{ "summary": { "snap": { "added": [], "removed": [], "diff": [ "core20" ] }, "deb": { "added": [ "linux-headers-5.15.0-122", "linux-headers-5.15.0-122-generic", "linux-image-5.15.0-122-generic", "linux-modules-5.15.0-122-generic" ], "removed": [ "linux-headers-5.15.0-119", "linux-headers-5.15.0-119-generic", "linux-image-5.15.0-119-generic", "linux-modules-5.15.0-119-generic" ], "diff": [ "apparmor", "ca-certificates", "cloud-init", "curl", "libapparmor1", "libcurl3-gnutls", "libcurl4", "libexpat1", "libmm-glib0", "libpcap0.8", "libpython3.10", "libpython3.10-minimal", "libpython3.10-stdlib", "linux-headers-generic", "linux-headers-virtual", "linux-image-virtual", "linux-virtual", "python3-configobj", "python3-pkg-resources", "python3-setuptools", "python3.10", "python3.10-minimal", "ubuntu-advantage-tools", "ubuntu-minimal", "ubuntu-pro-client", "ubuntu-pro-client-l10n", "ubuntu-server", "ubuntu-standard", "vim", "vim-common", "vim-runtime", "vim-tiny", "xxd" ] } }, "diff": { "deb": [ { "name": "apparmor", "from_version": { "source_package_name": "apparmor", "source_package_version": "3.0.4-2ubuntu2.3build2", "version": "3.0.4-2ubuntu2.3build2" }, "to_version": { "source_package_name": "apparmor", "source_package_version": "3.0.4-2ubuntu2.4", "version": "3.0.4-2ubuntu2.4" }, "cves": [ { "cve": "CVE-2016-1585", "url": "https://ubuntu.com/security/CVE-2016-1585", "cve_description": "In all versions of AppArmor mount rules are accidentally widened when compiled.", "cve_priority": "medium", "cve_public_date": "2019-04-22 16:29:00 UTC" } ], "launchpad_bugs_fixed": [ 1597017 ], "changes": [ { "cves": [ { "cve": "CVE-2016-1585", "url": "https://ubuntu.com/security/CVE-2016-1585", "cve_description": "In all versions of AppArmor mount rules are accidentally widened when compiled.", "cve_priority": "medium", "cve_public_date": "2019-04-22 16:29:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Excessive permissions with mount rules (LP: #1597017)", " - d/p/CVE-2016-1585/Merge-Fix-mount-rules-encoding.patch: fix mount", " rules encoding in parser/mount.cc, parser/mount.h, parser/parser.h", " and fix multiple test cases in parser/tst/simple_tests/mount/*.", " - d/p/CVE-2016-1585/Support-rule-qualifiers-in-regression-tests.patch:", " update rule qualifiers in regression tests in", " tests/regression/apparmor/mkprofile.pl and", " tests/regression/apparmor/capabilities.sh.", " - d/p/CVE-2016-1585/Merge-expand-mount-tests.patch: expand mount", " regression tests in tests/regression/apparmor/mount.c,", " tests/regression/apparmor/mount.sh and", " tests/regression/apparmor/mkprofile.pl.", " - d/p/CVE-2016-1585/Check-for-newer-mount-options-in-regression-test.patch:", " add check for newer mount options in regression tests in", " tests/regression/apparmor/Makefile, tests/regression/apparmor/mount.c", " and tests/regression/apparmor/mount.sh.", " - d/p/CVE-2016-1585/Merge-Issue-312-added-missing-kernel-mount-options.patch:", " add missing kernel mount options flag in parser/apparmor.d.pod,", " parser/mount.cc, parser/mount.h, tests/regression/apparmor/mount.sh", " and parser/tst/simple_tests/mount/*.", " - d/p/CVE-2016-1585/Merge-extend-test-profiles-for-mount.patch: update", " test profiles in parser/tst/simple_tests/mount/*.", " - d/p/CVE-2016-1585/Merge-parser-fix-parsing-of-source-as-mount-point-fo.patch:", " update gen_policy_change_mount_type() in parser/mount.cc and also", " updated tests on parser/tst/simple_tests/mount/* and", " tests/regression/apparmor/mount.sh.", " - d/p/CVE-2016-1585/parser-Deprecation-warning-should-not-have-been-back.patch:", " remove deprecation warning message in parser/mount.cc.", " - d/p/CVE-2016-1585/parser-fix-rule-flag-generation-change_mount-type-ru.patch:", " add device checks in gen_flag_rules() in parser/mount.cc and tests", " in parser/tst/simple_tests/mount/*, parser/tst/equality.sh,", " tests/regression/apparmor/mount.sh and", " utils/test/test-parser-simple-tests.py.", " - CVE-2016-1585", "" ], "package": "apparmor", "version": "3.0.4-2ubuntu2.4", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [ 1597017 ], "author": "Rodrigo Figueiredo Zaiden ", "date": "Tue, 06 Mar 2024 15:35:00 -0300" } ], "notes": null }, { "name": "ca-certificates", "from_version": { "source_package_name": "ca-certificates", "source_package_version": "20230311ubuntu0.22.04.1", "version": "20230311ubuntu0.22.04.1" }, "to_version": { "source_package_name": "ca-certificates", "source_package_version": "20240203~22.04.1", "version": "20240203~22.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2081875 ], "changes": [ { "cves": [], "log": [ "", " * Update ca-certificates database to 20240203 (LP: #2081875)", " - Update Mozilla certificate authority bundle to version 2.64", " The following certificate authorities were added (+):", " + Atos TrustedRoot Root CA ECC TLS 2021", " + Atos TrustedRoot Root CA RSA TLS 2021", " + BJCA Global Root CA1", " + BJCA Global Root CA2", " + CommScope Public Trust ECC Root-01", " + CommScope Public Trust ECC Root-02", " + CommScope Public Trust RSA Root-01", " + CommScope Public Trust RSA Root-02", " + Sectigo Public Server Authentication Root E46", " + Sectigo Public Server Authentication Root R46", " + SSL.com TLS ECC Root CA 2022", " + SSL.com TLS RSA Root CA 2022", " + TrustAsia Global Root CA G3", " + TrustAsia Global Root CA G4", " The following certificate authorities were removed (-):", " - Autoridad de Certificacion Firmaprofesional CIF A62634068", " - E-Tugra Certification Authority", " - E-Tugra Global Root CA ECC v3", " - E-Tugra Global Root CA RSA v3", " - Hongkong Post Root CA 1", " - TrustCor ECA-1", " - TrustCor RootCert CA-1", " - TrustCor RootCert CA-2", "" ], "package": "ca-certificates", "version": "20240203~22.04.1", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [ 2081875 ], "author": "Marc Deslauriers ", "date": "Tue, 24 Sep 2024 13:46:09 -0400" } ], "notes": null }, { "name": "cloud-init", "from_version": { "source_package_name": "cloud-init", "source_package_version": "24.2-0ubuntu1~22.04.1", "version": "24.2-0ubuntu1~22.04.1" }, "to_version": { "source_package_name": "cloud-init", "source_package_version": "24.3.1-0ubuntu0~22.04.1", "version": "24.3.1-0ubuntu0~22.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2079224 ], "changes": [ { "cves": [], "log": [ "", " * d/p/no-single-process.patch: Remove single process optimization", " * d/p/no-nocloud-network.patch: Remove nocloud network feature", " * refresh patches:", " - d/p/cli-retain-file-argument-as-main-cmd-arg.patch", " - d/p/revert-551f560d-cloud-config-after-snap-seeding.patch", " * Upstream snapshot based on 24.3.1. (LP: #2079224).", " List of changes from upstream can be found at", " https://raw.githubusercontent.com/canonical/cloud-init/24.3.1/ChangeLog", "" ], "package": "cloud-init", "version": "24.3.1-0ubuntu0~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2079224 ], "author": "Chad Smith ", "date": "Fri, 06 Sep 2024 10:00:51 -0600" } ], "notes": null }, { "name": "curl", "from_version": { "source_package_name": "curl", "source_package_version": "7.81.0-1ubuntu1.17", "version": "7.81.0-1ubuntu1.17" }, "to_version": { "source_package_name": "curl", "source_package_version": "7.81.0-1ubuntu1.18", "version": "7.81.0-1ubuntu1.18" }, "cves": [ { "cve": "CVE-2024-8096", "url": "https://ubuntu.com/security/CVE-2024-8096", "cve_description": "When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.", "cve_priority": "medium", "cve_public_date": "2024-09-11 10:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-8096", "url": "https://ubuntu.com/security/CVE-2024-8096", "cve_description": "When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.", "cve_priority": "medium", "cve_public_date": "2024-09-11 10:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: OCSP stapling bypass with GnuTLS", " - debian/patches/CVE-2024-8096.patch: fix OCSP stapling management in", " lib/vtls/gtls.c.", " - CVE-2024-8096", "" ], "package": "curl", "version": "7.81.0-1ubuntu1.18", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 06 Sep 2024 07:38:40 -0400" } ], "notes": null }, { "name": "libapparmor1", "from_version": { "source_package_name": "apparmor", "source_package_version": "3.0.4-2ubuntu2.3build2", "version": "3.0.4-2ubuntu2.3build2" }, "to_version": { "source_package_name": "apparmor", "source_package_version": "3.0.4-2ubuntu2.4", "version": "3.0.4-2ubuntu2.4" }, "cves": [ { "cve": "CVE-2016-1585", "url": "https://ubuntu.com/security/CVE-2016-1585", "cve_description": "In all versions of AppArmor mount rules are accidentally widened when compiled.", "cve_priority": "medium", "cve_public_date": "2019-04-22 16:29:00 UTC" } ], "launchpad_bugs_fixed": [ 1597017 ], "changes": [ { "cves": [ { "cve": "CVE-2016-1585", "url": "https://ubuntu.com/security/CVE-2016-1585", "cve_description": "In all versions of AppArmor mount rules are accidentally widened when compiled.", "cve_priority": "medium", "cve_public_date": "2019-04-22 16:29:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Excessive permissions with mount rules (LP: #1597017)", " - d/p/CVE-2016-1585/Merge-Fix-mount-rules-encoding.patch: fix mount", " rules encoding in parser/mount.cc, parser/mount.h, parser/parser.h", " and fix multiple test cases in parser/tst/simple_tests/mount/*.", " - d/p/CVE-2016-1585/Support-rule-qualifiers-in-regression-tests.patch:", " update rule qualifiers in regression tests in", " tests/regression/apparmor/mkprofile.pl and", " tests/regression/apparmor/capabilities.sh.", " - d/p/CVE-2016-1585/Merge-expand-mount-tests.patch: expand mount", " regression tests in tests/regression/apparmor/mount.c,", " tests/regression/apparmor/mount.sh and", " tests/regression/apparmor/mkprofile.pl.", " - d/p/CVE-2016-1585/Check-for-newer-mount-options-in-regression-test.patch:", " add check for newer mount options in regression tests in", " tests/regression/apparmor/Makefile, tests/regression/apparmor/mount.c", " and tests/regression/apparmor/mount.sh.", " - d/p/CVE-2016-1585/Merge-Issue-312-added-missing-kernel-mount-options.patch:", " add missing kernel mount options flag in parser/apparmor.d.pod,", " parser/mount.cc, parser/mount.h, tests/regression/apparmor/mount.sh", " and parser/tst/simple_tests/mount/*.", " - d/p/CVE-2016-1585/Merge-extend-test-profiles-for-mount.patch: update", " test profiles in parser/tst/simple_tests/mount/*.", " - d/p/CVE-2016-1585/Merge-parser-fix-parsing-of-source-as-mount-point-fo.patch:", " update gen_policy_change_mount_type() in parser/mount.cc and also", " updated tests on parser/tst/simple_tests/mount/* and", " tests/regression/apparmor/mount.sh.", " - d/p/CVE-2016-1585/parser-Deprecation-warning-should-not-have-been-back.patch:", " remove deprecation warning message in parser/mount.cc.", " - d/p/CVE-2016-1585/parser-fix-rule-flag-generation-change_mount-type-ru.patch:", " add device checks in gen_flag_rules() in parser/mount.cc and tests", " in parser/tst/simple_tests/mount/*, parser/tst/equality.sh,", " tests/regression/apparmor/mount.sh and", " utils/test/test-parser-simple-tests.py.", " - CVE-2016-1585", "" ], "package": "apparmor", "version": "3.0.4-2ubuntu2.4", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [ 1597017 ], "author": "Rodrigo Figueiredo Zaiden ", "date": "Tue, 06 Mar 2024 15:35:00 -0300" } ], "notes": null }, { "name": "libcurl3-gnutls", "from_version": { "source_package_name": "curl", "source_package_version": "7.81.0-1ubuntu1.17", "version": "7.81.0-1ubuntu1.17" }, "to_version": { "source_package_name": "curl", "source_package_version": "7.81.0-1ubuntu1.18", "version": "7.81.0-1ubuntu1.18" }, "cves": [ { "cve": "CVE-2024-8096", "url": "https://ubuntu.com/security/CVE-2024-8096", "cve_description": "When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.", "cve_priority": "medium", "cve_public_date": "2024-09-11 10:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-8096", "url": "https://ubuntu.com/security/CVE-2024-8096", "cve_description": "When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.", "cve_priority": "medium", "cve_public_date": "2024-09-11 10:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: OCSP stapling bypass with GnuTLS", " - debian/patches/CVE-2024-8096.patch: fix OCSP stapling management in", " lib/vtls/gtls.c.", " - CVE-2024-8096", "" ], "package": "curl", "version": "7.81.0-1ubuntu1.18", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 06 Sep 2024 07:38:40 -0400" } ], "notes": null }, { "name": "libcurl4", "from_version": { "source_package_name": "curl", "source_package_version": "7.81.0-1ubuntu1.17", "version": "7.81.0-1ubuntu1.17" }, "to_version": { "source_package_name": "curl", "source_package_version": "7.81.0-1ubuntu1.18", "version": "7.81.0-1ubuntu1.18" }, "cves": [ { "cve": "CVE-2024-8096", "url": "https://ubuntu.com/security/CVE-2024-8096", "cve_description": "When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.", "cve_priority": "medium", "cve_public_date": "2024-09-11 10:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-8096", "url": "https://ubuntu.com/security/CVE-2024-8096", "cve_description": "When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.", "cve_priority": "medium", "cve_public_date": "2024-09-11 10:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: OCSP stapling bypass with GnuTLS", " - debian/patches/CVE-2024-8096.patch: fix OCSP stapling management in", " lib/vtls/gtls.c.", " - CVE-2024-8096", "" ], "package": "curl", "version": "7.81.0-1ubuntu1.18", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 06 Sep 2024 07:38:40 -0400" } ], "notes": null }, { "name": "libexpat1", "from_version": { "source_package_name": "expat", "source_package_version": "2.4.7-1ubuntu0.3", "version": "2.4.7-1ubuntu0.3" }, "to_version": { "source_package_name": "expat", "source_package_version": "2.4.7-1ubuntu0.4", "version": "2.4.7-1ubuntu0.4" }, "cves": [ { "cve": "CVE-2024-45490", "url": "https://ubuntu.com/security/CVE-2024-45490", "cve_description": "An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.", "cve_priority": "medium", "cve_public_date": "2024-08-30 03:15:00 UTC" }, { "cve": "CVE-2024-45491", "url": "https://ubuntu.com/security/CVE-2024-45491", "cve_description": "An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).", "cve_priority": "medium", "cve_public_date": "2024-08-30 03:15:00 UTC" }, { "cve": "CVE-2024-45492", "url": "https://ubuntu.com/security/CVE-2024-45492", "cve_description": "An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).", "cve_priority": "medium", "cve_public_date": "2024-08-30 03:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-45490", "url": "https://ubuntu.com/security/CVE-2024-45490", "cve_description": "An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.", "cve_priority": "medium", "cve_public_date": "2024-08-30 03:15:00 UTC" }, { "cve": "CVE-2024-45491", "url": "https://ubuntu.com/security/CVE-2024-45491", "cve_description": "An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).", "cve_priority": "medium", "cve_public_date": "2024-08-30 03:15:00 UTC" }, { "cve": "CVE-2024-45492", "url": "https://ubuntu.com/security/CVE-2024-45492", "cve_description": "An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).", "cve_priority": "medium", "cve_public_date": "2024-08-30 03:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: invalid input length", " - CVE-2024-45490-*.patch: adds a check to the XML_ParseBuffer function of", " expat/lib/xmlparse.c to identify and error out if a negative length is", " provided.", " - CVE-2024-45490", " * SECURITY UPDATE: integer overflow", " - CVE-2024-45491.patch: adds a check to the dtdCopy function of", " expat/lib/xmlparse.c to detect and prevent an integer overflow.", " - CVE-2024-45491", " * SECURITY UPDATE: integer overflow", " - CVE-2024-45492.patch: adds a check to the nextScaffoldPart function of", " expat/lib/xmlparse.c to detect and prevent an integer overflow.", " - CVE-2024-45492", "" ], "package": "expat", "version": "2.4.7-1ubuntu0.4", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Ian Constantin ", "date": "Tue, 10 Sep 2024 13:17:45 +0300" } ], "notes": null }, { "name": "libmm-glib0", "from_version": { "source_package_name": "modemmanager", "source_package_version": "1.20.0-1~ubuntu22.04.3", "version": "1.20.0-1~ubuntu22.04.3" }, "to_version": { "source_package_name": "modemmanager", "source_package_version": "1.20.0-1~ubuntu22.04.4", "version": "1.20.0-1~ubuntu22.04.4" }, "cves": [], "launchpad_bugs_fixed": [ 2067240 ], "changes": [ { "cves": [], "log": [ "", " * Apply the newer modemmanager commits from 1.22.0 to the LTS as part of", " new hardware enablement including Quectel EM061K-GL/EM160/RM520N modems", " (lp: #2067240)", "" ], "package": "modemmanager", "version": "1.20.0-1~ubuntu22.04.4", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2067240 ], "author": "Atlas Yu ", "date": "Thu, 18 Jul 2024 16:24:32 +0200" } ], "notes": null }, { "name": "libpcap0.8", "from_version": { "source_package_name": "libpcap", "source_package_version": "1.10.1-4build1", "version": "1.10.1-4build1" }, "to_version": { "source_package_name": "libpcap", "source_package_version": "1.10.1-4ubuntu1.22.04.1", "version": "1.10.1-4ubuntu1.22.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2076398 ], "changes": [ { "cves": [], "log": [ "", " * Tcpdump utility captures incorrect packets on VLAN interface when using", " SLL2 (LP: #2076398)", " - d/p/lp2076398-linux-set-handlep-vlan_offset-if-the-linktype-is-cha.patch", "" ], "package": "libpcap", "version": "1.10.1-4ubuntu1.22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2076398 ], "author": "Chengen Du ", "date": "Fri, 09 Aug 2024 08:13:59 +0000" } ], "notes": null }, { "name": "libpython3.10", "from_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.5", "version": "3.10.12-1~22.04.5" }, "to_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.6", "version": "3.10.12-1~22.04.6" }, "cves": [ { "cve": "CVE-2023-27043", "url": "https://ubuntu.com/security/CVE-2023-27043", "cve_description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", "cve_priority": "medium", "cve_public_date": "2023-04-19 00:15:00 UTC" }, { "cve": "CVE-2024-6232", "url": "https://ubuntu.com/security/CVE-2024-6232", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.", "cve_priority": "medium", "cve_public_date": "2024-09-03 13:15:00 UTC" }, { "cve": "CVE-2024-6923", "url": "https://ubuntu.com/security/CVE-2024-6923", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.", "cve_priority": "medium", "cve_public_date": "2024-08-01 14:15:00 UTC" }, { "cve": "CVE-2024-7592", "url": "https://ubuntu.com/security/CVE-2024-7592", "cve_description": "There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.", "cve_priority": "low", "cve_public_date": "2024-08-19 19:15:00 UTC" }, { "cve": "CVE-2024-8088", "url": "https://ubuntu.com/security/CVE-2024-8088", "cve_description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\" module affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.", "cve_priority": "medium", "cve_public_date": "2024-08-22 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2023-27043", "url": "https://ubuntu.com/security/CVE-2023-27043", "cve_description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", "cve_priority": "medium", "cve_public_date": "2023-04-19 00:15:00 UTC" }, { "cve": "CVE-2024-6232", "url": "https://ubuntu.com/security/CVE-2024-6232", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.", "cve_priority": "medium", "cve_public_date": "2024-09-03 13:15:00 UTC" }, { "cve": "CVE-2024-6923", "url": "https://ubuntu.com/security/CVE-2024-6923", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.", "cve_priority": "medium", "cve_public_date": "2024-08-01 14:15:00 UTC" }, { "cve": "CVE-2024-7592", "url": "https://ubuntu.com/security/CVE-2024-7592", "cve_description": "There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.", "cve_priority": "low", "cve_public_date": "2024-08-19 19:15:00 UTC" }, { "cve": "CVE-2024-8088", "url": "https://ubuntu.com/security/CVE-2024-8088", "cve_description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\" module affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.", "cve_priority": "medium", "cve_public_date": "2024-08-22 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect special character parsing in email module", " - debian/patches/CVE-2023-27043.patch: reject malformed addresses in", " Doc/library/email.utils.rst, Lib/email/utils.py,", " Lib/test/test_email/test_email.py.", " - CVE-2023-27043", " * SECURITY UPDATE: ReDoS via specifically-crafted tar archives", " - debian/patches/CVE-2024-6232.patch: remove backtracking when parsing", " tarfile headers in Lib/tarfile.py, Lib/test/test_tarfile.py.", " - CVE-2024-6232", " * SECURITY UPDATE: header injection via newlines in email module", " - debian/patches/CVE-2024-6923.patch: encode newlines in headers, and", " verify headers are sound in Doc/library/email.errors.rst,", " Doc/library/email.policy.rst, Lib/email/_header_value_parser.py,", " Lib/email/_policybase.py, Lib/email/errors.py,", " Lib/email/generator.py, Lib/test/test_email/test_generator.py,", " Lib/test/test_email/test_policy.py.", " - CVE-2024-6923", " * SECURITY UPDATE: resource consumption via cookie parsing", " - debian/patches/CVE-2024-7592.patch: fix quadratic complexity in", " parsing quoted cookie values with backslashes in Lib/http/cookies.py,", " Lib/test/test_http_cookies.py.", " - CVE-2024-7592", " * SECURITY UPDATE: infinite loop via crafted zip archive", " - debian/patches/CVE-2024-8088-1.patch: sanitize names in zipfile.Path", " in Lib/test/test_zipfile/_path/test_path.py,", " Lib/zipfile/_path/__init__.py.", " - debian/patches/CVE-2024-8088-2.patch: replaced SanitizedNames with a", " more surgical fix in Lib/test/test_zipfile/_path/test_path.py,", " Lib/zipfile/_path/__init__.py.", " - CVE-2024-8088", "" ], "package": "python3.10", "version": "3.10.12-1~22.04.6", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 11 Sep 2024 11:47:36 -0400" } ], "notes": null }, { "name": "libpython3.10-minimal", "from_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.5", "version": "3.10.12-1~22.04.5" }, "to_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.6", "version": "3.10.12-1~22.04.6" }, "cves": [ { "cve": "CVE-2023-27043", "url": "https://ubuntu.com/security/CVE-2023-27043", "cve_description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", "cve_priority": "medium", "cve_public_date": "2023-04-19 00:15:00 UTC" }, { "cve": "CVE-2024-6232", "url": "https://ubuntu.com/security/CVE-2024-6232", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.", "cve_priority": "medium", "cve_public_date": "2024-09-03 13:15:00 UTC" }, { "cve": "CVE-2024-6923", "url": "https://ubuntu.com/security/CVE-2024-6923", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.", "cve_priority": "medium", "cve_public_date": "2024-08-01 14:15:00 UTC" }, { "cve": "CVE-2024-7592", "url": "https://ubuntu.com/security/CVE-2024-7592", "cve_description": "There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.", "cve_priority": "low", "cve_public_date": "2024-08-19 19:15:00 UTC" }, { "cve": "CVE-2024-8088", "url": "https://ubuntu.com/security/CVE-2024-8088", "cve_description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\" module affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.", "cve_priority": "medium", "cve_public_date": "2024-08-22 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2023-27043", "url": "https://ubuntu.com/security/CVE-2023-27043", "cve_description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", "cve_priority": "medium", "cve_public_date": "2023-04-19 00:15:00 UTC" }, { "cve": "CVE-2024-6232", "url": "https://ubuntu.com/security/CVE-2024-6232", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.", "cve_priority": "medium", "cve_public_date": "2024-09-03 13:15:00 UTC" }, { "cve": "CVE-2024-6923", "url": "https://ubuntu.com/security/CVE-2024-6923", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.", "cve_priority": "medium", "cve_public_date": "2024-08-01 14:15:00 UTC" }, { "cve": "CVE-2024-7592", "url": "https://ubuntu.com/security/CVE-2024-7592", "cve_description": "There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.", "cve_priority": "low", "cve_public_date": "2024-08-19 19:15:00 UTC" }, { "cve": "CVE-2024-8088", "url": "https://ubuntu.com/security/CVE-2024-8088", "cve_description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\" module affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.", "cve_priority": "medium", "cve_public_date": "2024-08-22 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect special character parsing in email module", " - debian/patches/CVE-2023-27043.patch: reject malformed addresses in", " Doc/library/email.utils.rst, Lib/email/utils.py,", " Lib/test/test_email/test_email.py.", " - CVE-2023-27043", " * SECURITY UPDATE: ReDoS via specifically-crafted tar archives", " - debian/patches/CVE-2024-6232.patch: remove backtracking when parsing", " tarfile headers in Lib/tarfile.py, Lib/test/test_tarfile.py.", " - CVE-2024-6232", " * SECURITY UPDATE: header injection via newlines in email module", " - debian/patches/CVE-2024-6923.patch: encode newlines in headers, and", " verify headers are sound in Doc/library/email.errors.rst,", " Doc/library/email.policy.rst, Lib/email/_header_value_parser.py,", " Lib/email/_policybase.py, Lib/email/errors.py,", " Lib/email/generator.py, Lib/test/test_email/test_generator.py,", " Lib/test/test_email/test_policy.py.", " - CVE-2024-6923", " * SECURITY UPDATE: resource consumption via cookie parsing", " - debian/patches/CVE-2024-7592.patch: fix quadratic complexity in", " parsing quoted cookie values with backslashes in Lib/http/cookies.py,", " Lib/test/test_http_cookies.py.", " - CVE-2024-7592", " * SECURITY UPDATE: infinite loop via crafted zip archive", " - debian/patches/CVE-2024-8088-1.patch: sanitize names in zipfile.Path", " in Lib/test/test_zipfile/_path/test_path.py,", " Lib/zipfile/_path/__init__.py.", " - debian/patches/CVE-2024-8088-2.patch: replaced