: correct offset of gdb backup in non meta_bg group to update_backups
    - ext4: correct return value of ext4_convert_meta_bg
    - ext4: correct the start block of counting reserved clusters
    - ext4: remove gdb backup copy for meta bg in setup_new_flex_group_blocks
    - drm/amdgpu: fix error handling in amdgpu_bo_list_get()
    - tracing: Have trace_event_file have ref counters
    - netfilter: nf_tables: pass context to nft_set_destroy()
    - netfilter: nftables: rename set element data activation/deactivation
      functions
    - netfilter: nf_tables: drop map element references from preparation phase
    - netfilter: nft_set_rbtree: Switch to node list walk for overlap detection
    - netfilter: nft_set_rbtree: fix null deref on element insertion
    - netfilter: nft_set_rbtree: fix overlap expiration walk
    - netfilter: nf_tables: don't skip expired elements during walk
    - netfilter: nf_tables: GC transaction API to avoid race with control plane
    - netfilter: nf_tables: adapt set backend to use GC transaction API
    - netfilter: nft_set_hash: mark set element as dead when deleting from packet
      path
    - netfilter: nf_tables: remove busy mark and gc batch API
    - netfilter: nf_tables: fix GC transaction races with netns and netlink event
      exit path
    - netfilter: nf_tables: GC transaction race with netns dismantle
    - netfilter: nf_tables: GC transaction race with abort path
    - netfilter: nf_tables: use correct lock to protect gc_list
    - netfilter: nf_tables: defer gc run if previous batch is still pending
    - netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction
    - netfilter: nft_set_rbtree: use read spinlock to avoid datapath contention
    - netfilter: nft_set_hash: try later when GC hits EAGAIN on iteration
    - netfilter: nf_tables: fix memleak when more than 255 elements expired
    - netfilter: nf_tables: unregister flowtable hooks on netns exit
    - netfilter: nf_tables: double hook unregistration in netns path
    - netfilter: nftables: update table flags from the commit phase
    - netfilter: nf_tables: fix table flag updates
    - netfilter: nf_tables: disable toggling dormant table state more than once
    - netfilter: nf_tables: bogus EBUSY when deleting flowtable after flush (for
      5.4)
    - Linux 5.4.262

* Focal update: v5.4.261 upstream stable release (LP: #2049049)
    - vfs: fix readahead(2) on block devices
    - genirq/matrix: Exclude managed interrupts in irq_matrix_allocated()
    - i40e: fix potential memory leaks in i40e_remove()
    - tcp: call tcp_try_undo_recovery when an RTOd TFO SYNACK is ACKed
    - wifi: rtw88: debug: Fix the NULL vs IS_ERR() bug for debugfs_create_file()
    - wifi: mt76: mt7603: rework/fix rx pse hang check
    - tcp_metrics: add missing barriers on delete
    - tcp_metrics: properly set tp->snd_ssthresh in tcp_init_metrics()
    - tcp_metrics: do not create an entry from tcp_init_metrics()
    - wifi: rtlwifi: fix EDCA limit set by BT coexistence
    - can: dev: can_restart(): don't crash kernel if carrier is OK
    - can: dev: can_restart(): fix race condition between controller restart and
      netif_carrier_on()
    - thermal: core: prevent potential string overflow
    - r8169: use tp_to_dev instead of open code
    - r8169: fix rare issue with broken rx after link-down on RTL8125
    - chtls: fix tp->rcv_tstamp initialization
    - tcp: Remove one extra ktime_get_ns() from cookie_init_timestamp
    - tcp: fix cookie_init_timestamp() overflows
    - ACPI: sysfs: Fix create_pnp_modalias() and create_of_modalias()
    - ipv6: avoid atomic fragment on GSO packets
    - net: add DEV_STATS_READ() helper
    - ipvlan: properly track tx_errors
    - regmap: debugfs: Fix a erroneous check after snprintf()
