This bug was fixed in the package linux-raspi - 5.4.0-1114.126

---------------
linux-raspi (5.4.0-1114.126) focal; urgency=medium

  * focal/linux-raspi: 5.4.0-1114.126 -proposed tracker (LP: #2072271)

  [ Ubuntu: 5.4.0-192.212 ]

  * focal/linux: 5.4.0-192.212 -proposed tracker (LP: #2072305)

  * Focal update: v5.4.278 upstream stable release (LP: #2071668)
    - x86/tsc: Trust initial offset in architectural TSC-adjust MSRs
    - speakup: Fix sizeof() vs ARRAY_SIZE() bug
    - ring-buffer: Fix a race between readers and resize checks
    - net: smc91x: Fix m68k kernel compilation for ColdFire CPU
    - nilfs2: fix unexpected freezing of nilfs_segctor_sync()
    - nilfs2: fix potential hang in nilfs_detach_log_writer()
    - wifi: cfg80211: fix the order of arguments for trace events of the tx_rx_evt class
    - net: usb: qmi_wwan: add Telit FN920C04 compositions
    - drm/amd/display: Set color_mgmt_changed to true on unsuspend
    - ASoC: rt5645: Fix the electric noise due to the CBJ contacts floating
    - ASoC: dt-bindings: rt5645: add cbj sleeve gpio property
    - ASoC: da7219-aad: fix usage of device_get_named_child_node()
    - drm/amdkfd: Flush the process wq before creating a kfd_process
    - nvme: find numa distance only if controller has valid numa id
    - openpromfs: finish conversion to the new mount API
    - crypto: bcm - Fix pointer arithmetic
    - firmware: raspberrypi: Use correct device for DMA mappings
    - ecryptfs: Fix buffer size for tag 66 packet
    - nilfs2: fix out-of-range warning
    - parisc: add missing export of __cmpxchg_u8()
    - crypto: ccp - drop platform ifdef checks
    - s390/cio: fix tracepoint subchannel type field
    - jffs2: prevent xattr node from overflowing the eraseblock
    - null_blk: Fix missing mutex_destroy() at module removal
    - md: fix resync softlockup when bitmap size is less than array size
    - wifi: ath10k: poll service ready message before failing
    - x86/boot: Ignore relocations in .notes sections in walk_relocs() too
    - qed: avoid truncating work queue length
    - scsi: ufs: qcom: Perform read back after
      writing reset bit
    - scsi: ufs: cdns-pltfrm: Perform read back after writing HCLKDIV
    - scsi: ufs: core: Perform read back after disabling interrupts
    - scsi: ufs: core: Perform read back after disabling UIC_COMMAND_COMPL
    - irqchip/alpine-msi: Fix off-by-one in allocation error path
    - ACPI: disable -Wstringop-truncation
    - cpufreq: Reorganize checks in cpufreq_offline()
    - cpufreq: Split cpufreq_offline()
    - cpufreq: Rearrange locking in cpufreq_remove_dev()
    - cpufreq: exit() callback is optional
    - scsi: libsas: Fix the failure of adding phy with zero-address to port
    - scsi: hpsa: Fix allocation size for Scsi_Host private data
    - x86/purgatory: Switch to the position-independent small code model
    - wifi: ath10k: Fix an error code problem in ath10k_dbg_sta_write_peer_debug_trigger()
    - wifi: ath10k: populate board data for WCN3990
    - tcp: minor optimization in tcp_add_backlog()
    - tcp: fix a signed-integer-overflow bug in tcp_add_backlog()
    - tcp: avoid premature drops in tcp_add_backlog()
    - macintosh/via-macii: Fix "BUG: sleeping function called from invalid context"
    - wifi: carl9170: add a proper sanity check for endpoints
    - wifi: ar5523: enable proper endpoint verification
    - sh: kprobes: Merge arch_copy_kprobe() into arch_prepare_kprobe()
    - Revert "sh: Handle calling csum_partial with misaligned data"
    - HID: intel-ish-hid: ipc: Add check for pci_alloc_irq_vectors
    - scsi: bfa: Ensure the copied buf is NUL terminated
    - scsi: qedf: Ensure the copied buf is NUL terminated
    - wifi: mwl8k: initialize cmd->addr[] properly
    - usb: aqc111: stop lying about skb->truesize
    - net: usb: sr9700: stop lying about skb->truesize
    - m68k: Fix spinlock race in kernel thread creation
    - m68k: mac: Fix reboot hang on Mac IIci
    - net: ethernet: cortina: Locking fixes