SanitizedNames with a", " more surgical fix in Lib/test/test_zipfile/_path/test_path.py,", " Lib/zipfile/_path/__init__.py.", " - CVE-2024-8088", "" ], "package": "python3.10", "version": "3.10.12-1~22.04.6", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 11 Sep 2024 11:47:36 -0400" } ], "notes": null }, { "name": "libpython3.10-stdlib", "from_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.5", "version": "3.10.12-1~22.04.5" }, "to_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.6", "version": "3.10.12-1~22.04.6" }, "cves": [ { "cve": "CVE-2023-27043", "url": "https://ubuntu.com/security/CVE-2023-27043", "cve_description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", "cve_priority": "medium", "cve_public_date": "2023-04-19 00:15:00 UTC" }, { "cve": "CVE-2024-6232", "url": "https://ubuntu.com/security/CVE-2024-6232", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.", "cve_priority": "medium", "cve_public_date": "2024-09-03 13:15:00 UTC" }, { "cve": "CVE-2024-6923", "url": "https://ubuntu.com/security/CVE-2024-6923", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.", "cve_priority": "medium", "cve_public_date": "2024-08-01 14:15:00 UTC" }, { "cve": "CVE-2024-7592", "url": "https://ubuntu.com/security/CVE-2024-7592", "cve_description": "There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.", "cve_priority": "low", "cve_public_date": "2024-08-19 19:15:00 UTC" }, { "cve": "CVE-2024-8088", "url": "https://ubuntu.com/security/CVE-2024-8088", "cve_description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\" module affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.", "cve_priority": "medium", "cve_public_date": "2024-08-22 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2023-27043", "url": "https://ubuntu.com/security/CVE-2023-27043", "cve_description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", "cve_priority": "medium", "cve_public_date": "2023-04-19 00:15:00 UTC" }, { "cve": "CVE-2024-6232", "url": "https://ubuntu.com/security/CVE-2024-6232", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.", "cve_priority": "medium", "cve_public_date": "2024-09-03 13:15:00 UTC" }, { "cve": "CVE-2024-6923", "url": "https://ubuntu.com/security/CVE-2024-6923", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.", "cve_priority": "medium", "cve_public_date": "2024-08-01 14:15:00 UTC" }, { "cve": "CVE-2024-7592", "url": "https://ubuntu.com/security/CVE-2024-7592", "cve_description": "There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.", "cve_priority": "low", "cve_public_date": "2024-08-19 19:15:00 UTC" }, { "cve": "CVE-2024-8088", "url": "https://ubuntu.com/security/CVE-2024-8088", "cve_description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\" module affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.", "cve_priority": "medium", "cve_public_date": "2024-08-22 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect special character parsing in email module", " - debian/patches/CVE-2023-27043.patch: reject malformed addresses in", " Doc/library/email.utils.rst, Lib/email/utils.py,", " Lib/test/test_email/test_email.py.", " - CVE-2023-27043", " * SECURITY UPDATE: ReDoS via specifically-crafted tar archives", " - debian/patches/CVE-2024-6232.patch: remove backtracking when parsing", " tarfile headers in Lib/tarfile.py, Lib/test/test_tarfile.py.", " - CVE-2024-6232", " * SECURITY UPDATE: header injection via newlines in email module", " - debian/patches/CVE-2024-6923.patch: encode newlines in headers, and", " verify headers are sound in Doc/library/email.errors.rst,", " Doc/library/email.policy.rst, Lib/email/_header_value_parser.py,", " Lib/email/_policybase.py, Lib/email/errors.py,", " Lib/email/generator.py, Lib/test/test_email/test_generator.py,", " Lib/test/test_email/test_policy.py.", " - CVE-2024-6923", " * SECURITY UPDATE: resource consumption via cookie parsing", " - debian/patches/CVE-2024-7592.patch: fix quadratic complexity in", " parsing quoted cookie values with backslashes in Lib/http/cookies.py,", " Lib/test/test_http_cookies.py.", " - CVE-2024-7592", " * SECURITY UPDATE: infinite loop via crafted zip archive", " - debian/patches/CVE-2024-8088-1.patch: sanitize names in zipfile.Path", " in Lib/test/test_zipfile/_path/test_path.py,", " Lib/zipfile/_path/__init__.py.", " - debian/patches/CVE-2024-8088-2.patch: replaced SanitizedNames with a", " more surgical fix in Lib/test/test_zipfile/_path/test_path.py,", " Lib/zipfile/_path/__init__.py.", " - CVE-2024-8088", "" ], "package": "python3.10", "version": "3.10.12-1~22.04.6", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 11 Sep 2024 11:47:36 -0400" } ], "notes": null }, { "name": "linux-headers-generic", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.119.119", "version": "5.15.0.119.119" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.122.122", "version": "5.15.0.122.122" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-122", "" ], "package": "linux-meta", "version": "5.15.0.122.122", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Thu, 29 Aug 2024 14:47:14 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 5.15.0-121", "" ], "package": "linux-meta", "version": "5.15.0.121.121", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Roxana Nicolescu ", "date": "Fri, 09 Aug 2024 10:15:59 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 5.15.0-120", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/dkms-versions -- resync from main package", "" ], "package": "linux-meta", "version": "5.15.0.120.120", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Roxana Nicolescu ", "date": "Fri, 02 Aug 2024 20:12:09 +0200" } ], "notes": null }, { "name": "linux-headers-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.119.119", "version": "5.15.0.119.119" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.122.122", "version": "5.15.0.122.122" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-122", "" ], "package": "linux-meta", "version": "5.15.0.122.122", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Thu, 29 Aug 2024 14:47:14 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 5.15.0-121", "" ], "package": "linux-meta", "version": "5.15.0.121.121", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Roxana Nicolescu ", "date": "Fri, 09 Aug 2024 10:15:59 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 5.15.0-120", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/dkms-versions -- resync from main package", "" ], "package": "linux-meta", "version": "5.15.0.120.120", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Roxana Nicolescu ", "date": "Fri, 02 Aug 2024 20:12:09 +0200" } ], "notes": null }, { "name": "linux-image-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.119.119", "version": "5.15.0.119.119" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.122.122", "version": "5.15.0.122.122" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-122", "" ], "package": "linux-meta", "version": "5.15.0.122.122", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Thu, 29 Aug 2024 14:47:14 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 5.15.0-121", "" ], "package": "linux-meta", "version": "5.15.0.121.121", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Roxana Nicolescu ", "date": "Fri, 09 Aug 2024 10:15:59 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 5.15.0-120", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/dkms-versions -- resync from main package", "" ], "package": "linux-meta", "version": "5.15.0.120.120", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Roxana Nicolescu ", "date": "Fri, 02 Aug 2024 20:12:09 +0200" } ], "notes": null }, { "name": "linux-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.119.119", "version": "5.15.0.119.119" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.15.0.122.122", "version": "5.15.0.122.122" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.15.0-122", "" ], "package": "linux-meta", "version": "5.15.0.122.122", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Thu, 29 Aug 2024 14:47:14 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 5.15.0-121", "" ], "package": "linux-meta", "version": "5.15.0.121.121", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [], "author": "Roxana Nicolescu ", "date": "Fri, 09 Aug 2024 10:15:59 +0200" }, { "cves": [], "log": [ "", " * Bump ABI 5.15.0-120", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/dkms-versions -- resync from main package", "" ], "package": "linux-meta", "version": "5.15.0.120.120", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Roxana Nicolescu ", "date": "Fri, 02 Aug 2024 20:12:09 +0200" } ], "notes": null }, { "name": "python3-configobj", "from_version": { "source_package_name": "configobj", "source_package_version": "5.0.6-5", "version": "5.0.6-5" }, "to_version": { "source_package_name": "configobj", "source_package_version": "5.0.6-5ubuntu0.1", "version": "5.0.6-5ubuntu0.1" }, "cves": [ { "cve": "CVE-2023-26112", "url": "https://ubuntu.com/security/CVE-2023-26112", "cve_description": "All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)\\((.*)\\). **Note:** This is only exploitable in the case of a developer, putting the offending value in a server side configuration file.", "cve_priority": "low", "cve_public_date": "2023-04-03 05:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2023-26112", "url": "https://ubuntu.com/security/CVE-2023-26112", "cve_description": "All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)\\((.*)\\). **Note:** This is only exploitable in the case of a developer, putting the offending value in a server side configuration file.", "cve_priority": "low", "cve_public_date": "2023-04-03 05:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: ReDoS", " - debian/patches/CVE-2023-26112.patch: updates regex that can cause", " catastrophic backtracking when a match fails in validate.py and adds a", " test in tests/test_validate_errors.py.", " - CVE-2023-26112", "" ], "package": "configobj", "version": "5.0.6-5ubuntu0.1", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Ian Constantin ", "date": "Fri, 20 Sep 2024 14:44:09 +0300" } ], "notes": null }, { "name": "python3-pkg-resources", "from_version": { "source_package_name": "setuptools", "source_package_version": "59.6.0-1.2ubuntu0.22.04.1", "version": "59.6.0-1.2ubuntu0.22.04.1" }, "to_version": { "source_package_name": "setuptools", "source_package_version": "59.6.0-1.2ubuntu0.22.04.2", "version": "59.6.0-1.2ubuntu0.22.04.2" }, "cves": [ { "cve": "CVE-2024-6345", "url": "https://ubuntu.com/security/CVE-2024-6345", "cve_description": "A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.", "cve_priority": "medium", "cve_public_date": "2024-07-15 01:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-6345", "url": "https://ubuntu.com/security/CVE-2024-6345", "cve_description": "A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.", "cve_priority": "medium", "cve_public_date": "2024-07-15 01:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: remote code execution via package download functions", " - debian/patches/CVE-2024-6345.patch: modernize and fix VCS handling", " to prevent code injection in setuptools/package_index.py and", " setuptools/tests/test_packageindex.py. Also update setup.cfg to", " include new test dependencies.", " - CVE-2024-6345", "" ], "package": "setuptools", "version": "59.6.0-1.2ubuntu0.22.04.2", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Vyom Yadav ", "date": "Thu, 05 Sep 2024 11:08:23 +0530" } ], "notes": null }, { "name": "python3-setuptools", "from_version": { "source_package_name": "setuptools", "source_package_version": "59.6.0-1.2ubuntu0.22.04.1", "version": "59.6.0-1.2ubuntu0.22.04.1" }, "to_version": { "source_package_name": "setuptools", "source_package_version": "59.6.0-1.2ubuntu0.22.04.2", "version": "59.6.0-1.2ubuntu0.22.04.2" }, "cves": [ { "cve": "CVE-2024-6345", "url": "https://ubuntu.com/security/CVE-2024-6345", "cve_description": "A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.", "cve_priority": "medium", "cve_public_date": "2024-07-15 01:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-6345", "url": "https://ubuntu.com/security/CVE-2024-6345", "cve_description": "A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.", "cve_priority": "medium", "cve_public_date": "2024-07-15 01:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: remote code execution via package download functions", " - debian/patches/CVE-2024-6345.patch: modernize and fix VCS handling", " to prevent code injection in setuptools/package_index.py and", " setuptools/tests/test_packageindex.py. Also update setup.cfg to", " include new test dependencies.", " - CVE-2024-6345", "" ], "package": "setuptools", "version": "59.6.0-1.2ubuntu0.22.04.2", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Vyom Yadav ", "date": "Thu, 05 Sep 2024 11:08:23 +0530" } ], "notes": null }, { "name": "python3.10", "from_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.5", "version": "3.10.12-1~22.04.5" }, "to_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.6", "version": "3.10.12-1~22.04.6" }, "cves": [ { "cve": "CVE-2023-27043", "url": "https://ubuntu.com/security/CVE-2023-27043", "cve_description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", "cve_priority": "medium", "cve_public_date": "2023-04-19 00:15:00 UTC" }, { "cve": "CVE-2024-6232", "url": "https://ubuntu.com/security/CVE-2024-6232", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.", "cve_priority": "medium", "cve_public_date": "2024-09-03 13:15:00 UTC" }, { "cve": "CVE-2024-6923", "url": "https://ubuntu.com/security/CVE-2024-6923", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.", "cve_priority": "medium", "cve_public_date": "2024-08-01 14:15:00 UTC" }, { "cve": "CVE-2024-7592", "url": "https://ubuntu.com/security/CVE-2024-7592", "cve_description": "There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.", "cve_priority": "low", "cve_public_date": "2024-08-19 19:15:00 UTC" }, { "cve": "CVE-2024-8088", "url": "https://ubuntu.com/security/CVE-2024-8088", "cve_description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\" module affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.", "cve_priority": "medium", "cve_public_date": "2024-08-22 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2023-27043", "url": "https://ubuntu.com/security/CVE-2023-27043", "cve_description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", "cve_priority": "medium", "cve_public_date": "2023-04-19 00:15:00 UTC" }, { "cve": "CVE-2024-6232", "url": "https://ubuntu.com/security/CVE-2024-6232", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.", "cve_priority": "medium", "cve_public_date": "2024-09-03 13:15:00 UTC" }, { "cve": "CVE-2024-6923", "url": "https://ubuntu.com/security/CVE-2024-6923", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.", "cve_priority": "medium", "cve_public_date": "2024-08-01 14:15:00 UTC" }, { "cve": "CVE-2024-7592", "url": "https://ubuntu.com/security/CVE-2024-7592", "cve_description": "There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.", "cve_priority": "low", "cve_public_date": "2024-08-19 19:15:00 UTC" }, { "cve": "CVE-2024-8088", "url": "https://ubuntu.com/security/CVE-2024-8088", "cve_description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\" module affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.", "cve_priority": "medium", "cve_public_date": "2024-08-22 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect special character parsing in email module", " - debian/patches/CVE-2023-27043.patch: reject malformed addresses in", " Doc/library/email.utils.rst, Lib/email/utils.py,", " Lib/test/test_email/test_email.py.", " - CVE-2023-27043", " * SECURITY UPDATE: ReDoS via specifically-crafted tar archives", " - debian/patches/CVE-2024-6232.patch: remove backtracking when parsing", " tarfile headers in Lib/tarfile.py, Lib/test/test_tarfile.py.", " - CVE-2024-6232", " * SECURITY UPDATE: header injection via newlines in email module", " - debian/patches/CVE-2024-6923.patch: encode newlines in headers, and", " verify headers are sound in Doc/library/email.errors.rst,", " Doc/library/email.policy.rst, Lib/email/_header_value_parser.py,", " Lib/email/_policybase.py, Lib/email/errors.py,", " Lib/email/generator.py, Lib/test/test_email/test_generator.py,", " Lib/test/test_email/test_policy.py.", " - CVE-2024-6923", " * SECURITY UPDATE: resource consumption via cookie parsing", " - debian/patches/CVE-2024-7592.patch: fix quadratic complexity in", " parsing quoted cookie values with backslashes in Lib/http/cookies.py,", " Lib/test/test_http_cookies.py.", " - CVE-2024-7592", " * SECURITY UPDATE: infinite loop via crafted zip archive", " - debian/patches/CVE-2024-8088-1.patch: sanitize names in zipfile.Path", " in Lib/test/test_zipfile/_path/test_path.py,", " Lib/zipfile/_path/__init__.py.", " - debian/patches/CVE-2024-8088-2.patch: replaced SanitizedNames with a", " more surgical fix in Lib/test/test_zipfile/_path/test_path.py,", " Lib/zipfile/_path/__init__.py.", " - CVE-2024-8088", "" ], "package": "python3.10", "version": "3.10.12-1~22.04.6", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 11 Sep 2024 11:47:36 -0400" } ], "notes": null }, { "name": "python3.10-minimal", "from_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.5", "version": "3.10.12-1~22.04.5" }, "to_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.6", "version": "3.10.12-1~22.04.6" }, "cves": [ { "cve": "CVE-2023-27043", "url": "https://ubuntu.com/security/CVE-2023-27043", "cve_description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", "cve_priority": "medium", "cve_public_date": "2023-04-19 00:15:00 UTC" }, { "cve": "CVE-2024-6232", "url": "https://ubuntu.com/security/CVE-2024-6232", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.", "cve_priority": "medium", "cve_public_date": "2024-09-03 13:15:00 UTC" }, { "cve": "CVE-2024-6923", "url": "https://ubuntu.com/security/CVE-2024-6923", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.", "cve_priority": "medium", "cve_public_date": "2024-08-01 14:15:00 UTC" }, { "cve": "CVE-2024-7592", "url": "https://ubuntu.com/security/CVE-2024-7592", "cve_description": "There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.", "cve_priority": "low", "cve_public_date": "2024-08-19 19:15:00 UTC" }, { "cve": "CVE-2024-8088", "url": "https://ubuntu.com/security/CVE-2024-8088", "cve_description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\" module affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.", "cve_priority": "medium", "cve_public_date": "2024-08-22 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2023-27043", "url": "https://ubuntu.com/security/CVE-2023-27043", "cve_description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.", "cve_priority": "medium", "cve_public_date": "2023-04-19 00:15:00 UTC" }, { "cve": "CVE-2024-6232", "url": "https://ubuntu.com/security/CVE-2024-6232", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.", "cve_priority": "medium", "cve_public_date": "2024-09-03 13:15:00 UTC" }, { "cve": "CVE-2024-6923", "url": "https://ubuntu.com/security/CVE-2024-6923", "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.", "cve_priority": "medium", "cve_public_date": "2024-08-01 14:15:00 UTC" }, { "cve": "CVE-2024-7592", "url": "https://ubuntu.com/security/CVE-2024-7592", "cve_description": "There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.", "cve_priority": "low", "cve_public_date": "2024-08-19 19:15:00 UTC" }, { "cve": "CVE-2024-8088", "url": "https://ubuntu.com/security/CVE-2024-8088", "cve_description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\" module affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.", "cve_priority": "medium", "cve_public_date": "2024-08-22 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect special character parsing in email module", " - debian/patches/CVE-2023-27043.patch: reject malformed addresses in", " Doc/library/email.utils.rst, Lib/email/utils.py,", " Lib/test/test_email/test_email.py.", " - CVE-2023-27043", " * SECURITY UPDATE: ReDoS via specifically-crafted tar archives", " - debian/patches/CVE-2024-6232.patch: remove backtracking when parsing", " tarfile headers in Lib/tarfile.py, Lib/test/test_tarfile.py.", " - CVE-2024-6232", " * SECURITY UPDATE: header injection via newlines in email module", " - debian/patches/CVE-2024-6923.patch: encode newlines in headers, and", " verify headers are sound in Doc/library/email.errors.rst,", " Doc/library/email.policy.rst, Lib/email/_header_value_parser.py,", " Lib/email/_policybase.py, Lib/email/errors.py,", " Lib/email/generator.py, Lib/test/test_email/test_generator.py,", " Lib/test/test_email/test_policy.py.", " - CVE-2024-6923", " * SECURITY UPDATE: resource consumption via cookie parsing", " - debian/patches/CVE-2024-7592.patch: fix quadratic complexity in", " parsing quoted cookie values with backslashes in Lib/http/cookies.py,", " Lib/test/test_http_cookies.py.", " - CVE-2024-7592", " * SECURITY UPDATE: infinite loop via crafted zip archive", " - debian/patches/CVE-2024-8088-1.patch: sanitize names in zipfile.Path", " in Lib/test/test_zipfile/_path/test_path.py,", " Lib/zipfile/_path/__init__.py.", " - debian/patches/CVE-2024-8088-2.patch: replaced SanitizedNames with a", " more surgical fix in Lib/test/test_zipfile/_path/test_path.py,", " Lib/zipfile/_path/__init__.py.", " - CVE-2024-8088", "" ], "package": "python3.10", "version": "3.10.12-1~22.04.6", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 11 Sep 2024 11:47:36 -0400" } ], "notes": null }, { "name": "ubuntu-advantage-tools", "from_version": { "source_package_name": "ubuntu-advantage-tools", "source_package_version": "33.2~22.04", "version": "33.2~22.04" }, "to_version": { "source_package_name": "ubuntu-advantage-tools", "source_package_version": "34~22.04", "version": "34~22.04" }, "cves": [], "launchpad_bugs_fixed": [ 2075543, 2075543, 2074211, 2055239, 2078737 ], "changes": [ { "cves": [], "log": [ "", " * Backport 34 to jammy (LP: #2075543)", "" ], "package": "ubuntu-advantage-tools", "version": "34~22.04", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2075543 ], "author": "Grant Orndorff ", "date": "Fri, 06 Sep 2024 19:58:22 -0400" }, { "cves": [], "log": [ "", " * d/rules: check that version.py is consistent with changelog (GH: #3154)", " * New upstream release 34: (LP: #2075543)", " - apt-hook: redirect errors away from users (LP: #2074211, LP: #2055239)", " - detach: ensure apt bearer tokens are always cleaned up", " - fips-preview: add warnings and prompts similar to fips and fips-updates", " - fips and realtime-kernel: add warning when the new kernel may have", " different hardware support than the current kernel based on the flavor", " (GH: #3115)", " - fix: use more reliable api query param when looking up CVE fixes", " - help:", " + change help output for base pro command", " + remove service descriptions from output (GH: #3126)", " + show help content when run without a subcommand", " - timer: recover from corrupted job status file (LP: #2078737)", " - update manpage", "" ], "package": "ubuntu-advantage-tools", "version": "34", "urgency": "medium", "distributions": "oracular", "launchpad_bugs_fixed": [ 2075543, 2074211, 2055239, 2078737 ], "author": "Grant Orndorff ", "date": "Mon, 29 Jul 2024 15:48:22 -0500" } ], "notes": null }, { "name": "ubuntu-minimal", "from_version": { "source_package_name": "ubuntu-meta", "source_package_version": "1.481.3", "version": "1.481.3" }, "to_version": { "source_package_name": "ubuntu-meta", "source_package_version": "1.481.4", "version": "1.481.4" }, "cves": [], "launchpad_bugs_fixed": [ 2080223 ], "changes": [ { "cves": [], "log": [ "", " * Refreshed dependencies (LP: #2080223)", " * Added apparmor to wsl-recommends", " * Added bash-completion to wsl-recommends", " * Added cloud-init to wsl-recommends", " * Added command-not-found to wsl-recommends", " * Added ed to wsl", " * Added file to wsl", " * Added info to wsl", " * Added landscape-client to wsl-recommends", " * Added libegl1 to wsl", " * Added libgl1 to wsl", " * Added libgtk-3-0 to wsl", " * Added libpam-systemd to wsl", " * Added lsof to wsl", " * Added man-db to wsl", " * Added manpages to wsl-recommends", " * Added media-types to wsl", " * Added nano to wsl-recommends", " * Added openssh-client to wsl-recommends", " * Added psmisc to wsl", " * Added rsync to wsl", " * Added time to wsl", " * Added update-manager-core to wsl-recommends", " * Added wget to wsl", " * Removed htop from wsl", " * Removed screen from wsl", " * Removed tmux from wsl", " * Moved dbus-x11 to wsl", " * Moved fonts-ubuntu to wsl-recommends", "" ], "package": "ubuntu-meta", "version": "1.481.4", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2080223 ], "author": "Didier Roche-Tolomelli ", "date": "Tue, 10 Sep 2024 15:50:00 +0200" } ], "notes": null }, { "name": "ubuntu-pro-client", "from_version": { "source_package_name": "ubuntu-advantage-tools", "source_package_version": "33.2~22.04", "version": "33.2~22.04" }, "to_version": { "source_package_name": "ubuntu-advantage-tools", "source_package_version": "34~22.04", "version": "34~22.04" }, "cves": [], "launchpad_bugs_fixed": [ 2075543, 2075543, 2074211, 2055239, 2078737 ], "changes": [ { "cves": [], "log": [ "", " * Backport 34 to jammy (LP: #2075543)", "" ], "package": "ubuntu-advantage-tools", "version": "34~22.04", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2075543 ], "author": "Grant Orndorff ", "date": "Fri, 06 Sep 2024 19:58:22 -0400" }, { "cves": [], "log": [ "", " * d/rules: check that version.py is consistent with changelog (GH: #3154)", " * New upstream release 34: (LP: #2075543)", " - apt-hook: redirect errors away from users (LP: #2074211, LP: #2055239)", " - detach: ensure apt bearer tokens are always cleaned up", " - fips-preview: add warnings and prompts similar to fips and fips-updates", " - fips and realtime-kernel: add warning when the new kernel may have", " different hardware support than the current kernel based on the flavor", " (GH: #3115)", " - fix: use more reliable api query param when looking up CVE fixes", " - help:", " + change help output for base pro command", " + remove service descriptions from output (GH: #3126)", " + show help content when run without a subcommand", " - timer: recover from corrupted job status file (LP: #2078737)", " - update manpage", "" ], "package": "ubuntu-advantage-tools", "version": "34", "urgency": "medium", "distributions": "oracular", "launchpad_bugs_fixed": [ 2075543, 2074211, 2055239, 2078737 ], "author": "Grant Orndorff ", "date": "Mon, 29 Jul 2024 15:48:22 -0500" } ], "notes": null }, { "name": "ubuntu-pro-client-l10n", "from_version": { "source_package_name": "ubuntu-advantage-tools", "source_package_version": "33.2~22.04", "version": "33.2~22.04" }, "to_version": { "source_package_name": "ubuntu-advantage-tools", "source_package_version": "34~22.04", "version": "34~22.04" }, "cves": [], "launchpad_bugs_fixed": [ 2075543, 2075543, 2074211, 2055239, 2078737 ], "changes": [ { "cves": [], "log": [ "", " * Backport 34 to jammy (LP: #2075543)", "" ], "package": "ubuntu-advantage-tools", "version": "34~22.04", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2075543 ], "author": "Grant Orndorff ", "date": "Fri, 06 Sep 2024 19:58:22 -0400" }, { "cves": [], "log": [ "", " * d/rules: check that version.py is consistent with changelog (GH: #3154)", " * New upstream release 34: (LP: #2075543)", " - apt-hook: redirect errors away from users (LP: #2074211, LP: #2055239)", " - detach: ensure apt bearer tokens are always cleaned up", " - fips-preview: add warnings and prompts similar to fips and fips-updates", " - fips and realtime-kernel: add warning when the new kernel may have", " different hardware support than the current kernel based on the flavor", " (GH: #3115)", " - fix: use more reliable api query param when looking up CVE fixes", " - help:", " + change help output for base pro command", " + remove service descriptions from output (GH: #3126)", " + show help content when run without a subcommand", " - timer: recover from corrupted job status file (LP: #2078737)", " - update manpage", "" ], "package": "ubuntu-advantage-tools", "version": "34", "urgency": "medium", "distributions": "oracular", "launchpad_bugs_fixed": [ 2075543, 2074211, 2055239, 2078737 ], "author": "Grant Orndorff ", "date": "Mon, 29 Jul 2024 15:48:22 -0500" } ], "notes": null }, { "name": "ubuntu-server", "from_version": { "source_package_name": "ubuntu-meta", "source_package_version": "1.481.3", "version": "1.481.3" }, "to_version": { "source_package_name": "ubuntu-meta", "source_package_version": "1.481.4", "version": "1.481.4" }, "cves": [], "launchpad_bugs_fixed": [ 2080223 ], "changes": [ { "cves": [], "log": [ "", " * Refreshed dependencies (LP: #2080223)", " * Added apparmor to wsl-recommends", " * Added bash-completion to wsl-recommends", " * Added cloud-init to wsl-recommends", " * Added command-not-found to wsl-recommends", " * Added ed to wsl", " * Added file to wsl", " * Added info to wsl", " * Added landscape-client to wsl-recommends", " * Added libegl1 to wsl", " * Added libgl1 to wsl", " * Added libgtk-3-0 to wsl", " * Added libpam-systemd to wsl", " * Added lsof to wsl", " * Added man-db to wsl", " * Added manpages to wsl-recommends", " * Added media-types to wsl", " * Added nano to wsl-recommends", " * Added openssh-client to wsl-recommends", " * Added psmisc to wsl", " * Added rsync to wsl", " * Added time to wsl", " * Added update-manager-core to wsl-recommends", " * Added wget to wsl", " * Removed htop from wsl", " * Removed screen from wsl", " * Removed tmux from wsl", " * Moved dbus-x11 to wsl", " * Moved fonts-ubuntu to wsl-recommends", "" ], "package": "ubuntu-meta", "version": "1.481.4", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2080223 ], "author": "Didier Roche-Tolomelli ", "date": "Tue, 10 Sep 2024 15:50:00 +0200" } ], "notes": null }, { "name": "ubuntu-standard", "from_version": { "source_package_name": "ubuntu-meta", "source_package_version": "1.481.3", "version": "1.481.3" }, "to_version": { "source_package_name": "ubuntu-meta", "source_package_version": "1.481.4", "version": "1.481.4" }, "cves": [], "launchpad_bugs_fixed": [ 2080223 ], "changes": [ { "cves": [], "log": [ "", " * Refreshed dependencies (LP: #2080223)", " * Added apparmor to wsl-recommends", " * Added bash-completion to wsl-recommends", " * Added cloud-init to wsl-recommends", " * Added command-not-found to wsl-recommends", " * Added ed to wsl", " * Added file to wsl", " * Added info to wsl", " * Added landscape-client to wsl-recommends", " * Added libegl1 to wsl", " * Added libgl1 to wsl", " * Added libgtk-3-0 to wsl", " * Added libpam-systemd to wsl", " * Added lsof to wsl", " * Added man-db to wsl", " * Added manpages to wsl-recommends", " * Added media-types to wsl", " * Added nano to wsl-recommends", " * Added openssh-client to wsl-recommends", " * Added psmisc to wsl", " * Added rsync to wsl", " * Added time to wsl", " * Added update-manager-core to wsl-recommends", " * Added wget to wsl", " * Removed htop from wsl", " * Removed screen from wsl", " * Removed tmux from wsl", " * Moved dbus-x11 to wsl", " * Moved fonts-ubuntu to wsl-recommends", "" ], "package": "ubuntu-meta", "version": "1.481.4", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2080223 ], "author": "Didier Roche-Tolomelli ", "date": "Tue, 10 Sep 2024 15:50:00 +0200" } ], "notes": null }, { "name": "vim", "from_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.18", "version": "2:8.2.3995-1ubuntu2.18" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.19", "version": "2:8.2.3995-1ubuntu2.19" }, "cves": [ { "cve": "CVE-2024-43802", "url": "https://ubuntu.com/security/CVE-2024-43802", "cve_description": "Vim is an improved version of the unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters. So this may lead to the tb_off position within the typebuf variable to point outside of the valid buffer size, which can then later lead to a heap-buffer overflow in e.g. ins_typebuf(). Therefore, when flushing the typeahead buffer, check if there is enough space left before advancing the off position. If not, fall back to flush current typebuf contents. It's not quite clear yet, what can lead to this situation. It seems to happen when error messages occur (which will cause Vim to flush the typeahead buffer) in comnination with several long mappgins and so it may eventually move the off position out of a valid buffer size. Impact is low since it is not easily reproducible and requires to have several mappings active and run into some error condition. But when this happens, this will cause a crash. The issue has been fixed as of Vim patch v9.1.0697. Users are advised to upgrade. There are no known workarounds for this issue.", "cve_priority": "medium", "cve_public_date": "2024-08-26 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-43802", "url": "https://ubuntu.com/security/CVE-2024-43802", "cve_description": "Vim is an improved version of the unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters. So this may lead to the tb_off position within the typebuf variable to point outside of the valid buffer size, which can then later lead to a heap-buffer overflow in e.g. ins_typebuf(). Therefore, when flushing the typeahead buffer, check if there is enough space left before advancing the off position. If not, fall back to flush current typebuf contents. It's not quite clear yet, what can lead to this situation. It seems to happen when error messages occur (which will cause Vim to flush the typeahead buffer) in comnination with several long mappgins and so it may eventually move the off position out of a valid buffer size. Impact is low since it is not easily reproducible and requires to have several mappings active and run into some error condition. But when this happens, this will cause a crash. The issue has been fixed as of Vim patch v9.1.0697. Users are advised to upgrade. There are no known workarounds for this issue.", "cve_priority": "medium", "cve_public_date": "2024-08-26 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: buffer overflow", " - debian/patches/CVE-2024-43802.patch: check buflen before advancing", " offset.", " - CVE-2024-43802", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.19", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Vyom Yadav ", "date": "Wed, 25 Sep 2024 11:00:01 +0530" } ], "notes": null }, { "name": "vim-common", "from_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.18", "version": "2:8.2.3995-1ubuntu2.18" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.19", "version": "2:8.2.3995-1ubuntu2.19" }, "cves": [ { "cve": "CVE-2024-43802", "url": "https://ubuntu.com/security/CVE-2024-43802", "cve_description": "Vim is an improved version of the unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters. So this may lead to the tb_off position within the typebuf variable to point outside of the valid buffer size, which can then later lead to a heap-buffer overflow in e.g. ins_typebuf(). Therefore, when flushing the typeahead buffer, check if there is enough space left before advancing the off position. If not, fall back to flush current typebuf contents. It's not quite clear yet, what can lead to this situation. It seems to happen when error messages occur (which will cause Vim to flush the typeahead buffer) in comnination with several long mappgins and so it may eventually move the off position out of a valid buffer size. Impact is low since it is not easily reproducible and requires to have several mappings active and run into some error condition. But when this happens, this will cause a crash. The issue has been fixed as of Vim patch v9.1.0697. Users are advised to upgrade. There are no known workarounds for this issue.", "cve_priority": "medium", "cve_public_date": "2024-08-26 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-43802", "url": "https://ubuntu.com/security/CVE-2024-43802", "cve_description": "Vim is an improved version of the unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters. So this may lead to the tb_off position within the typebuf variable to point outside of the valid buffer size, which can then later lead to a heap-buffer overflow in e.g. ins_typebuf(). Therefore, when flushing the typeahead buffer, check if there is enough space left before advancing the off position. If not, fall back to flush current typebuf contents. It's not quite clear yet, what can lead to this situation. It seems to happen when error messages occur (which will cause Vim to flush the typeahead buffer) in comnination with several long mappgins and so it may eventually move the off position out of a valid buffer size. Impact is low since it is not easily reproducible and requires to have several mappings active and run into some error condition. But when this happens, this will cause a crash. The issue has been fixed as of Vim patch v9.1.0697. Users are advised to upgrade. There are no known workarounds for this issue.", "cve_priority": "medium", "cve_public_date": "2024-08-26 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: buffer overflow", " - debian/patches/CVE-2024-43802.patch: check buflen before advancing", " offset.", " - CVE-2024-43802", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.19", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Vyom Yadav ", "date": "Wed, 25 Sep 2024 11:00:01 +0530" } ], "notes": null }, { "name": "vim-runtime", "from_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.18", "version": "2:8.2.3995-1ubuntu2.18" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.19", "version": "2:8.2.3995-1ubuntu2.19" }, "cves": [ { "cve": "CVE-2024-43802", "url": "https://ubuntu.com/security/CVE-2024-43802", "cve_description": "Vim is an improved version of the unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters. So this may lead to the tb_off position within the typebuf variable to point outside of the valid buffer size, which can then later lead to a heap-buffer overflow in e.g. ins_typebuf(). Therefore, when flushing the typeahead buffer, check if there is enough space left before advancing the off position. If not, fall back to flush current typebuf contents. It's not quite clear yet, what can lead to this situation. It seems to happen when error messages occur (which will cause Vim to flush the typeahead buffer) in comnination with several long mappgins and so it may eventually move the off position out of a valid buffer size. Impact is low since it is not easily reproducible and requires to have several mappings active and run into some error condition. But when this happens, this will cause a crash. The issue has been fixed as of Vim patch v9.1.0697. Users are advised to upgrade. There are no known workarounds for this issue.", "cve_priority": "medium", "cve_public_date": "2024-08-26 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-43802", "url": "https://ubuntu.com/security/CVE-2024-43802", "cve_description": "Vim is an improved version of the unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters. So this may lead to the tb_off position within the typebuf variable to point outside of the valid buffer size, which can then later lead to a heap-buffer overflow in e.g. ins_typebuf(). Therefore, when flushing the typeahead buffer, check if there is enough space left before advancing the off position. If not, fall back to flush current typebuf contents. It's not quite clear yet, what can lead to this situation. It seems to happen when error messages occur (which will cause Vim to flush the typeahead buffer) in comnination with several long mappgins and so it may eventually move the off position out of a valid buffer size. Impact is low since it is not easily reproducible and requires to have several mappings active and run into some error condition. But when this happens, this will cause a crash. The issue has been fixed as of Vim patch v9.1.0697. Users are advised to upgrade. There are no known workarounds for this issue.", "cve_priority": "medium", "cve_public_date": "2024-08-26 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: buffer overflow", " - debian/patches/CVE-2024-43802.patch: check buflen before advancing", " offset.", " - CVE-2024-43802", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.19", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Vyom Yadav ", "date": "Wed, 25 Sep 2024 11:00:01 +0530" } ], "notes": null }, { "name": "vim-tiny", "from_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.18", "version": "2:8.2.3995-1ubuntu2.18" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.19", "version": "2:8.2.3995-1ubuntu2.19" }, "cves": [ { "cve": "CVE-2024-43802", "url": "https://ubuntu.com/security/CVE-2024-43802", "cve_description": "Vim is an improved version of the unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters. So this may lead to the tb_off position within the typebuf variable to point outside of the valid buffer size, which can then later lead to a heap-buffer overflow in e.g. ins_typebuf(). Therefore, when flushing the typeahead buffer, check if there is enough space left before advancing the off position. If not, fall back to flush current typebuf contents. It's not quite clear yet, what can lead to this situation. It seems to happen when error messages occur (which will cause Vim to flush the typeahead buffer) in comnination with several long mappgins and so it may eventually move the off position out of a valid buffer size. Impact is low since it is not easily reproducible and requires to have several mappings active and run into some error condition. But when this happens, this will cause a crash. The issue has been fixed as of Vim patch v9.1.0697. Users are advised to upgrade. There are no known workarounds for this issue.", "cve_priority": "medium", "cve_public_date": "2024-08-26 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-43802", "url": "https://ubuntu.com/security/CVE-2024-43802", "cve_description": "Vim is an improved version of the unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters. So this may lead to the tb_off position within the typebuf variable to point outside of the valid buffer size, which can then later lead to a heap-buffer overflow in e.g. ins_typebuf(). Therefore, when flushing the typeahead buffer, check if there is enough space left before advancing the off position. If not, fall back to flush current typebuf contents. It's not quite clear yet, what can lead to this situation. It seems to happen when error messages occur (which will cause Vim to flush the typeahead buffer) in comnination with several long mappgins and so it may eventually move the off position out of a valid buffer size. Impact is low since it is not easily reproducible and requires to have several mappings active and run into some error condition. But when this happens, this will cause a crash. The issue has been fixed as of Vim patch v9.1.0697. Users are advised to upgrade. There are no known workarounds for this issue.", "cve_priority": "medium", "cve_public_date": "2024-08-26 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: buffer overflow", " - debian/patches/CVE-2024-43802.patch: check buflen before advancing", " offset.", " - CVE-2024-43802", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.19", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Vyom Yadav ", "date": "Wed, 25 Sep 2024 11:00:01 +0530" } ], "notes": null }, { "name": "xxd", "from_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.18", "version": "2:8.2.3995-1ubuntu2.18" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:8.2.3995-1ubuntu2.19", "version": "2:8.2.3995-1ubuntu2.19" }, "cves": [ { "cve": "CVE-2024-43802", "url": "https://ubuntu.com/security/CVE-2024-43802", "cve_description": "Vim is an improved version of the unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters. So this may lead to the tb_off position within the typebuf variable to point outside of the valid buffer size, which can then later lead to a heap-buffer overflow in e.g. ins_typebuf(). Therefore, when flushing the typeahead buffer, check if there is enough space left before advancing the off position. If not, fall back to flush current typebuf contents. It's not quite clear yet, what can lead to this situation. It seems to happen when error messages occur (which will cause Vim to flush the typeahead buffer) in comnination with several long mappgins and so it may eventually move the off position out of a valid buffer size. Impact is low since it is not easily reproducible and requires to have several mappings active and run into some error condition. But when this happens, this will cause a crash. The issue has been fixed as of Vim patch v9.1.0697. Users are advised to upgrade. There are no known workarounds for this issue.", "cve_priority": "medium", "cve_public_date": "2024-08-26 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-43802", "url": "https://ubuntu.com/security/CVE-2024-43802", "cve_description": "Vim is an improved version of the unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters. So this may lead to the tb_off position within the typebuf variable to point outside of the valid buffer size, which can then later lead to a heap-buffer overflow in e.g. ins_typebuf(). Therefore, when flushing the typeahead buffer, check if there is enough space left before advancing the off position. If not, fall back to flush current typebuf contents. It's not quite clear yet, what can lead to this situation. It seems to happen when error messages occur (which will cause Vim to flush the typeahead buffer) in comnination with several long mappgins and so it may eventually move the off position out of a valid buffer size. Impact is low since it is not easily reproducible and requires to have several mappings active and run into some error condition. But when this happens, this will cause a crash. The issue has been fixed as of Vim patch v9.1.0697. Users are advised to upgrade. There are no known workarounds for this issue.", "cve_priority": "medium", "cve_public_date": "2024-08-26 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: buffer overflow", " - debian/patches/CVE-2024-43802.patch: check buflen before advancing", " offset.", " - CVE-2024-43802", "" ], "package": "vim", "version": "2:8.2.3995-1ubuntu2.19", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Vyom Yadav ", "date": "Wed, 25 Sep 2024 11:00:01 +0530" } ], "notes": null } ], "snap": [ { "name": "core20", "from_version": { "source_package_name": null, "source_package_version": null, "version": "2318" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": "2379" } } ] }, "added": { "deb": [ { "name": "linux-headers-5.15.0-122", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-119.129", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.15.0-122.132", "version": "5.15.0-122.132" }, "cves": [ { "cve": "CVE-2024-41009", "url": "https://ubuntu.com/security/CVE-2024-41009", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix overrunning reservations in ringbuf The BPF ring buffer internally is implemented as a power-of-2 sized circular buffer, with two logical and ever-increasing counters: consumer_pos is the consumer counter to show which logical position the consumer consumed the data, and producer_pos which is the producer counter denoting the amount of data reserved by all producers. Each time a record is reserved, the producer that \"owns\" the record will successfully advance producer counter. In user space each time a record is read, the consumer of the data advanced the consumer counter once it finished processing. Both counters are stored in separate pages so that from user space, the producer counter is read-only and the consumer counter is read-write. One aspect that simplifies and thus speeds up the implementation of both producers and consumers is how the data area is mapped twice contiguously back-to-back in the virtual memory, allowing to not take any special measures for samples that have to wrap around at the end of the circular buffer data area, because the next page after the last data page would be first data page again, and thus the sample will still appear completely contiguous in virtual memory. Each record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for book-keeping the length and offset, and is inaccessible to the BPF program. Helpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ` for the BPF program to use. Bing-Jhong and Muhammad reported that it is however possible to make a second allocated memory chunk overlapping with the first chunk and as a result, the BPF program is now able to edit first chunk's header. For example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size of 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to bpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in [0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets allocate a chunk B with size 0x3000. This will succeed because consumer_pos was edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask` check. Chunk B will be in range [0x3008,0x6010], and the BPF program is able to edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned earlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data pages. This means that chunk B at [0x4000,0x4008] is chunk A's header. bpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then locate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk B modified chunk A's header, then bpf_ringbuf_commit() refers to the wrong page and could cause a crash. Fix it by calculating the oldest pending_pos and check whether the range from the oldest outstanding record to the newest would span beyond the ring buffer size. If that is the case, then reject the request. We've tested with the ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh) before/after the fix and while it seems a bit slower on some benchmarks, it is still not significantly enough to matter.", "cve_priority": "medium", "cve_public_date": "2024-07-17 07:15:00 UTC" }, { "cve": "CVE-2024-39494", "url": "https://ubuntu.com/security/CVE-2024-39494", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ima: Fix use-after-free on a dentry's dname.name ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-39496", "url": "https://ubuntu.com/security/CVE-2024-39496", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: fix use-after-free due to race with dev replace While loading a zone's info during creation of a block group, we can race with a device replace operation and then trigger a use-after-free on the device that was just replaced (source device of the replace operation). This happens because at btrfs_load_zone_info() we extract a device from the chunk map into a local variable and then use the device while not under the protection of the device replace rwsem. So if there's a device replace operation happening when we extract the device and that device is the source of the replace operation, we will trigger a use-after-free if before we finish using the device the replace operation finishes and frees the device. Fix this by enlarging the critical section under the protection of the device replace rwsem so that all uses of the device are done inside the critical section.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-42160", "url": "https://ubuntu.com/security/CVE-2024-42160", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: f2fs: check validation of fault attrs in f2fs_build_fault_attr() - It missed to check validation of fault attrs in parse_options(), let's fix to add check condition in f2fs_build_fault_attr(). - Use f2fs_build_fault_attr() in __sbi_store() to clean up code.