    - clk: qcom: clk-rcg2: Fix clock rate overflow for high parent frequencies
    - clk: qcom: gcc-sm8150: use ARRAY_SIZE instead of specifying num_parents
    - clk: qcom: gcc-sm8150: Fix gcc_sdcc2_apps_clk_src
    - clk: imx: Select MXC_CLK for CLK_IMX8QXP
    - clk: keystone: pll: fix a couple NULL vs IS_ERR() checks
    - clk: npcm7xx: Fix incorrect kfree
    - clk: mediatek: clk-mt6779: Add check for mtk_alloc_clk_data
    - clk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data
    - clk: mediatek: clk-mt7629-eth: Add check for mtk_alloc_clk_data
    - clk: mediatek: clk-mt7629: Add check for mtk_alloc_clk_data
    - clk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data
    - platform/x86: wmi: Fix probe failure when failing to register WMI devices
    - platform/x86: wmi: remove unnecessary initializations
    - platform/x86: wmi: Fix opening of char device
    - hwmon: (coretemp) Fix potentially truncated sysfs attribute name
    - drm/rockchip: vop: Fix reset of state in duplicate state crtc funcs
    - drm/rockchip: vop: Fix call to crtc reset helper
    - drm/radeon: possible buffer overflow
    - drm/rockchip: cdn-dp: Fix some error handling paths in cdn_dp_probe()
    - arm64: dts: qcom: sdm845-mtp: fix WiFi configuration
    - ARM: dts: qcom: mdm9615: populate vsdcc fixed regulator
    - soc: qcom: llcc cleanup to get rid of sdm845 specific driver file
    - [Config] remove CONFIG_QCOM_SDM845_LLCC
    - soc: qcom: Rename llcc-slice to llcc-qcom
    - [Config] remove llcc-slice module
    - soc: qcom: llcc: Handle a second device without data corruption
    - firmware: ti_sci: Replace HTTP links with HTTPS ones
    - firmware: ti_sci: Mark driver as non removable
    - clk: scmi: Free scmi_clk allocated when the clocks with invalid info are
      skipped
    - hwrng: geode - fix accessing registers
    - libnvdimm/of_pmem: Use devm_kstrdup instead of kstrdup and check its return
      value
    - sched/rt: Provide migrate_disable/enable() inlines
    - nd_btt: Make BTT lanes preemptible
    - crypto: caam/qi2 - fix Chacha20 + Poly1305 self test failure
    - crypto: caam/jr - fix Chacha20 + Poly1305 self test failure
    - HID: cp2112: Use irqchip template
    - hid: cp2112: Fix duplicate workqueue initialization
    - ARM: 9321/1: memset: cast the constant byte to unsigned char
    - ext4: move 'ix' sanity check to corrent position
    - scsi: ufs: core: Leave space for '\0' in utf8 desc string
    - RDMA/hfi1: Workaround truncation compilation error
    - sh: bios: Revive earlyprintk support
    - ASoC: Intel: Skylake: Fix mem leak when parsing UUIDs fails
    - ASoC: ams-delta.c: use component after check
    - mfd: dln2: Fix double put in dln2_probe
    - leds: pwm: simplify if condition
    - leds: pwm: convert to atomic PWM API
    - leds: pwm: Don't disable the PWM when the LED should be off
    - ledtrig-cpu: Limit to 8 CPUs
    - leds: trigger: ledtrig-cpu:: Fix 'output may be truncated' issue for 'cpu'
    - tty: tty_jobctrl: fix pid memleak in disassociate_ctty()
    - usb: dwc2: fix possible NULL pointer dereference caused by driver
      concurrency
    - dmaengine: ti: edma: handle irq_of_parse_and_map() errors
    - misc: st_core: Do not call kfree_skb() under spin_lock_irqsave()
    - tools: iio: privatize globals and functions in iio_generic_buffer.c file
    - tools: iio: iio_generic_buffer: Fix some integer type and calculation
    - tools: iio: iio_generic_buffer ensure alignment
    - USB: usbip: fix stub_dev hub disconnect
    - dmaengine: pxa_dma: Remove an erroneous BUG_ON() in pxad_free_desc()
    - f2fs: fix to initialize map.m_pblk in f2fs_precache_extents()
    - modpost: fix tee MODULE_DEVICE_TABLE built on big-endian host
    - powerpc/xive: Fix endian conversion size
    - powerpc/imc-pmu: Use the correct spinlock initializer.