    - af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg
    - net: usb: smsc95xx: stop lying about skb->truesize
    - net: openvswitch: fix overwriting ct original tuple for ICMPv6
    - ipv6: sr: add missing seg6_local_exit
    - ipv6: sr:
      fix incorrect unregister order
    - ipv6: sr: fix invalid unregister error path
    - drm/amd/display: Fix potential index out of bounds in color transformation function
    - mtd: rawnand: hynix: fixed typo
    - fbdev: shmobile: fix snprintf truncation
    - drm/mediatek: Add 0 size check to mtk_drm_gem_obj
    - powerpc/fsl-soc: hide unused const variable
    - fbdev: sisfb: hide unused variables
    - media: ngene: Add dvb_ca_en50221_init return value check
    - media: radio-shark2: Avoid led_names truncations
    - platform/x86: wmi: Make two functions static
    - fbdev: sh7760fb: allow modular build
    - drm/arm/malidp: fix a possible null pointer dereference
    - ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value
    - drm/panel: simple: Add missing Innolux G121X1-L03 format, flags, connector
    - RDMA/hns: Use complete parentheses in macros
    - x86/insn: Fix PUSH instruction in x86 instruction decoder opcode map
    - ext4: avoid excessive credit estimate in ext4_tmpfile()
    - sunrpc: removed redundant procp check
    - SUNRPC: Fix gss_free_in_token_pages()
    - selftests/kcmp: Make the test output consistent and clear
    - selftests/kcmp: remove unused open mode
    - RDMA/IPoIB: Fix format truncation compilation errors
    - netrom: fix possible dead-lock in nr_rt_ioctl()
    - af_packet: do not call packet_read_pending() from tpacket_destruct_skb()
    - sched/topology: Don't set SD_BALANCE_WAKE on cpuset domain relax
    - sched/fair: Allow disabling sched_balance_newidle with sched_relax_domain_level
    - greybus: lights: check return of get_channel_from_mode
    - soundwire: cadence/intel: simplify PDI/port mapping
    - soundwire: intel: don't filter out PDI0/1
    - soundwire: cadence_master: improve PDI allocation
    - soundwire: cadence: fix invalid PDI offset
    - dmaengine: idma64: Add check for dma_set_max_seg_size
    - firmware: dmi-id: add a release callback function
    - serial: max3100: Lock port->lock when calling uart_handle_cts_change()
    - serial: max3100: Update uart_driver_registered on driver removal
    - serial: max3100: Fix bitwise types
    - greybus:
      arche-ctrl: move device table to its right location
    - iio: pressure: dps310: support negative temperature values
    - microblaze: Remove gcc flag for non existing early_printk.c file
    - microblaze: Remove early printk call from cpuinfo-static.c
    - usb: gadget: u_audio: Clear uac pointer when freed.
    - stm class: Fix a double free in stm_register_device()
    - ppdev: Remove usage of the deprecated ida_simple_xx() API
    - ppdev: Add an error check in register_device
    - extcon: max8997: select IRQ_DOMAIN instead of depending on it
    - f2fs: fix to release node block count in error path of f2fs_new_node_page()
    - serial: sh-sci: protect invalidating RXDMA on shutdown
    - libsubcmd: Fix parse-options memory leak
    - Input: ims-pcu - fix printf string overflow
    - Input: pm8xxx-vibrator - correct VIB_MAX_LEVELS calculation
    - drm/msm/dpu: Always flush the slave INTF on the CTL
    - um: Fix return value in ubd_init()
    - um: Add winch to winch_handlers before registering winch IRQ
    - media: stk1160: fix bounds checking in stk1160_copy_video()
    - scsi: qla2xxx: Replace all non-returning strlcpy() with strscpy()
    - powerpc/pseries: Add failure related checks for h_get_mpp and h_get_ppp
    - um: Fix the -Wmissing-prototypes warning for __switch_mm
    - media: cec: cec-adap: always cancel work in cec_transmit_msg_fh
    - media: cec: cec-api: add locking in cec_release()
    - null_blk: Fix the WARNING: modpost: missing MODULE_DESCRIPTION()
    - x86/kconfig: Select ARCH_WANT_FRAME_POINTERS again when UNWINDER_FRAME_POINTER=y
    - [Config] Update CONFIG_ARCH_WANT_FRAME_POINTERS