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-38570", "url": "https://ubuntu.com/security/CVE-2024-38570", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount When a DLM lockspace is released and there ares still locks in that lockspace, DLM will unlock those locks automatically. Commit fb6791d100d1b started exploiting this behavior to speed up filesystem unmount: gfs2 would simply free glocks it didn't want to unlock and then release the lockspace. This didn't take the bast callbacks for asynchronous lock contention notifications into account, which remain active until until a lock is unlocked or its lockspace is released. To prevent those callbacks from accessing deallocated objects, put the glocks that should not be unlocked on the sd_dead_glocks list, release the lockspace, and only then free those glocks. As an additional measure, ignore unexpected ast and bast callbacks if the receiving glock is dead.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-42228", "url": "https://ubuntu.com/security/CVE-2024-42228", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. V2: To really improve the handling we would actually need to have a separate value of 0xffffffff.(Christian)", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-27012", "url": "https://ubuntu.com/security/CVE-2024-27012", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: restore set elements when delete set fails From abort path, nft_mapelem_activate() needs to restore refcounters to the original state. Currently, it uses the set->ops->walk() to iterate over these set elements. The existing set iterator skips inactive elements in the next generation, this does not work from the abort path to restore the original state since it has to skip active elements instead (not inactive ones). This patch moves the check for inactive elements to the set iterator callback, then it reverses the logic for the .activate case which needs to skip active elements. Toggle next generation bit for elements when delete set command is invoked and call nft_clear() from .activate (abort) path to restore the next generation bit. The splat below shows an object in mappings memleak: [43929.457523] ------------[ cut here ]------------ [43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [...] [43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 [43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246 [43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000 [43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550 [43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f [43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0 [43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002 [43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000 [43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0 [43929.458114] Call Trace: [43929.458118] [43929.458121] ? __warn+0x9f/0x1a0 [43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458188] ? report_bug+0x1b1/0x1e0 [43929.458196] ? handle_bug+0x3c/0x70 [43929.458200] ? exc_invalid_op+0x17/0x40 [43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables] [43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables] [43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables] [43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables] [43929.458512] ? rb_insert_color+0x2e/0x280 [43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables] [43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables] [43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables] [43929.458701] ? __rcu_read_unlock+0x46/0x70 [43929.458709] nft_delset+0xff/0x110 [nf_tables] [43929.458769] nft_flush_table+0x16f/0x460 [nf_tables] [43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-26677", "url": "https://ubuntu.com/security/CVE-2024-26677", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix delayed ACKs to not set the reference serial number Fix the construction of delayed ACKs to not set the reference serial number as they can't be used as an RTT reference.", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-26921", "url": "https://ubuntu.com/security/CVE-2024-26921", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: inet: inet_defrag: prevent sk release while still in use ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released. This affects skb fragments reassembled via netfilter or similar modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline. Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing. A relevant old patch about the issue was : 8282f27449bf (\"inet: frag: Always orphan skbs inside ip_defrag()\") [..] net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used. Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this: If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accouting to reflect the fully reassembled skb, else wmem will underflow. This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered. This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue. In the former case, things work as before, skb is orphaned. This is safe because skb gets queued/stolen and won't continue past reasm engine. In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accouting when inet_frag inflates truesize.", "cve_priority": "high", "cve_public_date": "2024-04-18 10:15:00 UTC" }, { "cve": "CVE-2024-39484", "url": "https://ubuntu.com/security/CVE-2024-39484", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: davinci: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in reference: davinci_mmcsd_driver+0x10 (section: .data) -> davinci_mmcsd_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-07-05 07:15:00 UTC" }, { "cve": "CVE-2024-39292", "url": "https://ubuntu.com/security/CVE-2024-39292", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: um: Add winch to winch_handlers before registering winch IRQ Registering a winch IRQ is racy, an interrupt may occur before the winch is added to the winch_handlers list. If that happens, register_winch_irq() adds to that list a winch that is scheduled to be (or has already been) freed, causing a panic later in winch_cleanup(). Avoid the race by adding the winch to the winch_handlers list before registering the IRQ, and rolling back if um_request_irq() fails.", "cve_priority": "medium", "cve_public_date": "2024-06-24 14:15:00 UTC" }, { "cve": "CVE-2024-36901", "url": "https://ubuntu.com/security/CVE-2024-36901", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent NULL dereference in ip6_output() According to syzbot, there is a chance that ip6_dst_idev() returns NULL in ip6_output(). Most places in IPv6 stack deal with a NULL idev just fine, but not here. syzbot reported: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7] CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237 Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202 RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000 RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48 RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0 R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000 FS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: NF_HOOK include/linux/netfilter.h:314 [inline] ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358 sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248 sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653 sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169 sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73 __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234 sctp_connect net/sctp/socket.c:4819 [inline] sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "medium", "cve_public_date": "2024-05-30 16:15:00 UTC" }, { "cve": "CVE-2024-26830", "url": "https://ubuntu.com/security/CVE-2024-26830", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i40e: Do not allow untrusted VF to remove administratively set MAC Currently when PF administratively sets VF's MAC address and the VF is put down (VF tries to delete all MACs) then the MAC is removed from MAC filters and primary VF MAC is zeroed. Do not allow untrusted VF to remove primary MAC when it was set administratively by PF. Reproducer: 1) Create VF 2) Set VF interface up 3) Administratively set the VF's MAC 4) Put VF interface down [root@host ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs [root@host ~]# ip link set enp2s0f0v0 up [root@host ~]# ip link set enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off [root@host ~]# ip link set enp2s0f0v0 down [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-26680", "url": "https://ubuntu.com/security/CVE-2024-26680", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: atlantic: Fix DMA mapping for PTP hwts ring Function aq_ring_hwts_rx_alloc() maps extra AQ_CFG_RXDS_DEF bytes for PTP HWTS ring but then generic aq_ring_free() does not take this into account. Create and use a specific function to free HWTS ring to fix this issue. Trace: [ 215.351607] ------------[ cut here ]------------ [ 215.351612] DMA-API: atlantic 0000:4b:00.0: device driver frees DMA memory with different size [device address=0x00000000fbdd0000] [map size=34816 bytes] [unmap size=32768 bytes] [ 215.351635] WARNING: CPU: 33 PID: 10759 at kernel/dma/debug.c:988 check_unmap+0xa6f/0x2360 ... [ 215.581176] Call Trace: [ 215.583632] [ 215.585745] ? show_trace_log_lvl+0x1c4/0x2df [ 215.590114] ? show_trace_log_lvl+0x1c4/0x2df [ 215.594497] ? debug_dma_free_coherent+0x196/0x210 [ 215.599305] ? check_unmap+0xa6f/0x2360 [ 215.603147] ? __warn+0xca/0x1d0 [ 215.606391] ? check_unmap+0xa6f/0x2360 [ 215.610237] ? report_bug+0x1ef/0x370 [ 215.613921] ? handle_bug+0x3c/0x70 [ 215.617423] ? exc_invalid_op+0x14/0x50 [ 215.621269] ? asm_exc_invalid_op+0x16/0x20 [ 215.625480] ? check_unmap+0xa6f/0x2360 [ 215.629331] ? mark_lock.part.0+0xca/0xa40 [ 215.633445] debug_dma_free_coherent+0x196/0x210 [ 215.638079] ? __pfx_debug_dma_free_coherent+0x10/0x10 [ 215.643242] ? slab_free_freelist_hook+0x11d/0x1d0 [ 215.648060] dma_free_attrs+0x6d/0x130 [ 215.651834] aq_ring_free+0x193/0x290 [atlantic] [ 215.656487] aq_ptp_ring_free+0x67/0x110 [atlantic] ... [ 216.127540] ---[ end trace 6467e5964dd2640b ]--- [ 216.132160] DMA-API: Mapped at: [ 216.132162] debug_dma_alloc_coherent+0x66/0x2f0 [ 216.132165] dma_alloc_attrs+0xf5/0x1b0 [ 216.132168] aq_ring_hwts_rx_alloc+0x150/0x1f0 [atlantic] [ 216.132193] aq_ptp_ring_alloc+0x1bb/0x540 [atlantic] [ 216.132213] aq_nic_init+0x4a1/0x760 [atlantic]", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2023-52760", "url": "https://ubuntu.com/security/CVE-2023-52760", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix slab-use-after-free in gfs2_qd_dealloc In gfs2_put_super(), whether withdrawn or not, the quota should be cleaned up by gfs2_quota_cleanup(). Otherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu callback) has run for all gfs2_quota_data objects, resulting in use-after-free. Also, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called by gfs2_make_fs_ro(), so in gfs2_put_super(), after calling gfs2_make_fs_ro(), there is no need to call them again.", "cve_priority": "medium", "cve_public_date": "2024-05-21 16:15:00 UTC" }, { "cve": "CVE-2023-52629", "url": "https://ubuntu.com/security/CVE-2023-52629", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sh: push-switch: Reorder cleanup operations to avoid use-after-free bug The original code puts flush_work() before timer_shutdown_sync() in switch_drv_remove(). Although we use flush_work() to stop the worker, it could be rescheduled in switch_timer(). As a result, a use-after-free bug can occur. The details are shown below: (cpu 0) | (cpu 1) switch_drv_remove() | flush_work() | ... | switch_timer // timer | schedule_work(&psw->work) timer_shutdown_sync() | ... | switch_work_handler // worker kfree(psw) // free | | psw->state = 0 // use This patch puts timer_shutdown_sync() before flush_work() to mitigate the bugs. As a result, the worker and timer will be stopped safely before the deallocate operations.", "cve_priority": "medium", "cve_public_date": "2024-03-29 10:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2078154, 2076957, 2076100, 2076347, 2076334, 2075903, 1786013, 2075170, 2074215, 2075170, 2073765, 2072858, 2073765, 2073092, 2072617, 2073267, 2073765 ], "changes": [ { "cves": [ { "cve": "CVE-2024-41009", "url": "https://ubuntu.com/security/CVE-2024-41009", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix overrunning reservations in ringbuf The BPF ring buffer internally is implemented as a power-of-2 sized circular buffer, with two logical and ever-increasing counters: consumer_pos is the consumer counter to show which logical position the consumer consumed the data, and producer_pos which is the producer counter denoting the amount of data reserved by all producers. Each time a record is reserved, the producer that \"owns\" the record will successfully advance producer counter. In user space each time a record is read, the consumer of the data advanced the consumer counter once it finished processing. Both counters are stored in separate pages so that from user space, the producer counter is read-only and the consumer counter is read-write. One aspect that simplifies and thus speeds up the implementation of both producers and consumers is how the data area is mapped twice contiguously back-to-back in the virtual memory, allowing to not take any special measures for samples that have to wrap around at the end of the circular buffer data area, because the next page after the last data page would be first data page again, and thus the sample will still appear completely contiguous in virtual memory. Each record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for book-keeping the length and offset, and is inaccessible to the BPF program. Helpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ` for the BPF program to use. Bing-Jhong and Muhammad reported that it is however possible to make a second allocated memory chunk overlapping with the first chunk and as a result, the BPF program is now able to edit first chunk's header. For example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size of 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to bpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in [0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets allocate a chunk B with size 0x3000. This will succeed because consumer_pos was edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask` check. Chunk B will be in range [0x3008,0x6010], and the BPF program is able to edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned earlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data pages. This means that chunk B at [0x4000,0x4008] is chunk A's header. bpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then locate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk B modified chunk A's header, then bpf_ringbuf_commit() refers to the wrong page and could cause a crash. Fix it by calculating the oldest pending_pos and check whether the range from the oldest outstanding record to the newest would span beyond the ring buffer size. If that is the case, then reject the request. We've tested with the ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh) before/after the fix and while it seems a bit slower on some benchmarks, it is still not significantly enough to matter.", "cve_priority": "medium", "cve_public_date": "2024-07-17 07:15:00 UTC" }, { "cve": "CVE-2024-39494", "url": "https://ubuntu.com/security/CVE-2024-39494", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ima: Fix use-after-free on a dentry's dname.name ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-39496", "url": "https://ubuntu.com/security/CVE-2024-39496", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: fix use-after-free due to race with dev replace While loading a zone's info during creation of a block group, we can race with a device replace operation and then trigger a use-after-free on the device that was just replaced (source device of the replace operation). This happens because at btrfs_load_zone_info() we extract a device from the chunk map into a local variable and then use the device while not under the protection of the device replace rwsem. So if there's a device replace operation happening when we extract the device and that device is the source of the replace operation, we will trigger a use-after-free if before we finish using the device the replace operation finishes and frees the device. Fix this by enlarging the critical section under the protection of the device replace rwsem so that all uses of the device are done inside the critical section.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-42160", "url": "https://ubuntu.com/security/CVE-2024-42160", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: f2fs: check validation of fault attrs in f2fs_build_fault_attr() - It missed to check validation of fault attrs in parse_options(), let's fix to add check condition in f2fs_build_fault_attr(). - Use f2fs_build_fault_attr() in __sbi_store() to clean up code.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-38570", "url": "https://ubuntu.com/security/CVE-2024-38570", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount When a DLM lockspace is released and there ares still locks in that lockspace, DLM will unlock those locks automatically. Commit fb6791d100d1b started exploiting this behavior to speed up filesystem unmount: gfs2 would simply free glocks it didn't want to unlock and then release the lockspace. This didn't take the bast callbacks for asynchronous lock contention notifications into account, which remain active until until a lock is unlocked or its lockspace is released. To prevent those callbacks from accessing deallocated objects, put the glocks that should not be unlocked on the sd_dead_glocks list, release the lockspace, and only then free those glocks. As an additional measure, ignore unexpected ast and bast callbacks if the receiving glock is dead.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-42228", "url": "https://ubuntu.com/security/CVE-2024-42228", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. V2: To really improve the handling we would actually need to have a separate value of 0xffffffff.(Christian)", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-27012", "url": "https://ubuntu.com/security/CVE-2024-27012", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: restore set elements when delete set fails From abort path, nft_mapelem_activate() needs to restore refcounters to the original state. Currently, it uses the set->ops->walk() to iterate over these set elements. The existing set iterator skips inactive elements in the next generation, this does not work from the abort path to restore the original state since it has to skip active elements instead (not inactive ones). This patch moves the check for inactive elements to the set iterator callback, then it reverses the logic for the .activate case which needs to skip active elements. Toggle next generation bit for elements when delete set command is invoked and call nft_clear() from .activate (abort) path to restore the next generation bit. The splat below shows an object in mappings memleak: [43929.457523] ------------[ cut here ]------------ [43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [...] [43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 [43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246 [43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000 [43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550 [43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f [43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0 [43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002 [43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000 [43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0 [43929.458114] Call Trace: [43929.458118] [43929.458121] ? __warn+0x9f/0x1a0 [43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458188] ? report_bug+0x1b1/0x1e0 [43929.458196] ? handle_bug+0x3c/0x70 [43929.458200] ? exc_invalid_op+0x17/0x40 [43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables] [43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables] [43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables] [43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables] [43929.458512] ? rb_insert_color+0x2e/0x280 [43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables] [43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables] [43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables] [43929.458701] ? __rcu_read_unlock+0x46/0x70 [43929.458709] nft_delset+0xff/0x110 [nf_tables] [43929.458769] nft_flush_table+0x16f/0x460 [nf_tables] [43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-26677", "url": "https://ubuntu.com/security/CVE-2024-26677", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix delayed ACKs to not set the reference serial number Fix the construction of delayed ACKs to not set the reference serial number as they can't be used as an RTT reference.", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" } ], "log": [ "", " * jammy/linux: 5.15.0-122.132 -proposed tracker (LP: #2078154)", "", " * isolcpus are ignored when using cgroups V2, causing processes to have wrong", " affinity (LP: #2076957)", " - cgroup/cpuset: Optimize cpuset_attach() on v2", "", " * Jammy update: v5.15.164 upstream stable release (LP: #2076100) //", " CVE-2024-41009", " - bpf: Fix overrunning reservations in ringbuf", "", " * CVE-2024-39494", " - ima: Fix use-after-free on a dentry's dname.name", "", " * CVE-2024-39496", " - btrfs: zoned: fix use-after-free due to race with dev replace", "", " * CVE-2024-42160", " - f2fs: check validation of fault attrs in f2fs_build_fault_attr()", " - f2fs: Add inline to f2fs_build_fault_attr() stub", "", " * CVE-2024-38570", " - gfs2: Rename sd_{ glock => kill }_wait", " - gfs2: Fix potential glock use-after-free on unmount", "", " * CVE-2024-42228", " - drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc", "", " * CVE-2024-27012", " - netfilter: nf_tables: restore set elements when delete set fails", "", " * CVE-2024-26677", " - rxrpc: Fix delayed ACKs to not set the reference serial number", "" ], "package": "linux", "version": "5.15.0-122.132", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2078154, 2076957, 2076100 ], "author": "Manuel Diewald ", "date": "Thu, 29 Aug 2024 14:23:02 +0200" }, { "cves": [], "log": [ "", " * jammy/linux: 5.15.0-121.131 -proposed tracker (LP: #2076347)", "", " * jammy:linux bpf selftest do not build (LP: #2076334)", " - SAUCE: Revert \"bpf: Allow reads from uninit stack\"", "" ], "package": "linux", "version": "5.15.0-121.131", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2076347, 2076334 ], "author": "Roxana Nicolescu ", "date": "Fri, 09 Aug 2024 10:15:16 +0200" }, { "cves": [ { "cve": "CVE-2024-26921", "url": "https://ubuntu.com/security/CVE-2024-26921", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: inet: inet_defrag: prevent sk release while still in use ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released. This affects skb fragments reassembled via netfilter or similar modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline. Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing. A relevant old patch about the issue was : 8282f27449bf (\"inet: frag: Always orphan skbs inside ip_defrag()\") [..] net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used. Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this: If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accouting to reflect the fully reassembled skb, else wmem will underflow. This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered. This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue. In the former case, things work as before, skb is orphaned. This is safe because skb gets queued/stolen and won't continue past reasm engine. In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accouting when inet_frag inflates truesize.", "cve_priority": "high", "cve_public_date": "2024-04-18 10:15:00 UTC" }, { "cve": "CVE-2024-39484", "url": "https://ubuntu.com/security/CVE-2024-39484", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: davinci: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in reference: davinci_mmcsd_driver+0x10 (section: .data) -> davinci_mmcsd_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-07-05 07:15:00 UTC" }, { "cve": "CVE-2024-39292", "url": "https://ubuntu.com/security/CVE-2024-39292", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: um: Add winch to winch_handlers before registering winch IRQ Registering a winch IRQ is racy, an interrupt may occur before the winch is added to the winch_handlers list. If that happens, register_winch_irq() adds to that list a winch that is scheduled to be (or has already been) freed, causing a panic later in winch_cleanup(). Avoid the race by adding the winch to the winch_handlers list before registering the IRQ, and rolling back if um_request_irq() fails.", "cve_priority": "medium", "cve_public_date": "2024-06-24 14:15:00 UTC" }, { "cve": "CVE-2024-36901", "url": "https://ubuntu.com/security/CVE-2024-36901", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent NULL dereference in ip6_output() According to syzbot, there is a chance that ip6_dst_idev() returns NULL in ip6_output(). Most places in IPv6 stack deal with a NULL idev just fine, but not here. syzbot reported: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7] CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237 Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202 RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000 RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48 RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0 R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000 FS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: NF_HOOK include/linux/netfilter.h:314 [inline] ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358 sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248 sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653 sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169 sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73 __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234 sctp_connect net/sctp/socket.c:4819 [inline] sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "medium", "cve_public_date": "2024-05-30 16:15:00 UTC" }, { "cve": "CVE-2024-26830", "url": "https://ubuntu.com/security/CVE-2024-26830", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i40e: Do not allow untrusted VF to remove administratively set MAC Currently when PF administratively sets VF's MAC address and the VF is put down (VF tries to delete all MACs) then the MAC is removed from MAC filters and primary VF MAC is zeroed. Do not allow untrusted VF to remove primary MAC when it was set administratively by PF. Reproducer: 1) Create VF 2) Set VF interface up 3) Administratively set the VF's MAC 4) Put VF interface down [root@host ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs [root@host ~]# ip link set enp2s0f0v0 up [root@host ~]# ip link set enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off [root@host ~]# ip link set enp2s0f0v0 down [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-26680", "url": "https://ubuntu.com/security/CVE-2024-26680", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: atlantic: Fix DMA mapping for PTP hwts ring Function aq_ring_hwts_rx_alloc() maps extra AQ_CFG_RXDS_DEF bytes for PTP HWTS ring but then generic aq_ring_free() does not take this into account. Create and use a specific function to free HWTS ring to fix this issue. Trace: [ 215.351607] ------------[ cut here ]------------ [ 215.351612] DMA-API: atlantic 0000:4b:00.0: device driver frees DMA memory with different size [device address=0x00000000fbdd0000] [map size=34816 bytes] [unmap size=32768 bytes] [ 215.351635] WARNING: CPU: 33 PID: 10759 at kernel/dma/debug.c:988 check_unmap+0xa6f/0x2360 ... [ 215.581176] Call Trace: [ 215.583632] [ 215.585745] ? show_trace_log_lvl+0x1c4/0x2df [ 215.590114] ? show_trace_log_lvl+0x1c4/0x2df [ 215.594497] ? debug_dma_free_coherent+0x196/0x210 [ 215.599305] ? check_unmap+0xa6f/0x2360 [ 215.603147] ? __warn+0xca/0x1d0 [ 215.606391] ? check_unmap+0xa6f/0x2360 [ 215.610237] ? report_bug+0x1ef/0x370 [ 215.613921] ? handle_bug+0x3c/0x70 [ 215.617423] ? exc_invalid_op+0x14/0x50 [ 215.621269] ? asm_exc_invalid_op+0x16/0x20 [ 215.625480] ? check_unmap+0xa6f/0x2360 [ 215.629331] ? mark_lock.part.0+0xca/0xa40 [ 215.633445] debug_dma_free_coherent+0x196/0x210 [ 215.638079] ? __pfx_debug_dma_free_coherent+0x10/0x10 [ 215.643242] ? slab_free_freelist_hook+0x11d/0x1d0 [ 215.648060] dma_free_attrs+0x6d/0x130 [ 215.651834] aq_ring_free+0x193/0x290 [atlantic] [ 215.656487] aq_ptp_ring_free+0x67/0x110 [atlantic] ... [ 216.127540] ---[ end trace 6467e5964dd2640b ]--- [ 216.132160] DMA-API: Mapped at: [ 216.132162] debug_dma_alloc_coherent+0x66/0x2f0 [ 216.132165] dma_alloc_attrs+0xf5/0x1b0 [ 216.132168] aq_ring_hwts_rx_alloc+0x150/0x1f0 [atlantic] [ 216.132193] aq_ptp_ring_alloc+0x1bb/0x540 [atlantic] [ 216.132213] aq_nic_init+0x4a1/0x760 [atlantic]", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2023-52760", "url": "https://ubuntu.com/security/CVE-2023-52760", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix slab-use-after-free in gfs2_qd_dealloc In gfs2_put_super(), whether withdrawn or not, the quota should be cleaned up by gfs2_quota_cleanup(). Otherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu callback) has run for all gfs2_quota_data objects, resulting in use-after-free. Also, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called by gfs2_make_fs_ro(), so in gfs2_put_super(), after calling gfs2_make_fs_ro(), there is no need to call them again.", "cve_priority": "medium", "cve_public_date": "2024-05-21 16:15:00 UTC" }, { "cve": "CVE-2023-52629", "url": "https://ubuntu.com/security/CVE-2023-52629", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sh: push-switch: Reorder cleanup operations to avoid use-after-free bug The original code puts flush_work() before timer_shutdown_sync() in switch_drv_remove(). Although we use flush_work() to stop the worker, it could be rescheduled in switch_timer(). As a result, a use-after-free bug can occur. The details are shown below: (cpu 0) | (cpu 1) switch_drv_remove() | flush_work() | ... | switch_timer // timer | schedule_work(&psw->work) timer_shutdown_sync() | ... | switch_work_handler // worker kfree(psw) // free | | psw->state = 0 // use This patch puts timer_shutdown_sync() before flush_work() to mitigate the bugs. As a result, the worker and timer will be stopped safely before the deallocate operations.", "cve_priority": "medium", "cve_public_date": "2024-03-29 10:15:00 UTC" } ], "log": [ "", " * jammy/linux: 5.15.0-120.130 -proposed tracker (LP: #2075903)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.master/dkms-versions -- update from kernel-versions", " (main/2024.08.05)", "", " * Jammy update: v5.15.163 upstream stable release (LP: #2075170)", " - Compiler Attributes: Add __uninitialized macro", " - locking/mutex: Introduce devm_mutex_init()", " - drm/lima: fix shared irq handling on driver remove", " - media: dvb: as102-fe: Fix as10x_register_addr packing", " - media: dvb-usb: dib0700_devices: Add missing release_firmware()", " - IB/core: Implement a limit on UMAD receive List", " - scsi: qedf: Make qedf_execute_tmf() non-preemptible", " - crypto: aead,cipher - zeroize key buffer after use", " - drm/amdgpu: Initialize timestamp for some legacy SOCs", " - drm/amd/display: Check index msg_id before read or write", " - drm/amd/display: Check pipe offset before setting vblank", " - drm/amd/display: Skip finding free audio for unknown engine_id", " - media: dw2102: Don't translate i2c read into write", " - sctp: prefer struct_size over open coded arithmetic", " - firmware: dmi: Stop decoding on broken entry", " - Input: ff-core - prefer struct_size over open coded arithmetic", " - wifi: mt76: replace skb_put with skb_put_zero", " - net: dsa: mv88e6xxx: Correct check for empty list", " - media: dvb-frontends: tda18271c2dd: Remove casting during div", " - media: s2255: Use refcount_t instead of atomic_t for num_channels", " - media: dvb-frontends: tda10048: Fix integer overflow", " - i2c: i801: Annotate apanel_addr as __ro_after_init", " - powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for CONFIG_PCI=n", " - orangefs: fix out-of-bounds fsid access", " - kunit: Fix timeout message", " - powerpc/xmon: Check cpu id in commands \"c#\", \"dp#\" and \"dx#\"", " - igc: fix a log entry using uninitialized netdev", " - bpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD", " - jffs2: Fix potential illegal address access in jffs2_free_inode", " - s390/pkey: Wipe sensitive data on failure", " - tools/power turbostat: Remember global max_die_id", " - UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open()", " - tcp_metrics: validate source addr length", " - KVM: s390: fix LPSWEY handling", " - e1000e: Fix S0ix residency on corporate systems", " - net: allow skb_datagram_iter to be called from any context", " - wifi: wilc1000: fix ies_len type in connect path", " - riscv: kexec: Avoid deadlock in kexec crash path", " - netfilter: nf_tables: unconditionally flush pending work before notifier", " - bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()", " - selftests: fix OOM in msg_zerocopy selftest", " - selftests: make order checking verbose in msg_zerocopy selftest", " - inet_diag: Initialize pad field in struct inet_diag_req_v2", " - gpiolib: of: factor out code overriding gpio line polarity", " - gpiolib: of: add a quirk for reset line polarity for Himax LCDs", " - gpiolib: of: add polarity quirk for TSC2005", " - Revert \"igc: fix a log entry using uninitialized netdev\"", " - nilfs2: fix inode number range checks", " - nilfs2: add missing check for inode numbers on directory entries", " - mm: optimize the redundant loop of mm_update_owner_next()", " - mm: avoid overflows in dirty throttling logic", " - btrfs: fix adding block group to a reclaim list and the unused list during", " reclaim", " - Bluetooth: qca: Fix BT enable failure again for QCA6390 after warm reboot", " - can: kvaser_usb: Explicitly initialize family in leafimx driver_info struct", " - fsnotify: Do not generate events for O_PATH file descriptors", " - Revert \"mm/writeback: fix possible divide-by-zero in wb_dirty_limits(),", " again\"", " - drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes", " - drm/amdgpu/atomfirmware: silence UBSAN warning", " - mtd: rawnand: Ensure ECC configuration is propagated to upper layers", " - mtd: rawnand: Bypass a couple of sanity checks during NAND identification", " - mtd: rawnand: rockchip: ensure NVDDR timings are rejected", " - ima: Avoid blocking in RCU read-side critical section", " - media: dw2102: fix a potential buffer overflow", " - clk: qcom: gcc-sm6350: Fix gpll6* & gpll7 parents", " - i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr", " - fs/ntfs3: Mark volume as dirty if xattr is broken", " - ALSA: hda/realtek: Enable headset mic of JP-IK LEAP W502 with ALC897", " - nvme-multipath: find NUMA path only for online numa-node", " - dma-mapping: benchmark: avoid needless copy_to_user if benchmark fails", " - nvme: adjust multiples of NVME_CTRL_PAGE_SIZE in offset", " - regmap-i2c: Subtract reg size from max_write", " - platform/x86: touchscreen_dmi: Add info for GlobalSpace SolT IVW 11.6\"", " tablet", " - platform/x86: touchscreen_dmi: Add info for the EZpad 6s Pro", " - nvmet: fix a possible leak when destroy a ctrl during qp establishment", " - kbuild: fix short log for AS in link-vmlinux.sh", " - nfc/nci: Add the inconsistency check between the input data length and count", " - null_blk: Do not allow runt zone with zone capacity smaller then zone size", " - nilfs2: fix incorrect inode allocation from reserved inodes", " - mm: prevent derefencing NULL ptr in pfn_section_valid()", " - filelock: fix potential use-after-free in posix_lock_inode", " - fs/dcache: Re-use value stored to dentry->d_flags instead of re-reading", " - vfs: don't mod negative dentry count when on shrinker list", " - tcp: fix incorrect undo caused by DSACK of TLP retransmit", " - skmsg: Skip zero length skb in sk_msg_recvmsg", " - octeontx2-af: Fix incorrect value output on error path in", " rvu_check_rsrc_availability()", " - net: fix rc7's __skb_datagram_iter()", " - i40e: Fix XDP program unloading while removing the driver", " - net: lantiq_etop: add blank line after declaration", " - net: ethernet: lantiq_etop: fix double free in detach", " - net: ethernet: mtk-star-emac: set mac_managed_pm when probing", " - ppp: reject claimed-as-LCP but actually malformed packets", " - ethtool: netlink: do not return SQI value if link is down", " - udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().", " - s390: Mark psw in __load_psw_mask() as __unitialized", " - ARM: davinci: Convert comma to semicolon", " - octeontx2-af: replace cpt slot with lf id on reg write", " - octeontx2-af: update cpt lf alloc mailbox", " - octeontx2-af: fix a issue with cpt_lf_alloc mailbox", " - octeontx2-af: fix detection of IP layer", " - octeontx2-af: extend RSS supported offload types", " - octeontx2-af: fix issue with IPv6 ext match for RSS", " - octeontx2-af: fix issue with IPv4 match for RSS", " - tcp: use signed arithmetic in tcp_rtx_probe0_timed_out()", " - tcp: avoid too many retransmit packets", " - net: ks8851: Fix potential TX stall after interface reopen", " - USB: serial: option: add Telit generic core-dump composition", " - USB: serial: option: add Telit FN912 rmnet compositions", " - USB: serial: option: add Fibocom FM350-GL", " - USB: serial: option: add support for Foxconn T99W651", " - USB: serial: option: add Netprisma LCUK54 series modules", " - USB: serial: option: add Rolling RW350-GL variants", " - USB: serial: mos7840: fix crash on resume", " - USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k", " - usb: gadget: configfs: Prevent OOB read/write in usb_string_copy()", " - USB: core: Fix duplicate endpoint bug by clearing reserved bits in the", " descriptor", " - hpet: Support 32-bit userspace", " - nvmem: rmem: Fix return value of rmem_read()", " - nvmem: meson-efuse: Fix return value of nvmem callbacks", " - nvmem: core: only change name to fram for current attribute", " - ALSA: hda/realtek: add quirk for Clevo V5[46]0TU", " - ALSA: hda/realtek: Enable Mute LED on HP 250 G7", " - ALSA: hda/realtek: Limit mic boost on VAIO PRO PX", " - Fix userfaultfd_api to return EINVAL as expected", " - libceph: fix race between delayed_work() and ceph_monc_stop()", " - wireguard: allowedips: avoid unaligned 64-bit memory accesses", " - wireguard: queueing: annotate intentional data race in cpu round robin", " - wireguard: send: annotate intentional data race in checking empty queue", " - ipv6: annotate data-races around cnf.disable_ipv6", " - bpf: Allow reads from uninit stack", " - nilfs2: fix kernel bug on rename operation of broken directory", " - i2c: rcar: bring hardware to known state when probing", " - i2c: mark HostNotify target address as used", " - i2c: rcar: Add R-Car Gen4 support", " - i2c: rcar: reset controller is mandatory for Gen3+", " - i2c: rcar: introduce Gen4 devices", " - i2c: rcar: ensure Gen3+ reset does not disturb local targets", " - i2c: testunit: avoid re-issued work after read message", " - i2c: rcar: clear NO_RXDMA flag after resetting", " - x86/entry/64: Remove obsolete comment on tracing vs. SYSRET", " - x86/bhi: Avoid warning in #DB handler due to BHI mitigation", " - kbuild: Make ld-version.sh more robust against version string changes", " - i2c: rcar: fix error code in probe()", " - Linux 5.15.163", "", " * [SRU] UBSAN warnings in bnx2x kernel driver (LP: #2074215) // Jammy update:", " v5.15.163 upstream stable release (LP: #2075170)", " - bnx2x: Fix multiple UBSAN array-index-out-of-bounds", "", " * Jammy update: v5.15.162 upstream stable release (LP: #2073765)", " - mmc: davinci_mmc: Convert to platform remove callback returning void", " - wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects", " - wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()", " - wifi: cfg80211: Lock wiphy in cfg80211_get_station", " - wifi: cfg80211: pmsr: use correct nla_get_uX functions", " - wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64", " - wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef", " - wifi: iwlwifi: mvm: check n_ssids before accessing the ssids", " - wifi: iwlwifi: mvm: don't read past the mfuart notifcation", " - wifi: mac80211: correctly parse Spatial Reuse Parameter Set element", " - net/ncsi: Simplify Kconfig/dts control flow", " - net/ncsi: Fix the multi thread manner of NCSI driver", " - ipv6: sr: block BH in seg6_output_core() and seg6_input_core()", " - bpf: Set run context for rawtp test_run callback", " - octeontx2-af: Always allocate PF entries from low prioriy zone", " - net: sched: sch_multiq: fix possible OOB write in multiq_tune()", " - vxlan: Fix regression when dropping packets due to invalid src addresses", " - tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB", " - net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP", " - ptp: Fix error message on failed pin verification", " - af_unix: Set sk->sk_state under unix_state_lock() for truly disconencted", " peer.", " - af_unix: Annodate data-races around sk->sk_state for writers.", " - af_unix: Annotate data-race of sk->sk_state in unix_inq_len().", " - af_unix: Annotate data-races around sk->sk_state in unix_write_space() and", " poll().", " - net: inline sock_prot_inuse_add()", " - net: drop nopreempt requirement on sock_prot_inuse_add()", " - af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().", " - af_unix: Annotate data-races around sk->sk_state in sendmsg() and recvmsg().", " - af_unix: Annotate data-race of sk->sk_state in unix_stream_read_skb().", " - af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG.", " - af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen.", " - af_unix: Use unix_recvq_full_lockless() in unix_stream_connect().", " - af_unix: annotate lockless accesses to sk->sk_err", " - af_unix: Use skb_queue_empty_lockless() in unix_release_sock().", " - af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen().", " - af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill().", " - ipv6: fix possible race in __fib6_drop_pcpu_from()", " - usb: gadget: f_fs: use io_data->status consistently", " - usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete", " - iio: accel: mxc4005: Reset chip on probe() and resume()", " - drm/amd/display: Handle Y carry-over in VCP X.Y calculation", " - drm/amd/display: Clean up some inconsistent indenting", " - drm/amd/display: drop unnecessary NULL checks in debugfs", " - drm/amd/display: Fix incorrect DSC instance for MST", " - pvpanic: Keep single style across modules", " - pvpanic: Indentation fixes here and there", " - misc/pvpanic: deduplicate common code", " - misc/pvpanic-pci: register attributes via pci_driver", " - skbuff: introduce skb_pull_data", " - Bluetooth: hci_qca: mark OF related data as maybe unused", " - Bluetooth: btqca: use le32_to_cpu for ver.soc_id", " - Bluetooth: btqca: Add WCN3988 support", " - Bluetooth: qca: use switch case for soc type behavior", " - Bluetooth: qca: add support for QCA2066", " - Bluetooth: qca: fix info leak when fetching fw build id", " - serial: sc16is7xx: replace hardcoded divisor value with BIT() macro", " - serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler", " - x86/ibt,ftrace: Search for __fentry__ location", " - ftrace: Fix possible use-after-free issue in ftrace_location()", " - i2c: add fwnode APIs", " - i2c: acpi: Unbind mux adapters before delete", " - cma: factor out minimum alignment requirement", " - mm/cma: drop incorrect alignment check in cma_init_reserved_mem", " - selftests/mm: compaction_test: fix incorrect write of zero to nr_hugepages", " - selftests/mm: conform test to TAP format output", " - selftests/mm: compaction_test: fix bogus test success on Aarch64", " - wifi: ath10k: fix QCOM_RPROC_COMMON dependency", " - btrfs: fix leak of qgroup extent records after transaction abort", " - nilfs2: Remove check for PageError", " - nilfs2: return the mapped address from nilfs_get_page()", " - nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors", " - USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages", " - usb: typec: tcpm: Ignore received Hard Reset in TOGGLING state", " - mei: me: release irq in mei_me_pci_resume error path", " - jfs: xattr: fix buffer overflow for invalid xattr", " - xhci: Set correct transferred length for cancelled bulk transfers", " - xhci: Apply reset resume quirk to Etron EJ188 xHCI host", " - xhci: Handle TD clearing for multiple streams case", " - xhci: Apply broken streams quirk to Etron EJ188 xHCI host", " - scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory", " - powerpc/uaccess: Fix build errors seen with GCC 13/14", " - Input: try trimming too long modalias strings", " - clk: sifive: Do not register clkdevs for PRCI clocks", " - SUNRPC: return proper error from gss_wrap_req_priv", " - platform/x86: dell-smbios-base: Use sysfs_emit()", " - platform/x86: dell-smbios: Fix wrong token data in sysfs", " - gpio: tqmx86: fix typo in Kconfig label", " - gpio: tqmx86: store IRQ trigger type and unmask status separately", " - HID: core: remove unnecessary WARN_ON() in implement()", " - iommu/amd: Introduce pci segment structure", " - iommu/amd: Fix sysfs leak in iommu init", " - iommu: Return right value in iommu_sva_bind_device()", " - HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode()", " - drm/vmwgfx: 3D disabled should not effect STDU memory limits", " - net: sfp: Always call `sfp_sm_mod_remove()` on remove", " - net: hns3: fix kernel crash problem in concurrent scenario", " - net: hns3: add cond_resched() to hns3 ring buffer init process", " - liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet", " - drm/komeda: check for error-valued pointer", " - drm/bridge/panel: Fix runtime warning on panel bridge release", " - tcp: fix race in tcp_v6_syn_recv_sock()", " - net/mlx5e: Fix features validation check for tunneled UDP (non-VXLAN)", " packets", " - netfilter: ipset: Fix race between namespace cleanup and gc in the list:set", " type", " - net: stmmac: replace priv->speed with the portTransmitRate from the tc-cbs", " parameters", " - net/ipv6: Fix the RT cache flush via sysctl using a previous delay", " - ionic: fix use after netif_napi_del()", " - af_unix: Read with MSG_PEEK loops if the first unread byte is OOB", " - iio: adc: ad9467: fix scan type sign", " - iio: dac: ad5592r: fix temperature channel scaling value", " - iio: imu: inv_icm42600: delete unneeded update watermark call", " - drivers: core: synchronize really_probe() and dev_uevent()", " - drm/exynos/vidi: fix memory leak in .get_modes()", " - drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found", " - mptcp: ensure snd_una is properly initialized on connect", " - tracing/selftests: Fix kprobe event name test for .isra. functions", " - null_blk: Print correct max open zones limit in null_init_zoned_dev()", " - sock_map: avoid race between sock_map_close and sk_psock_put", " - vmci: prevent speculation leaks by sanitizing event in event_deliver()", " - spmi: hisi-spmi-controller: Do not override device identifier", " - knfsd: LOOKUP can return an illegal error value", " - fs/proc: fix softlockup in __read_vmcore", " - ocfs2: use coarse time for new created files", " - ocfs2: fix races between hole punching and AIO+DIO", " - PCI: rockchip-ep: Remove wrong mask on subsys_vendor_id", " - dmaengine: axi-dmac: fix possible race in remove()", " - intel_th: pci: Add Granite Rapids support", " - intel_th: pci: Add Granite Rapids SOC support", " - intel_th: pci: Add Sapphire Rapids SOC support", " - intel_th: pci: Add Meteor Lake-S support", " - intel_th: pci: Add Lunar Lake support", " - nilfs2: fix potential kernel bug due to lack of writeback flag waiting", " - tick/nohz_full: Don't abuse smp_call_function_single() in", " tick_setup_device()", " - scsi: mpi3mr: Fix ATA NCQ priority support", " - mm/huge_memory: don't unpoison huge_zero_folio", " - serial: 8250_pxa: Configure tx_loadsz to match FIFO IRQ level", " - hugetlb_encode.h: fix undefined behaviour (34 << 26)", " - mptcp: pm: inc RmAddr MIB counter once per RM_ADDR ID", " - mptcp: pm: update add_addr counters after connect", " - kbuild: Remove support for Clang's ThinLTO caching", " - greybus: Fix use-after-free bug in gb_interface_release due to race", " condition.", " - usb-storage: alauda: Check whether the media is initialized", " - i2c: at91: Fix the functionality flags of the slave-only interface", " - i2c: designware: Fix the functionality flags of the slave-only interface", " - zap_pid_ns_processes: clear TIF_NOTIFY_SIGNAL along with TIF_SIGPENDING", " - Bluetooth: qca: Fix error code in qca_read_fw_build_info()", " - Bluetooth: qca: fix info leak when fetching board id", " - padata: Disable BH when taking works lock on MT path", " - crypto: hisilicon/sec - Fix memory leak for sec resource release", " - rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment", " - rcutorture: Make stall-tasks directly exit when rcutorture tests end", " - rcutorture: Fix invalid context warning when enable srcu barrier testing", " - block/ioctl: prefer different overflow check", " - selftests/bpf: Prevent client connect before server bind in", " test_tc_tunnel.sh", " - selftests/bpf: Fix flaky test btf_map_in_map/lookup_update", " - batman-adv: bypass empty buckets in batadv_purge_orig_ref()", " - wifi: ath9k: work around memset overflow warning", " - af_packet: avoid a false positive warning in packet_setsockopt()", " - drop_monitor: replace spin_lock by raw_spin_lock", " - scsi: qedi: Fix crash while reading debugfs attribute", " - kselftest: arm64: Add a null pointer check", " - netpoll: Fix race condition in netpoll_owner_active", " - HID: Add quirk for Logitech Casa touchpad", " - ACPI: video: Add backlight=native quirk for Lenovo Slim 7 16ARH7", " - Bluetooth: ath3k: Fix multiple issues reported by checkpatch.pl", " - drm/amd/display: Exit idle optimizations before HDCP execution", " - drm/lima: add mask irq callback to gp and pp", " - drm/lima: mask irqs in timeout path before hard reset", " - powerpc/pseries: Enforce hcall result buffer validity and size", " - powerpc/io: Avoid clang null pointer arithmetic warnings", " - power: supply: cros_usbpd: provide ID table for avoiding fallback match", " - iommu/arm-smmu-v3: Free MSIs in case of ENOMEM", " - f2fs: remove clear SB_INLINECRYPT flag in default_options", " - usb: misc: uss720: check for incompatible versions of the Belkin F5U002", " - Avoid hw_desc array overrun in dw-axi-dmac", " - udf: udftime: prevent overflow in udf_disk_stamp_to_time()", " - PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports", " - MIPS: Octeon: Add PCIe link status check", " - serial: imx: Introduce timeout when waiting on transmitter empty", " - serial: exar: adding missing CTI and Exar PCI ids", " - MIPS: Routerboard 532: Fix vendor retry check code", " - mips: bmips: BCM6358: make sure CBR is correctly set", " - tracing: Build event generation tests only as modules", " - cipso: fix total option length computation", " - netrom: Fix a memory leak in nr_heartbeat_expiry()", " - ipv6: prevent possible NULL deref in fib6_nh_init()", " - ipv6: prevent possible NULL dereference in rt6_probe()", " - xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()", " - netns: Make get_net_ns() handle zero refcount net", " - qca_spi: Make interrupt remembering atomic", " - net/sched: act_api: rely on rcu in tcf_idr_check_alloc", " - net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()", " - tipc: force a dst refcount before doing decryption", " - net/sched: act_ct: set 'net' pointer when creating new nf_flow_table", " - sched: act_ct: add netns into the key of tcf_ct_flow_table", " - ptp: fix integer overflow in max_vclocks_store", " - net: stmmac: No need to calculate speed divider when offload is disabled", " - virtio_net: checksum offloading handling fix", " - octeontx2-pf: Add error handling to VLAN unoffload handling", " - netfilter: ipset: Fix suspicious rcu_dereference_protected()", " - seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6", " behaviors", " - bnxt_en: Restore PTP tx_avail count in case of skb_pad() error", " - net: usb: rtl8150 fix unintiatilzed variables in rtl8150_get_link_ksettings", " - regulator: core: Fix modpost error \"regulator_get_regmap\" undefined", " - dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list", " - dmaengine: ioat: switch from 'pci_' to 'dma_' API", " - dmaengine: ioat: Drop redundant pci_enable_pcie_error_reporting()", " - dmaengine: ioatdma: Fix leaking on version mismatch", " - dmaengine: ioat: use PCI core macros for PCIe Capability", " - dmaengine: ioatdma: Fix error path in ioat3_dma_probe()", " - dmaengine: ioatdma: Fix kmemleak in ioat_pci_probe()", " - dmaengine: ioatdma: Fix missing kmem_cache_destroy()", " - regulator: bd71815: fix ramp values", " - ACPICA: Revert \"ACPICA: avoid Info: mapping multiple BARs. Your kernel is", " fine.