    - powerpc/pseries: fix potential memory leak in init_cpu_associativity()
    - i3c: Fix potential refcount leak in i3c_master_register_new_i3c_devs
    - rtc: pcf85363: fix wrong mask/val parameters in regmap_update_bits call
    - pcmcia: cs: fix possible hung task and memory leak pccardd()
    - pcmcia: ds: fix refcount leak in pcmcia_device_add()
    - pcmcia: ds: fix possible name leak in error path in pcmcia_device_add()
    - media: bttv: fix use after free error due to btv->timeout timer
    - media: s3c-camif: Avoid inappropriate kfree()
    - media: dvb-usb-v2: af9035: fix missing unlock
    - regmap: prevent noinc writes from clobbering cache
    - pwm: sti: Avoid conditional gotos
    - pwm: sti: Reduce number of allocations and drop usage of chip_data
    - pwm: brcmstb: Utilize appropriate clock APIs in suspend/resume
    - Input: synaptics-rmi4 - fix use after free in rmi_unregister_function()
    - llc: verify mac len before reading mac header
    - tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING
    - inet: shrink struct flowi_common
    - dccp: Call security_inet_conn_request() after setting IPv4 addresses.
    - dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses.
    - Fix termination state for idr_for_each_entry_ul()
    - net: stmmac: xgmac: Enable support for multiple Flexible PPS outputs
    - net/smc: fix dangling sock under state SMC_APPFINCLOSEWAIT
    - tg3: power down device only on SYSTEM_POWER_OFF
    - r8169: respect userspace disabling IFF_MULTICAST
    - netfilter: xt_recent: fix (increase) ipv6 literal buffer length
    - netfilter: nft_redir: use `struct nf_nat_range2` throughout and deduplicate
      eval call-backs
    - netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses
    - drm/syncobj: fix DRM_SYNCOBJ_WAIT_FLAGS_WAIT_AVAILABLE
    - spi: spi-zynq-qspi: add spi-mem to driver kconfig dependencies
    - fbdev: imsttfb: Fix error path of imsttfb_probe()
    - fbdev: imsttfb: fix a resource leak in probe
    - fbdev: fsl-diu-fb: mark wr_reg_wa() static
    - Revert "mmc: core: Capture correct oemid-bits for eMMC cards"
    - btrfs: use u64 for buffer sizes in the tree search ioctls
    - Linux 5.4.261

* Focal update: v5.4.260 upstream stable release (LP: #2049024)
    - mtd: rawnand: marvell: Ensure program page operations are successful
    - selftests/ftrace: Add new test case which checks non unique symbol
    - mcb: Return actual parsed size when reading chameleon table
    - mcb-lpc: Reallocate memory region to avoid memory overlapping
    - virtio_balloon: Fix endless deflation and inflation on arm64
    - virtio-mmio: fix memory leak of vm_dev
    - r8169: fix the KCSAN reported data-race in rtl_tx while reading
      TxDescArray[entry].opts1
    - r8169: fix the KCSAN reported data race in rtl_rx while reading desc->opts1
    - treewide: Spelling fix in comment
    - igb: Fix potential memory leak in igb_add_ethtool_nfc_entry
    - neighbour: fix various data-races
    - igc: Fix ambiguity in the ethtool advertising
    - net: ieee802154: adf7242: Fix some potential buffer overflow in
      adf7242_stats_show()
    - r8152: Increase USB control msg timeout to 5000ms as per spec
    - r8152: Run the unload routine if we have errors during probe
    - r8152: Cancel hw_phy_work if we have an error in probe
    - tcp: fix wrong RTO timeout when received SACK reneging
    - gtp: uapi: fix GTPA_MAX
    - gtp: fix fragmentation needed check with gso
    - iio: exynos-adc: request second interupt only when touchscreen mode is used