    - nfc: nci: Fix uninit-value in nci_rx_work
    - sunrpc: fix NFSACL RPC retry on soft mount
    - ipv6: sr: fix memleak in seg6_hmac_init_algo
    - params: lift param_set_uint_minmax to common code
    - tcp: Fix shift-out-of-bounds in dctcp_update_alpha().
    - openvswitch: Set the skbuff pkt_type for proper pmtud support.
    - arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY
    - virtio: delete vq in vp_find_vqs_msix() when request_irq() fails
    - net: fec: avoid lock evasion when reading pps_enable
    - nfc: nci: Fix kcov check in nci_rx_work()
    - nfc: nci: Fix handling of zero-length payload packets in nci_rx_work()
    - netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu()
    - spi: Don't mark message DMA mapped when no transfer in it is
    - nvmet: fix ns enable/disable possible hang
    - net/mlx5e: Use rx_missed_errors instead of rx_dropped for reporting buffer exhaustion
    - dma-buf/sw-sync: don't enable IRQ from sync_print_obj()
    - enic: Validate length of nl attributes in enic_set_vf_port
    - smsc95xx: remove redundant function arguments
    - smsc95xx: use usbnet->driver_priv
    - net: usb: smsc95xx: fix changing LED_SEL bit value updated from EEPROM
    - net:fec: Add fec_enet_deinit()
    - netfilter: tproxy: bail out if IP has been disabled on the device
    - kconfig: fix comparison to constant symbols, 'm', 'n'
    - spi: stm32: Don't warn about spurious interrupts
    - ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound
    - ALSA: timer: Set lower bound of start tick time
    - genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline
    - SUNRPC: Fix loop termination condition in gss_free_in_token_pages()
    - binder: fix max_thread type inconsistency
    - mmc: core: Do not force a retune before RPMB switch
    - io_uring: fail NOP if non-zero op flags is passed in
    - afs: Don't cross .backup mountpoint from backup volume
    - nilfs2: fix use-after-free of timer for log writer thread
    - vxlan: Fix regression when dropping packets due to invalid src addresses
    - x86/mm: Remove broken vsyscall emulation code from the page fault code
    - f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()
    - media: lgdt3306a: Add a check against null-pointer-def
    - drm/amdgpu: add error handle to avoid out-of-bounds
    - ata: pata_legacy: make legacy_exit() work again
    - ACPI: resource: Do IRQ override on
      TongFang GXxHRXx and GMxHGxx
    - arm64: tegra: Correct Tegra132 I2C alias
    - md/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING
    - wifi: rtl8xxxu: Fix the TX power of RTL8192CU, RTL8723AU
    - arm64: dts: hi3798cv200: fix the size of GICR
    - media: mc: mark the media devnode as registered from the, start
    - media: mxl5xx: Move xpt structures off stack
    - media: v4l2-core: hold videodev_lock until dev reg, finishes
    - fbdev: savage: Handle err return when savagefb_check_var failed
    - KVM: arm64: Allow AArch32 PSTATE.M to be restored as System mode
    - crypto: ecrdsa - Fix module auto-load on add_key
    - crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak
    - net/ipv6: Fix route deleting failure when metric equals 0
    - net/9p: fix uninit-value in p9_client_rpc()
    - intel_th: pci: Add Meteor Lake-S CPU support
    - sparc64: Fix number of online CPUs
    - kdb: Fix buffer overflow during tab-complete
    - kdb: Use format-strings rather than '\0' injection in kdb_read()
    - kdb: Fix console handling when editing and tab-completing commands
    - kdb: Merge identical case statements in kdb_read()
    - kdb: Use format-specifiers rather than memset() for padding in kdb_read()
    - net: fix __dst_negative_advice() race
    - xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING
    - sparc: move struct termio to asm/termios.h
    - ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()
    - s390/ap: Fix crash in AP internal function modify_bitmap()
    - nfs: fix undefined behavior in nfs_block_bits()
    - Linux 5.4.278