\"", " - RDMA/mlx5: Add check for srq max_sge attribute", " - serial: stm32: rework RX over DMA", " - net: do not leave a dangling sk pointer, when socket creation fails", " - btrfs: retry block group reclaim without infinite loop", " - KVM: x86: Always sync PIR to IRR prior to scanning I/O APIC routes", " - ALSA: hda/realtek: Limit mic boost on N14AP7", " - drm/i915/mso: using joiner is not possible with eDP MSO", " - drm/radeon: fix UBSAN warning in kv_dpm.c", " - gcov: add support for GCC 14", " - kcov: don't lose track of remote references during softirqs", " - tcp: clear tp->retrans_stamp in tcp_rcv_fastopen_synack()", " - i2c: ocores: set IACK bit after core is enabled", " - dt-bindings: i2c: google,cros-ec-i2c-tunnel: correct path to i2c-controller", " schema", " - arm64: dts: imx8qm-mek: fix gpio number for reg_usdhc2_vmmc", " - drm/amd/display: revert Exit idle optimizations before HDCP execution", " - perf: script: add raw|disasm arguments to --insn-trace option", " - perf script: Show also errors for --insn-trace option", " - ARM: dts: samsung: smdkv310: fix keypad no-autorepeat", " - ARM: dts: samsung: exynos4412-origen: fix keypad no-autorepeat", " - ARM: dts: samsung: smdk4412: fix keypad no-autorepeat", " - rtlwifi: rtl8192de: Style clean-ups", " - wifi: rtlwifi: rtl8192de: Fix 5 GHz TX power", " - pmdomain: ti-sci: Fix duplicate PD referrals", " - bcache: fix variable length array abuse in btree_iter", " - tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test", " - x86/cpu/vfm: Add new macros to work with (vendor/family/model) values", " - x86/cpu: Fix x86_match_cpu() to match just X86_VENDOR_INTEL", " - ksmbd: ignore trailing slashes in share paths", " - drm/i915/gt: Only kick the signal worker if there's been an update", " - drm/i915/gt: Disarm breadcrumbs if engines are already idle", " - Revert \"kheaders: substituting --sort in archive creation\"", " - kheaders: explicitly define file modes for archived headers", " - riscv: mm: init: try best to use IS_ENABLED(CONFIG_64BIT) instead of #ifdef", " - riscv: fix overlap of allocated page and PTR_ERR", " - perf/core: Fix missing wakeup when waiting for context reference", " - PCI: Add PCI_ERROR_RESPONSE and related definitions", " - x86/amd_nb: Check for invalid SMN reads", " - smb: client: fix deadlock in smb2_find_smb_tcon()", " - ACPI: x86: utils: Add Picasso to the list for forcing StorageD3Enable", " - ACPI: x86: Force StorageD3Enable on more products", " - gve: Add RX context.", " - gve: Clear napi->skb before dev_kfree_skb_any()", " - Input: ili210x - fix ili251x_read_touch_data() return value", " - pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER", " - pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins", " - pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins", " - pinctrl: rockchip: use dedicated pinctrl type for RK3328", " - pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set", " - cifs: fix typo in module parameter enable_gcm_256", " - drm/amdgpu: fix UBSAN warning in kv_dpm.c", " - net: mdio: add helpers to extract clause 45 regad and devad fields", " - net: stmmac: Assign configured channel value to EXTTS event", " - ASoC: fsl-asoc-card: set priv->pdev before using it", " - net: dsa: microchip: fix initial port flush problem", " - ibmvnic: Free any outstanding tx skbs during scrq reset", " - net: phy: micrel: add Microchip KSZ 9477 to the device table", " - xdp: Remove WARN() from __xdp_reg_mem_model()", " - tcp: Use BPF timeout setting for SYN ACK RTO", " - Fix race for duplicate reqsk on identical SYN", " - sparc: fix old compat_sys_select()", " - sparc: fix compat recv/recvfrom syscalls", " - parisc: use correct compat recv/recvfrom syscalls", " - tcp: fix tcp_rcv_fastopen_synack() to enter TCP_CA_Loss for failed TFO", " - netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data", " registers", " - bpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro()", " - drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep", " - vduse: validate block features only with block devices", " - vduse: Temporarily fail if control queue feature requested", " - x86/fpu: Fix AMD X86_BUG_FXSAVE_LEAK fixup", " - mtd: partitions: redboot: Added conversion of operands to a larger type", " - bpf: Add a check for struct bpf_fib_lookup size", " - RDMA/restrack: Fix potential invalid address access", " - net/iucv: Avoid explicit cpumask var allocation on stack", " - net/dpaa2: Avoid explicit cpumask var allocation on stack", " - crypto: ecdh - explicitly zeroize private_key", " - ALSA: emux: improve patch ioctl data validation", " - media: dvbdev: Initialize sbuf", " - soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message", " - drm/radeon/radeon_display: Decrease the size of allocated memory", " - nvme: fixup comment for nvme RDMA Provider Type", " - drm/panel: simple: Add missing display timing flags for KOE TX26D202VM0BWA", " - gpio: davinci: Validate the obtained number of IRQs", " - gpiolib: cdev: Disallow reconfiguration without direction (uAPI v1)", " - x86: stop playing stack games in profile_pc()", " - parisc: use generic sys_fanotify_mark implementation", " - ocfs2: fix DIO failure due to insufficient transaction credits", " - mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos", " - mmc: sdhci: Do not invert write-protect twice", " - mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro()", " - i2c: testunit: don't erase registers after STOP", " - i2c: testunit: discard write requests while old command is running", " - iio: adc: ad7266: Fix variable checking bug", " - iio: accel: fxls8962af: select IIO_BUFFER & IIO_KFIFO_BUF", " - iio: chemical: bme680: Fix pressure value output", " - iio: chemical: bme680: Fix calibration data variable", " - iio: chemical: bme680: Fix overflows in compensate() functions", " - iio: chemical: bme680: Fix sensor data read operation", " - net: usb: ax88179_178a: improve link status logs", " - usb: gadget: printer: SS+ support", " - usb: gadget: printer: fix races against disable", " - usb: musb: da8xx: fix a resource leak in probe()", " - usb: atm: cxacru: fix endpoint checking in cxacru_bind()", " - usb: dwc3: core: remove lock of otg mode during gadget suspend/resume to", " avoid deadlock", " - serial: 8250_omap: Implementation of Errata i2310", " - tty: mcf: MCF54418 has 10 UARTS", " - net: can: j1939: Initialize unused data in j1939_send_one()", " - net: can: j1939: recover socket queue on CAN bus error during BAM", " transmission", " - net: can: j1939: enhanced error handling for tightly received RTS messages", " in xtp_rx_rts_session_new", " - cpu/hotplug: Fix dynstate assignment in __cpuhp_setup_state_cpuslocked()", " - kbuild: Install dtb files as 0644 in Makefile.dtbinst", " - sh: rework sync_file_range ABI", " - csky, hexagon: fix broken sys_sync_file_range", " - hexagon: fix fadvise64_64 calling conventions", " - drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes", " - drm/amdgpu: avoid using null object of framebuffer", " - drm/i915/gt: Fix potential UAF by revoke of fence registers", " - drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes", " - batman-adv: Don't accept TT entries for out-of-spec VIDs", " - ata: ahci: Clean up sysfs file on error", " - ata: libata-core: Fix double free on error", " - ftruncate: pass a signed offset", " - syscalls: fix compat_sys_io_pgetevents_time64 usage", " - syscalls: fix sys_fanotify_mark prototype", " - pwm: stm32: Refuse too small period requests", " - nfs: Leave pages in the pagecache if readpage failed", " - drivers: fix typo in firmware/efi/memmap.c", " - efi: Correct comment on efi_memmap_alloc", " - efi: memmap: Move manipulation routines into x86 arch tree", " - efi: xen: Set EFI_PARAVIRT for Xen dom0 boot on all architectures", " - efi/x86: Free EFI memory map only when installing a new one.", " - KVM: arm64: vgic-v4: Make the doorbell request robust w.r.t preemption", " - ARM: dts: rockchip: rk3066a: add #sound-dai-cells to hdmi node", " - arm64: dts: rockchip: fix PMIC interrupt pin on ROCK Pi E", " - arm64: dts: rockchip: Add sound-dai-cells for RK3368", " - serial: 8250_omap: Fix Errata i2310 with RX FIFO level check", " - tracing/net_sched: NULL pointer dereference in perf_trace_qdisc_reset()", " - Linux 5.15.162", "", " * Fix L2CAP/LE/CPU/BI-02-C bluetooth certification failure (LP: #2072858) //", " Jammy update: v5.15.162 upstream stable release (LP: #2073765)", " - Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ", "", " * net/sched: Fix conntrack use-after-free (LP: #2073092)", " - net/sched: Fix UAF when resolving a clash", "", " * Jammy update: v5.15.161 upstream stable release (LP: #2072617)", " - x86/tsc: Trust initial offset in architectural TSC-adjust MSRs", " - tty: n_gsm: fix missing receive state reset after mode switch", " - speakup: Fix sizeof() vs ARRAY_SIZE() bug", " - serial: 8250_bcm7271: use default_mux_rate if possible", " - Revert \"r8169: don't try to disable interrupts if NAPI is, scheduled", " already\"", " - r8169: Fix possible ring buffer corruption on fragmented Tx packets.", " - ring-buffer: Fix a race between readers and resize checks", " - tools/latency-collector: Fix -Wformat-security compile warns", " - net: smc91x: Fix m68k kernel compilation for ColdFire CPU", " - nilfs2: fix unexpected freezing of nilfs_segctor_sync()", " - nilfs2: fix potential hang in nilfs_detach_log_writer()", " - fs/ntfs3: Remove max link count info display during driver init", " - fs/ntfs3: Taking DOS names into account during link counting", " - fs/ntfs3: Fix case when index is reused during tree transformation", " - fs/ntfs3: Break dir enumeration if directory contents error", " - ALSA: core: Fix NULL module pointer assignment at card init", " - wifi: cfg80211: fix the order of arguments for trace events of the tx_rx_evt", " class", " - dt-bindings: rockchip: grf: Add missing type to 'pcie-phy' node", " - net: usb: qmi_wwan: add Telit FN920C04 compositions", " - drm/amd/display: Set color_mgmt_changed to true on unsuspend", " - selftests: sud_test: return correct emulated syscall value on RISC-V", " - regulator: irq_helpers: duplicate IRQ name", " - ASoC: rt5645: Fix the electric noise due to the CBJ contacts floating", " - ASoC: dt-bindings: rt5645: add cbj sleeve gpio property", " - regulator: vqmmc-ipq4019: fix module autoloading", " - ASoC: rt715: add vendor clear control register", " - ASoC: rt715-sdca: volume step modification", " - softirq: Fix suspicious RCU usage in __do_softirq()", " - ASoC: da7219-aad: fix usage of device_get_named_child_node()", " - drm/amdkfd: Flush the process wq before creating a kfd_process", " - x86/mm: Remove broken vsyscall emulation code from the page fault code", " - nvme: find numa distance only if controller has valid numa id", " - epoll: be better about file lifetimes", " - openpromfs: finish conversion to the new mount API", " - crypto: bcm - Fix pointer arithmetic", " - mm/slub, kunit: Use inverted data to corrupt kmem cache", " - firmware: raspberrypi: Use correct device for DMA mappings", " - ecryptfs: Fix buffer size for tag 66 packet", " - nilfs2: fix out-of-range warning", " - parisc: add missing export of __cmpxchg_u8()", " - crypto: ccp - drop platform ifdef checks", " - crypto: x86/nh-avx2 - add missing vzeroupper", " - crypto: x86/sha256-avx2 - add missing vzeroupper", " - crypto: x86/sha512-avx2 - add missing vzeroupper", " - s390/cio: fix tracepoint subchannel type field", " - jffs2: prevent xattr node from overflowing the eraseblock", " - soc: mediatek: cmdq: Fix typo of CMDQ_JUMP_RELATIVE", " - null_blk: Fix missing mutex_destroy() at module removal", " - md: fix resync softlockup when bitmap size is less than array size", " - wifi: ath10k: poll service ready message before failing", " - x86/boot: Ignore relocations in .notes sections in walk_relocs() too", " - sched/fair: Add EAS checks before updating root_domain::overutilized", " - qed: avoid truncating work queue length", " - bpf: Pack struct bpf_fib_lookup", " - scsi: ufs: qcom: Perform read back after writing reset bit", " - scsi: ufs: qcom: Perform read back after writing REG_UFS_SYS1CLK_1US", " - scsi: ufs: ufs-qcom: Fix the Qcom register name for offset 0xD0", " - scsi: ufs: ufs-qcom: Clear qunipro_g4_sel for HW version major 5", " - scsi: ufs: qcom: Perform read back after writing unipro mode", " - scsi: ufs: qcom: Perform read back after writing CGC enable", " - scsi: ufs: cdns-pltfrm: Perform read back after writing HCLKDIV", " - scsi: ufs: core: Perform read back after disabling interrupts", " - scsi: ufs: core: Perform read back after disabling UIC_COMMAND_COMPL", " - irqchip/alpine-msi: Fix off-by-one in allocation error path", " - irqchip/loongson-pch-msi: Fix off-by-one on allocation error path", " - ACPI: disable -Wstringop-truncation", " - gfs2: Don't forget to complete delayed withdraw", " - gfs2: Fix \"ignore unlock failures after withdraw\"", " - selftests/bpf: Fix umount cgroup2 error in test_sockmap", " - cpufreq: Reorganize checks in cpufreq_offline()", " - cpufreq: Split cpufreq_offline()", " - cpufreq: Rearrange locking in cpufreq_remove_dev()", " - cpufreq: exit() callback is optional", " - net: export inet_lookup_reuseport and inet6_lookup_reuseport", " - net: remove duplicate reuseport_lookup functions", " - udp: Avoid call to compute_score on multiple sites", " - cppc_cpufreq: Fix possible null pointer dereference", " - scsi: libsas: Fix the failure of adding phy with zero-address to port", " - scsi: hpsa: Fix allocation size for Scsi_Host private data", " - x86/purgatory: Switch to the position-independent small code model", " - thermal/drivers/tsens: Fix null pointer dereference", " - wifi: ath10k: Fix an error code problem in", " ath10k_dbg_sta_write_peer_debug_trigger()", " - wifi: ath10k: populate board data for WCN3990", " - net: dsa: mv88e6xxx: Add support for model-specific pre- and post-reset", " handlers", " - net: dsa: mv88e6xxx: Avoid EEPROM timeout without EEPROM on 88E6250-family", " switches", " - tcp: avoid premature drops in tcp_add_backlog()", " - pwm: sti: Convert to platform remove callback returning void", " - pwm: sti: Prepare removing pwm_chip from driver data", " - pwm: sti: Simplify probe function using devm functions", " - net: give more chances to rcu in netdev_wait_allrefs_any()", " - macintosh/via-macii: Fix \"BUG: sleeping function called from invalid", " context\"", " - wifi: carl9170: add a proper sanity check for endpoints", " - wifi: ar5523: enable proper endpoint verification", " - sh: kprobes: Merge arch_copy_kprobe() into arch_prepare_kprobe()", " - Revert \"sh: Handle calling csum_partial with misaligned data\"", " - selftests/binderfs: use the Makefile's rules, not Make's implicit rules", " - selftests/resctrl: fix clang build failure: use LOCAL_HDRS", " - HID: intel-ish-hid: ipc: Add check for pci_alloc_irq_vectors", " - scsi: bfa: Ensure the copied buf is NUL terminated", " - scsi: qedf: Ensure the copied buf is NUL terminated", " - scsi: qla2xxx: Fix debugfs output for fw_resource_count", " - wifi: mwl8k: initialize cmd->addr[] properly", " - usb: aqc111: stop lying about skb->truesize", " - net: usb: sr9700: stop lying about skb->truesize", " - m68k: Fix spinlock race in kernel thread creation", " - m68k: mac: Fix reboot hang on Mac IIci", " - net: ipv6: fix wrong start position when receive hop-by-hop fragment", " - eth: sungem: remove .ndo_poll_controller to avoid deadlocks", " - net: ethernet: cortina: Locking fixes", " - af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg", " - net: usb: smsc95xx: stop lying about skb->truesize", " - net: openvswitch: fix overwriting ct original tuple for ICMPv6", " - ipv6: sr: add missing seg6_local_exit", " - ipv6: sr: fix incorrect unregister order", " - ipv6: sr: fix invalid unregister error path", " - net/mlx5: Discard command completions in internal error", " - s390/bpf: Emit a barrier for BPF_FETCH instructions", " - mptcp: SO_KEEPALIVE: fix getsockopt support", " - printk: Let no_printk() use _printk()", " - dev_printk: Add and use dev_no_printk()", " - drm/amd/display: Fix potential index out of bounds in color transformation", " function", " - ASoC: Intel: Disable route checks for Skylake boards", " - mtd: core: Report error if first mtd_otp_size() call fails in", " mtd_otp_nvmem_add()", " - mtd: rawnand: hynix: fixed typo", " - fbdev: shmobile: fix snprintf truncation", " - ASoC: kirkwood: Fix potential NULL dereference", " - drm/meson: vclk: fix calculation of 59.94 fractional rates", " - drm/mediatek: Add 0 size check to mtk_drm_gem_obj", " - powerpc/fsl-soc: hide unused const variable", " - fbdev: sisfb: hide unused variables", " - media: ngene: Add dvb_ca_en50221_init return value check", " - media: radio-shark2: Avoid led_names truncations", " - drm: bridge: cdns-mhdp8546: Fix possible null pointer dereference", " - media: ipu3-cio2: Use temporary storage for struct device pointer", " - media: ipu3-cio2: Request IRQ earlier", " - media: dt-bindings: ovti,ov2680: Fix the power supply names", " - fbdev: sh7760fb: allow modular build", " - media: atomisp: ssh_css: Fix a null-pointer dereference in", " load_video_binaries", " - drm/arm/malidp: fix a possible null pointer dereference", " - drm: vc4: Fix possible null pointer dereference", " - ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value", " - drm/bridge: lt8912b: Don't log an error when DSI host can't be found", " - drm/bridge: lt9611: Don't log an error when DSI host can't be found", " - drm/bridge: tc358775: Don't log an error when DSI host can't be found", " - drm/panel: simple: Add missing Innolux G121X1-L03 format, flags, connector", " - drm/mipi-dsi: use correct return type for the DSC functions", " - RDMA/mlx5: Adding remote atomic access flag to updatable flags", " - RDMA/hns: Fix return value in hns_roce_map_mr_sg", " - RDMA/hns: Fix deadlock on SRQ async events.", " - RDMA/hns: Fix GMV table pagesize", " - RDMA/hns: Use complete parentheses in macros", " - RDMA/hns: Modify the print level of CQE error", " - clk: qcom: mmcc-msm8998: fix venus clock issue", " - x86/insn: Fix PUSH instruction in x86 instruction decoder opcode map", " - ext4: avoid excessive credit estimate in ext4_tmpfile()", " - virt: acrn: Prefer array_size and struct_size over open coded arithmetic", " - virt: acrn: stop using follow_pfn", " - drivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map()", " - sunrpc: removed redundant procp check", " - ext4: simplify calculation of blkoff in ext4_mb_new_blocks_simple", " - ext4: fix unit mismatch in ext4_mb_new_blocks_simple", " - ext4: try all groups in ext4_mb_new_blocks_simple", " - ext4: remove unused parameter from ext4_mb_new_blocks_simple()", " - ext4: fix potential unnitialized variable", " - SUNRPC: Fix gss_free_in_token_pages()", " - selftests/kcmp: Make the test output consistent and clear", " - selftests/kcmp: remove unused open mode", " - RDMA/IPoIB: Fix format truncation compilation errors", " - selftests: net: bridge: increase IGMP/MLD exclude timeout membership", " interval", " - net: qrtr: ns: Fix module refcnt", " - netrom: fix possible dead-lock in nr_rt_ioctl()", " - af_packet: do not call packet_read_pending() from tpacket_destruct_skb()", " - sched/fair: Allow disabling sched_balance_newidle with", " sched_relax_domain_level", " - sched/core: Fix incorrect initialization of the 'burst' parameter in", " cpu_max_write()", " - greybus: lights: check return of get_channel_from_mode", " - f2fs: Delete f2fs_copy_page() and replace with memcpy_page()", " - f2fs: fix to wait on page writeback in __clone_blkaddrs()", " - soundwire: cadence: fix invalid PDI offset", " - dmaengine: idma64: Add check for dma_set_max_seg_size", " - firmware: dmi-id: add a release callback function", " - serial: max3100: Lock port->lock when calling uart_handle_cts_change()", " - serial: max3100: Update uart_driver_registered on driver removal", " - serial: max3100: Fix bitwise types", " - greybus: arche-ctrl: move device table to its right location", " - PCI: tegra194: Fix probe path for Endpoint mode", " - serial: sc16is7xx: add proper sched.h include for sched_set_fifo()", " - dt-bindings: PCI: rcar-pci-host: Add optional regulators", " - dt-bindings: PCI: rcar-pci-host: Add missing IOMMU properties", " - f2fs: compress: fix to relocate check condition in", " f2fs_{release,reserve}_compress_blocks()", " - f2fs: convert to use sbi directly", " - f2fs: compress: fix to relocate check condition in", " f2fs_ioc_{,de}compress_file()", " - f2fs: do not allow partial truncation on pinned file", " - f2fs: fix typos in comments", " - f2fs: fix to relocate check condition in f2fs_fallocate()", " - f2fs: fix to check pinfile flag in f2fs_move_file_range()", " - coresight: etm4x: Fix unbalanced pm_runtime_enable()", " - iio: pressure: dps310: support negative temperature values", " - coresight: etm4x: Do not hardcode IOMEM access for register restore", " - coresight: etm4x: Do not save/restore Data trace control registers", " - coresight: no-op refactor to make INSTP0 check more idiomatic", " - coresight: etm4x: Cleanup TRCIDR0 register accesses", " - coresight: etm4x: Safe access for TRCQCLTR", " - coresight: etm4x: Fix access to resource selector registers", " - fpga: region: Use standard dev_release for class driver", " - fpga: region: add owner module and take its refcount", " - microblaze: Remove gcc flag for non existing early_printk.c file", " - microblaze: Remove early printk call from cpuinfo-static.c", " - dt-bindings: pinctrl: mediatek: mt7622: fix array properties", " - watchdog: bd9576_wdt: switch to using devm_fwnode_gpiod_get()", " - watchdog: bd9576: Drop \"always-running\" property", " - usb: gadget: u_audio: Clear uac pointer when freed.", " - stm class: Fix a double free in stm_register_device()", " - ppdev: Remove usage of the deprecated ida_simple_xx() API", " - ppdev: Add an error check in register_device", " - extcon: max8997: select IRQ_DOMAIN instead of depending on it", " - PCI/EDR: Align EDR_PORT_DPC_ENABLE_DSM with PCI Firmware r3.3", " - PCI/EDR: Align EDR_PORT_LOCATE_DSM with PCI Firmware r3.3", " - f2fs: compress: fix to cover {reserve,release}_compress_blocks() w/ cp_rwsem", " lock", " - f2fs: fix to release node block count in error path of f2fs_new_node_page()", " - f2fs: compress: don't allow unaligned truncation on released compress inode", " - serial: sh-sci: protect invalidating RXDMA on shutdown", " - libsubcmd: Fix parse-options memory leak", " - s390/vdso: filter out mno-pic-data-is-text-relative cflag", " - s390/vdso64: filter out munaligned-symbols flag for vdso", " - s390/vdso: Generate unwind information for C modules", " - s390/vdso: Use standard stack frame layout", " - s390/ipl: Fix incorrect initialization of len fields in nvme reipl block", " - s390/ipl: Fix incorrect initialization of nvme dump block", " - s390/boot: Remove alt_stfle_fac_list from decompressor", " - Input: ims-pcu - fix printf string overflow", " - Input: ioc3kbd - convert to platform remove callback returning void", " - Input: ioc3kbd - add device table", " - mmc: sdhci_am654: Add tuning algorithm for delay chain", " - mmc: sdhci_am654: Write ITAPDLY for DDR52 timing", " - mmc: sdhci_am654: Drop lookup for deprecated ti,otap-del-sel", " - mmc: sdhci_am654: Add OTAP/ITAP delay enable", " - mmc: sdhci_am654: Add ITAPDLYSEL in sdhci_j721e_4bit_set_clock", " - mmc: sdhci_am654: Fix ITAPDLY for HS400 timing", " - Input: pm8xxx-vibrator - correct VIB_MAX_LEVELS calculation", " - drm/msm/dsi: Print dual-DSI-adjusted pclk instead of original mode pclk", " - drm/msm/dpu: Always flush the slave INTF on the CTL", " - um: Fix return value in ubd_init()", " - um: vector: fix bpfflash parameter evaluation", " - fs/ntfs3: Use 64 bit variable to avoid 32 bit overflow", " - fs/ntfs3: Use variable length array instead of fixed size", " - drm/bridge: tc358775: fix support for jeida-18 and jeida-24", " - media: stk1160: fix bounds checking in stk1160_copy_video()", " - scsi: qla2xxx: Replace all non-returning strlcpy() with strscpy()", " - Input: cyapa - add missing input core locking to suspend/resume functions", " - media: flexcop-usb: clean up endpoint sanity checks", " - media: flexcop-usb: fix sanity check of bNumEndpoints", " - powerpc/pseries: Add failure related checks for h_get_mpp and h_get_ppp", " - um: Fix the -Wmissing-prototypes warning for __switch_mm", " - media: cec: cec-adap: always cancel work in cec_transmit_msg_fh", " - media: cec: cec-api: add locking in cec_release()", " - media: cec: call enable_adap on s_log_addrs", " - media: cec: abort if the current transmit was canceled", " - media: cec: correctly pass on reply results", " - media: cec: use call_op and check for !unregistered", " - media: cec-adap.c: drop activate_cnt, use state info instead", " - media: cec: core: avoid recursive cec_claim_log_addrs", " - media: cec: core: avoid confusing \"transmit timed out\" message", " - null_blk: Fix the WARNING: modpost: missing MODULE_DESCRIPTION()", " - ASoC: mediatek: mt8192: fix register configuration for tdm", " - regulator: bd71828: Don't overwrite runtime voltages", " - x86/kconfig: Select ARCH_WANT_FRAME_POINTERS again when", " UNWINDER_FRAME_POINTER=y", " - [Config] Update CONFIG_ARCH_WANT_FRAME_POINTERS", " - net: Always descend into dsa/ folder with CONFIG_NET_DSA enabled", " - ipv6: sr: fix missing