    - i2c: muxes: i2c-mux-pinctrl: Use of_get_i2c_adapter_by_node()
    - i2c: muxes: i2c-mux-gpmux: Use of_get_i2c_adapter_by_node()
    - i2c: muxes: i2c-demux-pinctrl: Use of_get_i2c_adapter_by_node()
    - i2c: stm32f7: Fix PEC handling in case of SMBUS transfers
    - i2c: aspeed: Fix i2c bus hang in slave read
    - nvmem: imx: correct nregs for i.MX6ULL
    - nvmem: imx: correct nregs for i.MX6SLL
    - nvmem: imx: correct nregs for i.MX6UL
    - perf/core: Fix potential NULL deref
    - clk: Sanitize possible_parent_show to Handle Return Value of
      of_clk_get_parent_name
    - i40e: Fix wrong check for I40E_TXR_FLAGS_WB_ON_ITR
    - x86/i8259: Skip probing when ACPI/MADT advertises PCAT compatibility
    - drm/dp_mst: Fix NULL deref in get_mst_branch_device_by_guid_helper()
    - arm64: fix a concurrency issue in emulation_proc_handler()
    - smbdirect: missing rc checks while waiting for rdma events
    - f2fs: fix to do sanity check on inode type during garbage collection
    - nfsd: lock_rename() needs both directories to live on the same fs
    - x86/mm: Simplify RESERVE_BRK()
    - x86/mm: Fix RESERVE_BRK() for older binutils
    - ext4: add two helper functions extent_logical_end() and pa_logical_end()
    - ext4: avoid overlapping preallocations due to overflow
    - ext4: fix BUG in ext4_mb_new_inode_pa() due to overflow
    - driver: platform: Add helper for safer setting of driver_override
    - rpmsg: Constify local variable in field store macro
    - rpmsg: Fix kfree() of static memory on setting driver_override
    - rpmsg: Fix calling device_lock() on non-initialized device
    - rpmsg: glink: Release driver_override
    - rpmsg: Fix possible refcount leak in rpmsg_register_device_override()
    - x86: Fix .brk attribute in linker script
    - Input: i8042 - add Fujitsu Lifebook E5411 to i8042 quirk table
    - irqchip/stm32-exti: add missing DT IRQ flag translation
    - dmaengine: ste_dma40: Fix PM disable depth imbalance in d40_probe
    - Input: synaptics-rmi4 - handle reset delay when using SMBus trsnsport
    - fbdev: atyfb: only use ioremap_uc() on i386 and ia64
    - spi: npcm-fiu: Fix UMA reads when dummy.nbytes == 0
    - netfilter: nfnetlink_log: silence bogus compiler warning
    - ASoC: rt5650: fix the wrong result of key button
    - fbdev: uvesafb: Call cn_del_callback() at the end of uvesafb_exit()
    - scsi: mpt3sas: Fix in error path
    - platform/x86: asus-wmi: Change ASUS_WMI_BRN_DOWN code from 0x20 to 0x2e
    - platform/mellanox: mlxbf-tmfifo: Fix a warning message
    - net: chelsio: cxgb4: add an error code check in t4_load_phy_fw
    - ata: ahci: fix enum constants for gcc-13
    - remove the sx8 block driver
    - [Config] remove CONFIG_BLK_DEV_SX8
    - Revert "ARM: dts: Move am33xx and am43xx mmc nodes to sdhci-omap driver"
    - PCI: Prevent xHCI driver from claiming AMD VanGogh USB3 DRD device
    - usb: storage: set 1.50 as the lower bcdDevice for older "Super Top"
      compatibility
    - tty: 8250: Remove UC-257 and UC-431
    - tty: 8250: Add support for additional Brainboxes UC cards
    - tty: 8250: Add support for Brainboxes UP cards
    - tty: 8250: Add support for Intashield IS-100
    - Linux 5.4.260

* CVE-2023-51779
    - Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg

* CVE-2023-22995
    - usb: dwc3: dwc3-qcom: Add missing platform_device_put() in
      dwc3_qcom_acpi_register_core

-- Stefan Bader <stefan.bader@canonical.com>  Fri, 02 Feb 2024 14:22:27 +0100

Changed in linux (Ubuntu Focal):
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package