  * CVE-2024-27019
    - netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV
    - netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()

  * CVE-2024-26886
    - Bluetooth: af_bluetooth: Fix deadlock

  * CVE-2023-52752
    - smb: client: fix use-after-free bug in cifs_debug_data_proc_show()

  * CVE-2022-48674
    - erofs: fix pcluster use-after-free on UP platforms

  * Focal update: v5.4.277 upstream stable release (LP: #2070179)
    - pinctrl: core: handle
      radix_tree_insert() errors in pinctrl_register_one_pin()
    - ext4: fix bug_on in __es_tree_search
    - Revert "selftests: mm: fix map_hugetlb failure on 64K page size systems"
    - Revert "net: bcmgenet: use RGMII loopback for MAC reset"
    - net: bcmgenet: keep MAC in reset until PHY is up
    - net: bcmgenet: synchronize EXT_RGMII_OOB_CTRL access
    - net: bcmgenet: synchronize use of bcmgenet_set_rx_mode()
    - net: bcmgenet: synchronize UMAC_CMD access
    - smb: client: fix potential OOBs in smb2_parse_contexts()
    - arm64: dts: qcom: Fix 'interrupt-map' parent address cells
    - btrfs: add missing mutex_unlock in btrfs_relocate_sys_chunks()
    - drm/amdgpu: Fix possible NULL dereference in amdgpu_ras_query_error_status_helper()
    - usb: typec: ucsi: displayport: Fix potential deadlock
    - serial: kgdboc: Fix NMI-safety problems from keyboard reset code
    - docs: kernel_include.py: Cope with docutils 0.21
    - Linux 5.4.277

  * Focal update: v5.4.276 upstream stable release (LP: #2069758)
    - dmaengine: pl330: issue_pending waits until WFP state
    - dmaengine: Revert "dmaengine: pl330: issue_pending waits until WFP state"
    - wifi: nl80211: don't free NULL coalescing rule
    - pinctrl: core: delete incorrect free in pinctrl_enable()
    - pinctrl: mediatek: Check gpio pin number and use binary search in mtk_hw_pin_field_lookup()
    - pinctrl: mediatek: Supporting driving setting without mapping current to register value
    - pinctrl: mediatek: Refine mtk_pinconf_get() and mtk_pinconf_set()
    - pinctrl: mediatek: Refine mtk_pinconf_get()
    - pinctrl: mediatek: Backward compatible to previous Mediatek's bias-pull usage
    - pinctrl: mediatek: remove shadow variable declaration
    - pinctrl: mediatek: paris: Fix PIN_CONFIG_BIAS_* readback
    - pinctrl: mediatek: paris: Rework mtk_pinconf_{get,set} switch/case logic
    - pinctrl: mediatek: paris: Rework support for PIN_CONFIG_{INPUT,OUTPUT}_ENABLE
    - sunrpc: add a struct rpc_stats arg to rpc_create_args
    - nfs: expose /proc/net/sunrpc/nfs in net namespaces
    - nfs: make the rpc_stat per net
      namespace
    - nfs: Handle error of rpc_proc_register() in nfs_net_init().
    - power: rt9455: hide unused rt9455_boost_voltage_values
    - pinctrl: devicetree: fix refcount leak in pinctrl_dt_to_map()
    - s390/mm: Fix storage key clearing for guest huge pages
    - s390/mm: Fix clearing storage keys for huge pages
    - bna: ensure the copied buf is NUL terminated
    - nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment().
    - net l2tp: drop flow hash on forward
    - net: qede: use return from qede_parse_flow_attr() for flow_spec
    - net: dsa: mv88e6xxx: Add number of MACs in the ATU
    - net: dsa: mv88e6xxx: Fix number of databases for 88E6141 / 88E6341
    - net: bridge: fix multicast-to-unicast with fraglist GSO
    - tipc: fix a possible memleak in tipc_buf_append
    - clk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change
    - scsi: lpfc: Update lpfc_ramp_down_queue_handler() logic
    - gfs2: Fix invalid metadata access in punch_hole
    - wifi: mac80211: fix ieee80211_bss_*_flags kernel-doc
    - wifi: cfg80211: fix rdev_dump_mpp() arguments order
    - net: mark racy access on sk->sk_rcvbuf
    - scsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload
    - ALSA: line6: Zero-initialize message buffers
    - net: bcmgenet: Reset RBUF on first open
    - ata: sata_gemini: Check clk_enable() result
    - firewire: ohci: mask bus reset interrupts between ISR and bottom half
    - tools/power turbostat: Fix added raw MSR output
    - tools/power turbostat: Fix Bzy_MHz documentation typo
    - btrfs: make btrfs_clear_delalloc_extent() free delalloc reserve
    - btrfs: always clear PERTRANS metadata during commit
    - scsi: target: Fix SELinux error when systemd-modules loads the target module
    - gpu: host1x: Do not setup DMA for virtual devices
    - MIPS: scall: Save thread_info.syscall unconditionally on entry
    - selftests: timers: Fix valid-adjtimex signed left-shift undefined behavior
    - fs/9p: only translate RWX permissions for plain 9P2000
    - fs/9p: translate O_TRUNC into OTRUNC
    - 9p: explicitly deny setlease
      attempts
    - gpio: wcove: Use -ENOTSUPP consistently
    - gpio: crystalcove: Use -ENOTSUPP consistently
    - clk: Don't hold prepare_lock when calling kref_put()
    - fs/9p: drop inodes immediately on non-.L too
    - net:usb:qmi_wwan: support Rolling modules
    - pinctrl: mediatek: Fix fallback call path
    - xfrm: Preserve vlan tags for transport mode software GRO
    - tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets
    - tcp: Use refcount_inc_not_zero() in tcp_twsk_unique().
    - Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout
    - Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout
    - rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation
    - phonet: fix rtm_phonet_notify() skb allocation
    - net: bridge: fix corrupted ethernet header on multicast-to-unicast
    - ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()
    - net: qede: sanitize 'rc' in qede_add_tc_flower_fltr()
    - net: qede: use return from qede_parse_flow_attr() for flower
    - firewire: nosy: ensure user_length is taken into account when fetching packet contents
    - usb: gadget: composite: fix OS descriptors w_value logic
    - usb: gadget: f_fs: Fix a race condition when processing setup packets.
    - tipc: fix UAF in error path
    - dyndbg: fix old BUG_ON in >control parser
    - drm/vmwgfx: Fix invalid reads in fence signaled events
    - net: fix out-of-bounds access in ops_init
    - regulator: core: fix debugfs creation regression
    - pinctrl: mediatek: Fix fallback behavior for bias_set_combo
    - pinctrl: mediatek: Fix some off by one bugs
    - pinctrl: mediatek: remove set but not used variable 'e'
    - pinctrl: mediatek: paris: Fix PIN_CONFIG_INPUT_SCHMITT_ENABLE readback
    - Linux 5.4.276