sk_buff release in seg6_input_core", " - nfc: nci: Fix uninit-value in nci_rx_work", " - ASoC: tas2552: Add TX path for capturing AUDIO-OUT data", " - NFSv4: Fixup smatch warning for ambiguous return", " - sunrpc: fix NFSACL RPC retry on soft mount", " - rpcrdma: fix handling for RDMA_CM_EVENT_DEVICE_REMOVAL", " - af_unix: Update unix_sk(sk)->oob_skb under sk_receive_queue lock.", " - ipv6: sr: fix memleak in seg6_hmac_init_algo", " - tcp: Fix shift-out-of-bounds in dctcp_update_alpha().", " - openvswitch: Set the skbuff pkt_type for proper pmtud support.", " - arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY", " - virtio: delete vq in vp_find_vqs_msix() when request_irq() fails", " - riscv: stacktrace: Make walk_stackframe cross pt_regs frame", " - riscv: stacktrace: fixed walk_stackframe()", " - net: fec: avoid lock evasion when reading pps_enable", " - tls: fix missing memory barrier in tls_init", " - nfc: nci: Fix kcov check in nci_rx_work()", " - nfc: nci: Fix handling of zero-length payload packets in nci_rx_work()", " - ice: Interpret .set_channels() input differently", " - netfilter: nfnetlink_queue: acquire rcu_read_lock() in", " instance_destroy_rcu()", " - netfilter: nft_payload: restore vlan q-in-q match support", " - spi: Don't mark message DMA mapped when no transfer in it is", " - dma-mapping: benchmark: fix node id validation", " - dma-mapping: benchmark: handle NUMA_NO_NODE correctly", " - nvmet: fix ns enable/disable possible hang", " - net: phy: micrel: set soft_reset callback to genphy_soft_reset for KSZ8061", " - net/mlx5e: Fix IPsec tunnel mode offload feature check", " - net/mlx5e: Use rx_missed_errors instead of rx_dropped for reporting buffer", " exhaustion", " - dma-buf/sw-sync: don't enable IRQ from sync_print_obj()", " - bpf: Fix potential integer overflow in resolve_btfids", " - enic: Validate length of nl attributes in enic_set_vf_port", " - net: usb: smsc95xx: fix changing LED_SEL bit value updated from EEPROM", " - bpf: Allow delete from sockmap/sockhash only if update is allowed", " - net:fec: Add fec_enet_deinit()", " - netfilter: nft_payload: move struct nft_payload_set definition where it", " belongs", " - netfilter: nft_payload: rebuild vlan header when needed", " - netfilter: nft_payload: rebuild vlan header on h_proto access", " - netfilter: nft_payload: skbuff vlan metadata mangle support", " - netfilter: tproxy: bail out if IP has been disabled on the device", " - kconfig: fix comparison to constant symbols, 'm', 'n'", " - spi: stm32: Don't warn about spurious interrupts", " - net: ena: Add capabilities field with support for ENI stats capability", " - net: ena: Extract recurring driver reset code into a function", " - net: ena: Do not waste napi skb cache", " - net: ena: Add dynamic recycling mechanism for rx buffers", " - net: ena: Reduce lines with longer column width boundary", " - net: ena: Fix redundant device NUMA node override", " - ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound", " - hwmon: (shtc1) Fix property misspelling", " - ALSA: timer: Set lower bound of start tick time", " - KVM: x86: Don't advertise guest.MAXPHYADDR as host.MAXPHYADDR in CPUID", " - genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline", " - net: ena: Fix DMA syncing in XDP path when SWIOTLB is on", " - media: cec: core: add adap_nb_transmit_canceled() callback", " - SUNRPC: Fix loop termination condition in gss_free_in_token_pages()", " - drm: Check output polling initialized before disabling", " - drm: Check polling initialized before enabling in", " drm_helper_probe_single_connector_modes", " - mmc: core: Do not force a retune before RPMB switch", " - io_uring: fail NOP if non-zero op flags is passed in", " - afs: Don't cross .backup mountpoint from backup volume", " - nilfs2: fix use-after-free of timer for log writer thread", " - mptcp: fix full TCP keep-alive support", " - vxlan: Fix regression when dropping packets due to invalid src addresses", " - net: dsa: sja1105: always enable the INCL_SRCPT option", " - net: dsa: tag_sja1105: always prefer source port information from INCL_SRCPT", " - scripts/gdb: fix SB_* constants parsing", " - sunrpc: exclude from freezer when waiting for requests:", " - f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()", " - media: lgdt3306a: Add a check against null-pointer-def", " - drm/amdgpu: add error handle to avoid out-of-bounds", " - ata: pata_legacy: make legacy_exit() work again", " - thermal/drivers/qcom/lmh: Check for SCM availability at probe", " - soc: qcom: rpmh-rsc: Enhance check for VRM in-flight request", " - ACPI: resource: Do IRQ override on TongFang GXxHRXx and GMxHGxx", " - arm64: tegra: Correct Tegra132 I2C alias", " - arm64: dts: qcom: qcs404: fix bluetooth device address", " - md/raid5: fix deadlock that raid5d() wait for itself to clear", " MD_SB_CHANGE_PENDING", " - wifi: rtl8xxxu: Fix the TX power of RTL8192CU, RTL8723AU", " - wifi: rtlwifi: rtl8192de: Fix low speed with WPA3-SAE", " - wifi: rtlwifi: rtl8192de: Fix endianness issue in RX path", " - arm64: dts: hi3798cv200: fix the size of GICR", " - media: mc: mark the media devnode as registered from the, start", " - media: mxl5xx: Move xpt structures off stack", " - media: v4l2-core: hold videodev_lock until dev reg, finishes", " - mmc: core: Add mmc_gpiod_set_cd_config() function", " - mmc: sdhci-acpi: Sort DMI quirks alphabetically", " - mmc: sdhci-acpi: Fix Lenovo Yoga Tablet 2 Pro 1380 sdcard slot not working", " - mmc: sdhci-acpi: Disable write protect detection on Toshiba WT10-A", " - fbdev: savage: Handle err return when savagefb_check_var failed", " - drm/amdgpu/atomfirmware: add intergrated info v2.3 table", " - KVM: arm64: Fix AArch32 register narrowing on userspace write", " - KVM: arm64: Allow AArch32 PSTATE.M to be restored as System mode", " - crypto: ecdsa - Fix module auto-load on add-key", " - crypto: ecrdsa - Fix module auto-load on add_key", " - crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak", " - net/ipv6: Fix route deleting failure when metric equals 0", " - net/9p: fix uninit-value in p9_client_rpc()", " - intel_th: pci: Add Meteor Lake-S CPU support", " - sparc64: Fix number of online CPUs", " - watchdog: rti_wdt: Set min_hw_heartbeat_ms to accommodate a safety margin", " - kdb: Fix buffer overflow during tab-complete", " - kdb: Use format-strings rather than '\\0' injection in kdb_read()", " - kdb: Fix console handling when editing and tab-completing commands", " - kdb: Merge identical case statements in kdb_read()", " - kdb: Use format-specifiers rather than memset() for padding in kdb_read()", " - net: fix __dst_negative_advice() race", " - sparc: move struct termio to asm/termios.h", " - ext4: set type of ac_groups_linear_remaining to __u32 to avoid overflow", " - ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()", " - s390/ap: Fix crash in AP internal function modify_bitmap()", " - s390/cpacf: Split and rework cpacf query functions", " - s390/cpacf: Make use of invalid opcode produce a link error", " - i3c: master: svc: fix invalidate IBI type and miss call client IBI handler", " - EDAC/igen6: Convert PCIBIOS_* return codes to errnos", " - nfs: fix undefined behavior in nfs_block_bits()", " - NFS: Fix READ_PLUS when server doesn't support OP_READ_PLUS", " - scsi: ufs: ufs-qcom: Clear qunipro_g4_sel for HW major version > 5", " - Linux 5.15.161", "", " * Virtualbox Guru meditation on VM start caused by kernel commit in v6.9-rc4", " (LP: #2073267)", " - SAUCE: Revert \"randomize_kstack: Improve entropy diffusion\"", "", " * CVE-2024-26921", " - inet: inet_defrag: prevent sk release while still in use", "", " * Jammy update: v5.15.162 upstream stable release (LP: #2073765) //", " CVE-2024-39484", " - mmc: davinci: Don't strip remove function when driver is builtin", "", " * CVE-2024-39292", " - um: Add winch to winch_handlers before registering winch IRQ", "", " * CVE-2024-36901", " - ipv6: prevent NULL dereference in ip6_output()", "", " * CVE-2024-26830", " - i40e: Do not allow untrusted VF to remove administratively set MAC", "", " * CVE-2024-26680", " - net: atlantic: Fix DMA mapping for PTP hwts ring", "", " * CVE-2023-52760", " - gfs2: Fix slab-use-after-free in gfs2_qd_dealloc", "", " * CVE-2023-52629", " - sh: push-switch: Reorder cleanup operations to avoid use-after-free bug", "" ], "package": "linux", "version": "5.15.0-120.130", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2075903, 1786013, 2075170, 2074215, 2075170, 2073765, 2072858, 2073765, 2073092, 2072617, 2073267, 2073765 ], "author": "Roxana Nicolescu ", "date": "Fri, 02 Aug 2024 20:11:12 +0200" } ], "notes": "linux-headers-5.15.0-122 version '5.15.0-122.132' (source package linux version '5.15.0-122.132') was added. linux-headers-5.15.0-122 version '5.15.0-122.132' has the same source package name, linux, as removed package linux-headers-5.15.0-119. As such we can use the source package version of the removed package, '5.15.0-119.129', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-headers-5.15.0-122-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-119.129", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.15.0-122.132", "version": "5.15.0-122.132" }, "cves": [ { "cve": "CVE-2024-41009", "url": "https://ubuntu.com/security/CVE-2024-41009", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix overrunning reservations in ringbuf The BPF ring buffer internally is implemented as a power-of-2 sized circular buffer, with two logical and ever-increasing counters: consumer_pos is the consumer counter to show which logical position the consumer consumed the data, and producer_pos which is the producer counter denoting the amount of data reserved by all producers. Each time a record is reserved, the producer that \"owns\" the record will successfully advance producer counter. In user space each time a record is read, the consumer of the data advanced the consumer counter once it finished processing. Both counters are stored in separate pages so that from user space, the producer counter is read-only and the consumer counter is read-write. One aspect that simplifies and thus speeds up the implementation of both producers and consumers is how the data area is mapped twice contiguously back-to-back in the virtual memory, allowing to not take any special measures for samples that have to wrap around at the end of the circular buffer data area, because the next page after the last data page would be first data page again, and thus the sample will still appear completely contiguous in virtual memory. Each record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for book-keeping the length and offset, and is inaccessible to the BPF program. Helpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ` for the BPF program to use. Bing-Jhong and Muhammad reported that it is however possible to make a second allocated memory chunk overlapping with the first chunk and as a result, the BPF program is now able to edit first chunk's header. For example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size of 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to bpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in [0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets allocate a chunk B with size 0x3000. This will succeed because consumer_pos was edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask` check. Chunk B will be in range [0x3008,0x6010], and the BPF program is able to edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned earlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data pages. This means that chunk B at [0x4000,0x4008] is chunk A's header. bpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then locate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk B modified chunk A's header, then bpf_ringbuf_commit() refers to the wrong page and could cause a crash. Fix it by calculating the oldest pending_pos and check whether the range from the oldest outstanding record to the newest would span beyond the ring buffer size. If that is the case, then reject the request. We've tested with the ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh) before/after the fix and while it seems a bit slower on some benchmarks, it is still not significantly enough to matter.", "cve_priority": "medium", "cve_public_date": "2024-07-17 07:15:00 UTC" }, { "cve": "CVE-2024-39494", "url": "https://ubuntu.com/security/CVE-2024-39494", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ima: Fix use-after-free on a dentry's dname.name ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-39496", "url": "https://ubuntu.com/security/CVE-2024-39496", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: fix use-after-free due to race with dev replace While loading a zone's info during creation of a block group, we can race with a device replace operation and then trigger a use-after-free on the device that was just replaced (source device of the replace operation). This happens because at btrfs_load_zone_info() we extract a device from the chunk map into a local variable and then use the device while not under the protection of the device replace rwsem. So if there's a device replace operation happening when we extract the device and that device is the source of the replace operation, we will trigger a use-after-free if before we finish using the device the replace operation finishes and frees the device. Fix this by enlarging the critical section under the protection of the device replace rwsem so that all uses of the device are done inside the critical section.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-42160", "url": "https://ubuntu.com/security/CVE-2024-42160", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: f2fs: check validation of fault attrs in f2fs_build_fault_attr() - It missed to check validation of fault attrs in parse_options(), let's fix to add check condition in f2fs_build_fault_attr(). - Use f2fs_build_fault_attr() in __sbi_store() to clean up code.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-38570", "url": "https://ubuntu.com/security/CVE-2024-38570", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount When a DLM lockspace is released and there ares still locks in that lockspace, DLM will unlock those locks automatically. Commit fb6791d100d1b started exploiting this behavior to speed up filesystem unmount: gfs2 would simply free glocks it didn't want to unlock and then release the lockspace. This didn't take the bast callbacks for asynchronous lock contention notifications into account, which remain active until until a lock is unlocked or its lockspace is released. To prevent those callbacks from accessing deallocated objects, put the glocks that should not be unlocked on the sd_dead_glocks list, release the lockspace, and only then free those glocks. As an additional measure, ignore unexpected ast and bast callbacks if the receiving glock is dead.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-42228", "url": "https://ubuntu.com/security/CVE-2024-42228", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. V2: To really improve the handling we would actually need to have a separate value of 0xffffffff.(Christian)", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-27012", "url": "https://ubuntu.com/security/CVE-2024-27012", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: restore set elements when delete set fails From abort path, nft_mapelem_activate() needs to restore refcounters to the original state. Currently, it uses the set->ops->walk() to iterate over these set elements. The existing set iterator skips inactive elements in the next generation, this does not work from the abort path to restore the original state since it has to skip active elements instead (not inactive ones). This patch moves the check for inactive elements to the set iterator callback, then it reverses the logic for the .activate case which needs to skip active elements. Toggle next generation bit for elements when delete set command is invoked and call nft_clear() from .activate (abort) path to restore the next generation bit. The splat below shows an object in mappings memleak: [43929.457523] ------------[ cut here ]------------ [43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [...] [43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 [43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246 [43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000 [43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550 [43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f [43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0 [43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002 [43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000 [43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0 [43929.458114] Call Trace: [43929.458118] [43929.458121] ? __warn+0x9f/0x1a0 [43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458188] ? report_bug+0x1b1/0x1e0 [43929.458196] ? handle_bug+0x3c/0x70 [43929.458200] ? exc_invalid_op+0x17/0x40 [43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables] [43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables] [43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables] [43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables] [43929.458512] ? rb_insert_color+0x2e/0x280 [43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables] [43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables] [43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables] [43929.458701] ? __rcu_read_unlock+0x46/0x70 [43929.458709] nft_delset+0xff/0x110 [nf_tables] [43929.458769] nft_flush_table+0x16f/0x460 [nf_tables] [43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-26677", "url": "https://ubuntu.com/security/CVE-2024-26677", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix delayed ACKs to not set the reference serial number Fix the construction of delayed ACKs to not set the reference serial number as they can't be used as an RTT reference.", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-26921", "url": "https://ubuntu.com/security/CVE-2024-26921", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: inet: inet_defrag: prevent sk release while still in use ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released. This affects skb fragments reassembled via netfilter or similar modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline. Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing. A relevant old patch about the issue was : 8282f27449bf (\"inet: frag: Always orphan skbs inside ip_defrag()\") [..] net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used. Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this: If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accouting to reflect the fully reassembled skb, else wmem will underflow. This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered. This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue. In the former case, things work as before, skb is orphaned. This is safe because skb gets queued/stolen and won't continue past reasm engine. In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accouting when inet_frag inflates truesize.", "cve_priority": "high", "cve_public_date": "2024-04-18 10:15:00 UTC" }, { "cve": "CVE-2024-39484", "url": "https://ubuntu.com/security/CVE-2024-39484", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: davinci: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in reference: davinci_mmcsd_driver+0x10 (section: .data) -> davinci_mmcsd_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-07-05 07:15:00 UTC" }, { "cve": "CVE-2024-39292", "url": "https://ubuntu.com/security/CVE-2024-39292", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: um: Add winch to winch_handlers before registering winch IRQ Registering a winch IRQ is racy, an interrupt may occur before the winch is added to the winch_handlers list. If that happens, register_winch_irq() adds to that list a winch that is scheduled to be (or has already been) freed, causing a panic later in winch_cleanup(). Avoid the race by adding the winch to the winch_handlers list before registering the IRQ, and rolling back if um_request_irq() fails.", "cve_priority": "medium", "cve_public_date": "2024-06-24 14:15:00 UTC" }, { "cve": "CVE-2024-36901", "url": "https://ubuntu.com/security/CVE-2024-36901", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent NULL dereference in ip6_output() According to syzbot, there is a chance that ip6_dst_idev() returns NULL in ip6_output(). Most places in IPv6 stack deal with a NULL idev just fine, but not here. syzbot reported: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7] CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237 Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202 RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000 RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48 RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0 R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000 FS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: NF_HOOK include/linux/netfilter.h:314 [inline] ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358 sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248 sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653 sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169 sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73 __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234 sctp_connect net/sctp/socket.c:4819 [inline] sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "medium", "cve_public_date": "2024-05-30 16:15:00 UTC" }, { "cve": "CVE-2024-26830", "url": "https://ubuntu.com/security/CVE-2024-26830", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i40e: Do not allow untrusted VF to remove administratively set MAC Currently when PF administratively sets VF's MAC address and the VF is put down (VF tries to delete all MACs) then the MAC is removed from MAC filters and primary VF MAC is zeroed. Do not allow untrusted VF to remove primary MAC when it was set administratively by PF. Reproducer: 1) Create VF 2) Set VF interface up 3) Administratively set the VF's MAC 4) Put VF interface down [root@host ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs [root@host ~]# ip link set enp2s0f0v0 up [root@host ~]# ip link set enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off [root@host ~]# ip link set enp2s0f0v0 down [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-26680", "url": "https://ubuntu.com/security/CVE-2024-26680", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: atlantic: Fix DMA mapping for PTP hwts ring Function aq_ring_hwts_rx_alloc() maps extra AQ_CFG_RXDS_DEF bytes for PTP HWTS ring but then generic aq_ring_free() does not take this into account. Create and use a specific function to free HWTS ring to fix this issue. Trace: [ 215.351607] ------------[ cut here ]------------ [ 215.351612] DMA-API: atlantic 0000:4b:00.0: device driver frees DMA memory with different size [device address=0x00000000fbdd0000] [map size=34816 bytes] [unmap size=32768 bytes] [ 215.351635] WARNING: CPU: 33 PID: 10759 at kernel/dma/debug.c:988 check_unmap+0xa6f/0x2360 ... [ 215.581176] Call Trace: [ 215.583632] [ 215.585745] ? show_trace_log_lvl+0x1c4/0x2df [ 215.590114] ? show_trace_log_lvl+0x1c4/0x2df [ 215.594497] ? debug_dma_free_coherent+0x196/0x210 [ 215.599305] ? check_unmap+0xa6f/0x2360 [ 215.603147] ? __warn+0xca/0x1d0 [ 215.606391] ? check_unmap+0xa6f/0x2360 [ 215.610237] ? report_bug+0x1ef/0x370 [ 215.613921] ? handle_bug+0x3c/0x70 [ 215.617423] ? exc_invalid_op+0x14/0x50 [ 215.621269] ? asm_exc_invalid_op+0x16/0x20 [ 215.625480] ? check_unmap+0xa6f/0x2360 [ 215.629331] ? mark_lock.part.0+0xca/0xa40 [ 215.633445] debug_dma_free_coherent+0x196/0x210 [ 215.638079] ? __pfx_debug_dma_free_coherent+0x10/0x10 [ 215.643242] ? slab_free_freelist_hook+0x11d/0x1d0 [ 215.648060] dma_free_attrs+0x6d/0x130 [ 215.651834] aq_ring_free+0x193/0x290 [atlantic] [ 215.656487] aq_ptp_ring_free+0x67/0x110 [atlantic] ... [ 216.127540] ---[ end trace 6467e5964dd2640b ]--- [ 216.132160] DMA-API: Mapped at: [ 216.132162] debug_dma_alloc_coherent+0x66/0x2f0 [ 216.132165] dma_alloc_attrs+0xf5/0x1b0 [ 216.132168] aq_ring_hwts_rx_alloc+0x150/0x1f0 [atlantic] [ 216.132193] aq_ptp_ring_alloc+0x1bb/0x540 [atlantic] [ 216.132213] aq_nic_init+0x4a1/0x760 [atlantic]", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2023-52760", "url": "https://ubuntu.com/security/CVE-2023-52760", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix slab-use-after-free in gfs2_qd_dealloc In gfs2_put_super(), whether withdrawn or not, the quota should be cleaned up by gfs2_quota_cleanup(). Otherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu callback) has run for all gfs2_quota_data objects, resulting in use-after-free. Also, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called by gfs2_make_fs_ro(), so in gfs2_put_super(), after calling gfs2_make_fs_ro(), there is no need to call them again.", "cve_priority": "medium", "cve_public_date": "2024-05-21 16:15:00 UTC" }, { "cve": "CVE-2023-52629", "url": "https://ubuntu.com/security/CVE-2023-52629", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sh: push-switch: Reorder cleanup operations to avoid use-after-free bug The original code puts flush_work() before timer_shutdown_sync() in switch_drv_remove(). Although we use flush_work() to stop the worker, it could be rescheduled in switch_timer(). As a result, a use-after-free bug can occur. The details are shown below: (cpu 0) | (cpu 1) switch_drv_remove() | flush_work() | ... | switch_timer // timer | schedule_work(&psw->work) timer_shutdown_sync() | ... | switch_work_handler // worker kfree(psw) // free | | psw->state = 0 // use This patch puts timer_shutdown_sync() before flush_work() to mitigate the bugs. As a result, the worker and timer will be stopped safely before the deallocate operations.", "cve_priority": "medium", "cve_public_date": "2024-03-29 10:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2078154, 2076957, 2076100, 2076347, 