  * Freezing user space processes failed after 20.008 seconds (1 tasks refusing to freeze, wq_busy=0) (LP: #2061091)
    - ALSA: Fix deadlocks with kctl removals at disconnection

  * CVE-2024-36016
    - tty: n_gsm: fix possible out-of-bounds in gsm0_receive()

  * CVE-2022-48655
    - firmware: arm_scmi: Harden accesses to the reset domains

  * CVE-2024-26907
    - RDMA/mlx5: Fix fortify source warning while accessing Eth segment

  * CVE-2024-26585
    - tls: fix race between tx work scheduling and socket close

  * CVE-2024-26584
    - net: tls: handle backlogging of crypto requests

  * CVE-2024-26583
    - net/tls: Replace TLS_RX_SYNC_RUNNING with RCU
    - net/tls: Fix use-after-free after the TLS device goes down and up
    - tls: splice_read: fix record type check
    - tls splice: remove inappropriate flags checking for MSG_PEEK
    - tls: splice_read: fix accessing pre-processed records
    - tls: Fix context leak on tls_device_down
    - net/tls: Check for errors in tls_device_init
    - net/tls: Remove the context from the list in tls_device_down
    - net/tls: pass context to tls_device_decrypted()
    - net/tls: Perform immediate device ctx cleanup when possible
    - net/tls: Multi-threaded calls to TX tls_dev_del
    - net: tls: avoid discarding data on record close
    - tls: rx: don't store the record type in socket context
    - tls: rx: don't store the decryption status in socket context
    - tls: rx: don't issue wake ups when data is decrypted
    - tls: rx: refactor decrypt_skb_update()
    - tls: hw: rx: use return value of tls_device_decrypted() to carry status
    - tls: rx: drop
      unnecessary arguments from tls_setup_from_iter()
    - tls: rx: don't report text length from the bowels of decrypt
    - tls: rx: wrap decryption arguments in a structure
    - tls: rx: factor out writing ContentType to cmsg
    - tls: rx: don't track the async count
    - tls: rx: assume crypto always calls our callback
    - tls: rx: use async as an in-out argument
    - tls: decrement decrypt_pending if no async completion will be called
    - net: tls: fix async vs NIC crypto offload
    - tls: rx: simplify async wait
    - tls: extract context alloc/initialization out of tls_set_sw_offload
    - net: tls: factor out tls_*crypt_async_wait()
    - tls: fix race between async notify and socket close

 -- Manuel Diewald