2076334, 2075903, 1786013, 2075170, 2074215, 2075170, 2073765, 2072858, 2073765, 2073092, 2072617, 2073267, 2073765 ], "changes": [ { "cves": [ { "cve": "CVE-2024-41009", "url": "https://ubuntu.com/security/CVE-2024-41009", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix overrunning reservations in ringbuf The BPF ring buffer internally is implemented as a power-of-2 sized circular buffer, with two logical and ever-increasing counters: consumer_pos is the consumer counter to show which logical position the consumer consumed the data, and producer_pos which is the producer counter denoting the amount of data reserved by all producers. Each time a record is reserved, the producer that \"owns\" the record will successfully advance producer counter. In user space each time a record is read, the consumer of the data advanced the consumer counter once it finished processing. Both counters are stored in separate pages so that from user space, the producer counter is read-only and the consumer counter is read-write. One aspect that simplifies and thus speeds up the implementation of both producers and consumers is how the data area is mapped twice contiguously back-to-back in the virtual memory, allowing to not take any special measures for samples that have to wrap around at the end of the circular buffer data area, because the next page after the last data page would be first data page again, and thus the sample will still appear completely contiguous in virtual memory. Each record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for book-keeping the length and offset, and is inaccessible to the BPF program. Helpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ` for the BPF program to use. Bing-Jhong and Muhammad reported that it is however possible to make a second allocated memory chunk overlapping with the first chunk and as a result, the BPF program is now able to edit first chunk's header. For example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size of 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to bpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in [0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets allocate a chunk B with size 0x3000. This will succeed because consumer_pos was edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask` check. Chunk B will be in range [0x3008,0x6010], and the BPF program is able to edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned earlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data pages. This means that chunk B at [0x4000,0x4008] is chunk A's header. bpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then locate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk B modified chunk A's header, then bpf_ringbuf_commit() refers to the wrong page and could cause a crash. Fix it by calculating the oldest pending_pos and check whether the range from the oldest outstanding record to the newest would span beyond the ring buffer size. If that is the case, then reject the request. We've tested with the ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh) before/after the fix and while it seems a bit slower on some benchmarks, it is still not significantly enough to matter.", "cve_priority": "medium", "cve_public_date": "2024-07-17 07:15:00 UTC" }, { "cve": "CVE-2024-39494", "url": "https://ubuntu.com/security/CVE-2024-39494", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ima: Fix use-after-free on a dentry's dname.name ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-39496", "url": "https://ubuntu.com/security/CVE-2024-39496", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: fix use-after-free due to race with dev replace While loading a zone's info during creation of a block group, we can race with a device replace operation and then trigger a use-after-free on the device that was just replaced (source device of the replace operation). This happens because at btrfs_load_zone_info() we extract a device from the chunk map into a local variable and then use the device while not under the protection of the device replace rwsem. So if there's a device replace operation happening when we extract the device and that device is the source of the replace operation, we will trigger a use-after-free if before we finish using the device the replace operation finishes and frees the device. Fix this by enlarging the critical section under the protection of the device replace rwsem so that all uses of the device are done inside the critical section.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-42160", "url": "https://ubuntu.com/security/CVE-2024-42160", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: f2fs: check validation of fault attrs in f2fs_build_fault_attr() - It missed to check validation of fault attrs in parse_options(), let's fix to add check condition in f2fs_build_fault_attr(). - Use f2fs_build_fault_attr() in __sbi_store() to clean up code.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-38570", "url": "https://ubuntu.com/security/CVE-2024-38570", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount When a DLM lockspace is released and there ares still locks in that lockspace, DLM will unlock those locks automatically. Commit fb6791d100d1b started exploiting this behavior to speed up filesystem unmount: gfs2 would simply free glocks it didn't want to unlock and then release the lockspace. This didn't take the bast callbacks for asynchronous lock contention notifications into account, which remain active until until a lock is unlocked or its lockspace is released. To prevent those callbacks from accessing deallocated objects, put the glocks that should not be unlocked on the sd_dead_glocks list, release the lockspace, and only then free those glocks. As an additional measure, ignore unexpected ast and bast callbacks if the receiving glock is dead.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-42228", "url": "https://ubuntu.com/security/CVE-2024-42228", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. V2: To really improve the handling we would actually need to have a separate value of 0xffffffff.(Christian)", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-27012", "url": "https://ubuntu.com/security/CVE-2024-27012", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: restore set elements when delete set fails From abort path, nft_mapelem_activate() needs to restore refcounters to the original state. Currently, it uses the set->ops->walk() to iterate over these set elements. The existing set iterator skips inactive elements in the next generation, this does not work from the abort path to restore the original state since it has to skip active elements instead (not inactive ones). This patch moves the check for inactive elements to the set iterator callback, then it reverses the logic for the .activate case which needs to skip active elements. Toggle next generation bit for elements when delete set command is invoked and call nft_clear() from .activate (abort) path to restore the next generation bit. The splat below shows an object in mappings memleak: [43929.457523] ------------[ cut here ]------------ [43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [...] [43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 [43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246 [43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000 [43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550 [43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f [43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0 [43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002 [43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000 [43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0 [43929.458114] Call Trace: [43929.458118] [43929.458121] ? __warn+0x9f/0x1a0 [43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458188] ? report_bug+0x1b1/0x1e0 [43929.458196] ? handle_bug+0x3c/0x70 [43929.458200] ? exc_invalid_op+0x17/0x40 [43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables] [43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables] [43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables] [43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables] [43929.458512] ? rb_insert_color+0x2e/0x280 [43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables] [43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables] [43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables] [43929.458701] ? __rcu_read_unlock+0x46/0x70 [43929.458709] nft_delset+0xff/0x110 [nf_tables] [43929.458769] nft_flush_table+0x16f/0x460 [nf_tables] [43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-26677", "url": "https://ubuntu.com/security/CVE-2024-26677", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix delayed ACKs to not set the reference serial number Fix the construction of delayed ACKs to not set the reference serial number as they can't be used as an RTT reference.", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" } ], "log": [ "", " * jammy/linux: 5.15.0-122.132 -proposed tracker (LP: #2078154)", "", " * isolcpus are ignored when using cgroups V2, causing processes to have wrong", " affinity (LP: #2076957)", " - cgroup/cpuset: Optimize cpuset_attach() on v2", "", " * Jammy update: v5.15.164 upstream stable release (LP: #2076100) //", " CVE-2024-41009", " - bpf: Fix overrunning reservations in ringbuf", "", " * CVE-2024-39494", " - ima: Fix use-after-free on a dentry's dname.name", "", " * CVE-2024-39496", " - btrfs: zoned: fix use-after-free due to race with dev replace", "", " * CVE-2024-42160", " - f2fs: check validation of fault attrs in f2fs_build_fault_attr()", " - f2fs: Add inline to f2fs_build_fault_attr() stub", "", " * CVE-2024-38570", " - gfs2: Rename sd_{ glock => kill }_wait", " - gfs2: Fix potential glock use-after-free on unmount", "", " * CVE-2024-42228", " - drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc", "", " * CVE-2024-27012", " - netfilter: nf_tables: restore set elements when delete set fails", "", " * CVE-2024-26677", " - rxrpc: Fix delayed ACKs to not set the reference serial number", "" ], "package": "linux", "version": "5.15.0-122.132", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2078154, 2076957, 2076100 ], "author": "Manuel Diewald ", "date": "Thu, 29 Aug 2024 14:23:02 +0200" }, { "cves": [], "log": [ "", " * jammy/linux: 5.15.0-121.131 -proposed tracker (LP: #2076347)", "", " * jammy:linux bpf selftest do not build (LP: #2076334)", " - SAUCE: Revert \"bpf: Allow reads from uninit stack\"", "" ], "package": "linux", "version": "5.15.0-121.131", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2076347, 2076334 ], "author": "Roxana Nicolescu ", "date": "Fri, 09 Aug 2024 10:15:16 +0200" }, { "cves": [ { "cve": "CVE-2024-26921", "url": "https://ubuntu.com/security/CVE-2024-26921", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: inet: inet_defrag: prevent sk release while still in use ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released. This affects skb fragments reassembled via netfilter or similar modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline. Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing. A relevant old patch about the issue was : 8282f27449bf (\"inet: frag: Always orphan skbs inside ip_defrag()\") [..] net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used. Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this: If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accouting to reflect the fully reassembled skb, else wmem will underflow. This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered. This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue. In the former case, things work as before, skb is orphaned. This is safe because skb gets queued/stolen and won't continue past reasm engine. In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accouting when inet_frag inflates truesize.", "cve_priority": "high", "cve_public_date": "2024-04-18 10:15:00 UTC" }, { "cve": "CVE-2024-39484", "url": "https://ubuntu.com/security/CVE-2024-39484", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: davinci: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in reference: davinci_mmcsd_driver+0x10 (section: .data) -> davinci_mmcsd_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-07-05 07:15:00 UTC" }, { "cve": "CVE-2024-39292", "url": "https://ubuntu.com/security/CVE-2024-39292", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: um: Add winch to winch_handlers before registering winch IRQ Registering a winch IRQ is racy, an interrupt may occur before the winch is added to the winch_handlers list. If that happens, register_winch_irq() adds to that list a winch that is scheduled to be (or has already been) freed, causing a panic later in winch_cleanup(). Avoid the race by adding the winch to the winch_handlers list before registering the IRQ, and rolling back if um_request_irq() fails.", "cve_priority": "medium", "cve_public_date": "2024-06-24 14:15:00 UTC" }, { "cve": "CVE-2024-36901", "url": "https://ubuntu.com/security/CVE-2024-36901", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent NULL dereference in ip6_output() According to syzbot, there is a chance that ip6_dst_idev() returns NULL in ip6_output(). Most places in IPv6 stack deal with a NULL idev just fine, but not here. syzbot reported: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7] CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237 Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202 RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000 RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48 RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0 R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000 FS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: NF_HOOK include/linux/netfilter.h:314 [inline] ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358 sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248 sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653 sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169 sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73 __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234 sctp_connect net/sctp/socket.c:4819 [inline] sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "medium", "cve_public_date": "2024-05-30 16:15:00 UTC" }, { "cve": "CVE-2024-26830", "url": "https://ubuntu.com/security/CVE-2024-26830", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i40e: Do not allow untrusted VF to remove administratively set MAC Currently when PF administratively sets VF's MAC address and the VF is put down (VF tries to delete all MACs) then the MAC is removed from MAC filters and primary VF MAC is zeroed. Do not allow untrusted VF to remove primary MAC when it was set administratively by PF. Reproducer: 1) Create VF 2) Set VF interface up 3) Administratively set the VF's MAC 4) Put VF interface down [root@host ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs [root@host ~]# ip link set enp2s0f0v0 up [root@host ~]# ip link set enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off [root@host ~]# ip link set enp2s0f0v0 down [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-26680", "url": "https://ubuntu.com/security/CVE-2024-26680", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: atlantic: Fix DMA mapping for PTP hwts ring Function aq_ring_hwts_rx_alloc() maps extra AQ_CFG_RXDS_DEF bytes for PTP HWTS ring but then generic aq_ring_free() does not take this into account. Create and use a specific function to free HWTS ring to fix this issue. Trace: [ 215.351607] ------------[ cut here ]------------ [ 215.351612] DMA-API: atlantic 0000:4b:00.0: device driver frees DMA memory with different size [device address=0x00000000fbdd0000] [map size=34816 bytes] [unmap size=32768 bytes] [ 215.351635] WARNING: CPU: 33 PID: 10759 at kernel/dma/debug.c:988 check_unmap+0xa6f/0x2360 ... [ 215.581176] Call Trace: [ 215.583632] [ 215.585745] ? show_trace_log_lvl+0x1c4/0x2df [ 215.590114] ? show_trace_log_lvl+0x1c4/0x2df [ 215.594497] ? debug_dma_free_coherent+0x196/0x210 [ 215.599305] ? check_unmap+0xa6f/0x2360 [ 215.603147] ? __warn+0xca/0x1d0 [ 215.606391] ? check_unmap+0xa6f/0x2360 [ 215.610237] ? report_bug+0x1ef/0x370 [ 215.613921] ? handle_bug+0x3c/0x70 [ 215.617423] ? exc_invalid_op+0x14/0x50 [ 215.621269] ? asm_exc_invalid_op+0x16/0x20 [ 215.625480] ? check_unmap+0xa6f/0x2360 [ 215.629331] ? mark_lock.part.0+0xca/0xa40 [ 215.633445] debug_dma_free_coherent+0x196/0x210 [ 215.638079] ? __pfx_debug_dma_free_coherent+0x10/0x10 [ 215.643242] ? slab_free_freelist_hook+0x11d/0x1d0 [ 215.648060] dma_free_attrs+0x6d/0x130 [ 215.651834] aq_ring_free+0x193/0x290 [atlantic] [ 215.656487] aq_ptp_ring_free+0x67/0x110 [atlantic] ... [ 216.127540] ---[ end trace 6467e5964dd2640b ]--- [ 216.132160] DMA-API: Mapped at: [ 216.132162] debug_dma_alloc_coherent+0x66/0x2f0 [ 216.132165] dma_alloc_attrs+0xf5/0x1b0 [ 216.132168] aq_ring_hwts_rx_alloc+0x150/0x1f0 [atlantic] [ 216.132193] aq_ptp_ring_alloc+0x1bb/0x540 [atlantic] [ 216.132213] aq_nic_init+0x4a1/0x760 [atlantic]", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2023-52760", "url": "https://ubuntu.com/security/CVE-2023-52760", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix slab-use-after-free in gfs2_qd_dealloc In gfs2_put_super(), whether withdrawn or not, the quota should be cleaned up by gfs2_quota_cleanup(). Otherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu callback) has run for all gfs2_quota_data objects, resulting in use-after-free. Also, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called by gfs2_make_fs_ro(), so in gfs2_put_super(), after calling gfs2_make_fs_ro(), there is no need to call them again.", "cve_priority": "medium", "cve_public_date": "2024-05-21 16:15:00 UTC" }, { "cve": "CVE-2023-52629", "url": "https://ubuntu.com/security/CVE-2023-52629", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sh: push-switch: Reorder cleanup operations to avoid use-after-free bug The original code puts flush_work() before timer_shutdown_sync() in switch_drv_remove(). Although we use flush_work() to stop the worker, it could be rescheduled in switch_timer(). As a result, a use-after-free bug can occur. The details are shown below: (cpu 0) | (cpu 1) switch_drv_remove() | flush_work() | ... | switch_timer // timer | schedule_work(&psw->work) timer_shutdown_sync() | ... | switch_work_handler // worker kfree(psw) // free | | psw->state = 0 // use This patch puts timer_shutdown_sync() before flush_work() to mitigate the bugs. As a result, the worker and timer will be stopped safely before the deallocate operations.", "cve_priority": "medium", "cve_public_date": "2024-03-29 10:15:00 UTC" } ], "log": [ "", " * jammy/linux: 5.15.0-120.130 -proposed tracker (LP: #2075903)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.master/dkms-versions -- update from kernel-versions", " (main/2024.08.05)", "", " * Jammy update: v5.15.163 upstream stable release (LP: #2075170)", " - Compiler Attributes: Add __uninitialized macro", " - locking/mutex: Introduce devm_mutex_init()", " - drm/lima: fix shared irq handling on driver remove", " - media: dvb: as102-fe: Fix as10x_register_addr packing", " - media: dvb-usb: dib0700_devices: Add missing release_firmware()", " - IB/core: Implement a limit on UMAD receive List", " - scsi: qedf: Make qedf_execute_tmf() non-preemptible", " - crypto: aead,cipher - zeroize key buffer after use", " - drm/amdgpu: Initialize timestamp for some legacy SOCs", " - drm/amd/display: Check index msg_id before read or write", " - drm/amd/display: Check pipe offset before setting vblank", " - drm/amd/display: Skip finding free audio for unknown engine_id", " - media: dw2102: Don't translate i2c read into write", " - sctp: prefer struct_size over open coded arithmetic", " - firmware: dmi: Stop decoding on broken entry", " - Input: ff-core - prefer struct_size over open coded arithmetic", " - wifi: mt76: replace skb_put with skb_put_zero", " - net: dsa: mv88e6xxx: Correct check for empty list", " - media: dvb-frontends: tda18271c2dd: Remove casting during div", " - media: s2255: Use refcount_t instead of atomic_t for num_channels", " - media: dvb-frontends: tda10048: Fix integer overflow", " - i2c: i801: Annotate apanel_addr as __ro_after_init", " - powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for CONFIG_PCI=n", " - orangefs: fix out-of-bounds fsid access", " - kunit: Fix timeout message", " - powerpc/xmon: Check cpu id in commands \"c#\", \"dp#\" and \"dx#\"", " - igc: fix a log entry using uninitialized netdev", " - bpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD", " - jffs2: Fix potential illegal address access in jffs2_free_inode", " - s390/pkey: Wipe sensitive data on failure", " - tools/power turbostat: Remember global max_die_id", " - UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open()", " - tcp_metrics: validate source addr length", " - KVM: s390: fix LPSWEY handling", " - e1000e: Fix S0ix residency on corporate systems", " - net: allow skb_datagram_iter to be called from any context", " - wifi: wilc1000: fix ies_len type in connect path", " - riscv: kexec: Avoid deadlock in kexec crash path", " - netfilter: nf_tables: unconditionally flush pending work before notifier", " - bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()", " - selftests: fix OOM in msg_zerocopy selftest", " - selftests: make order checking verbose in msg_zerocopy selftest", " - inet_diag: Initialize pad field in struct inet_diag_req_v2", " - gpiolib: of: factor out code overriding gpio line polarity", " - gpiolib: of: add a quirk for reset line polarity for Himax LCDs", " - gpiolib: of: add polarity quirk for TSC2005", " - Revert \"igc: fix a log entry using uninitialized netdev\"", " - nilfs2: fix inode number range checks", " - nilfs2: add missing check for inode numbers on directory entries", " - mm: optimize the redundant loop of mm_update_owner_next()", " - mm: avoid overflows in dirty throttling logic", " - btrfs: fix adding block group to a reclaim list and the unused list during", " reclaim", " - Bluetooth: qca: Fix BT enable failure again for QCA6390 after warm reboot", " - can: kvaser_usb: Explicitly initialize family in leafimx driver_info struct", " - fsnotify: Do not generate events for O_PATH file descriptors", " - Revert \"mm/writeback: fix possible divide-by-zero in wb_dirty_limits(),", " again\"", " - drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes", " - drm/amdgpu/atomfirmware: silence UBSAN warning", " - mtd: rawnand: Ensure ECC configuration is propagated to upper layers", " - mtd: rawnand: Bypass a couple of sanity checks during NAND identification", " - mtd: rawnand: rockchip: ensure NVDDR timings are rejected", " - ima: Avoid blocking in RCU read-side critical section", " - media: dw2102: fix a potential buffer overflow", " - clk: qcom: gcc-sm6350: Fix gpll6* & gpll7 parents", " - i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr", " - fs/ntfs3: Mark volume as dirty if xattr is broken", " - ALSA: hda/realtek: Enable headset mic of JP-IK LEAP W502 with ALC897", " - nvme-multipath: find NUMA path only for online numa-node", " - dma-mapping: benchmark: avoid needless copy_to_user if benchmark fails", " - nvme: adjust multiples of NVME_CTRL_PAGE_SIZE in offset", " - regmap-i2c: Subtract reg size from max_write", " - platform/x86: touchscreen_dmi: Add info for GlobalSpace SolT IVW 11.6\"", " tablet", " - platform/x86: touchscreen_dmi: Add info for the EZpad 6s Pro", " - nvmet: fix a possible leak when destroy a ctrl during qp establishment", " - kbuild: fix short log for AS in link-vmlinux.sh", " - nfc/nci: Add the inconsistency check between the input data length and count", " - null_blk: Do not allow runt zone with zone capacity smaller then zone size", " - nilfs2: fix incorrect inode allocation from reserved inodes", " - mm: prevent derefencing NULL ptr in pfn_section_valid()", " - filelock: fix potential use-after-free in posix_lock_inode", " - fs/dcache: Re-use value stored to dentry->d_flags instead of re-reading", " - vfs: don't mod negative dentry count when on shrinker list", " - tcp: fix incorrect undo caused by DSACK of TLP retransmit", " - skmsg: Skip zero length skb in sk_msg_recvmsg", " - octeontx2-af: Fix incorrect value output on error path in", " rvu_check_rsrc_availability()", " - net: fix rc7's __skb_datagram_iter()", " - i40e: Fix XDP program unloading while removing the driver", " - net: lantiq_etop: add blank line after declaration", " - net: ethernet: lantiq_etop: fix double free in detach", " - net: ethernet: mtk-star-emac: set mac_managed_pm when probing", " - ppp: reject claimed-as-LCP but actually malformed packets", " - ethtool: netlink: do not return SQI value if link is down", " - udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().", " - s390: Mark psw in __load_psw_mask() as __unitialized", " - ARM: davinci: Convert comma to semicolon", " - octeontx2-af: replace cpt slot with lf id on reg write", " - octeontx2-af: update cpt lf alloc mailbox", " - octeontx2-af: fix a issue with cpt_lf_alloc mailbox", " - octeontx2-af: fix detection of IP layer", " - octeontx2-af: extend RSS supported offload types", " - octeontx2-af: fix issue with IPv6 ext match for RSS", " - octeontx2-af: fix issue with IPv4 match for RSS", " - tcp: use signed arithmetic in tcp_rtx_probe0_timed_out()", " - tcp: avoid too many retransmit packets", " - net: ks8851: Fix potential TX stall after interface reopen", " - USB: serial: option: add Telit generic core-dump composition", " - USB: serial: option: add Telit FN912 rmnet compositions", " - USB: serial: option: add Fibocom FM350-GL", " - USB: serial: option: add support for Foxconn T99W651", " - USB: serial: option: add Netprisma LCUK54 series modules", " - USB: serial: option: add Rolling RW350-GL variants", " - USB: serial: mos7840: fix crash on resume", " - USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k", " - usb: gadget: configfs: Prevent OOB read/write in usb_string_copy()", " - USB: core: Fix duplicate endpoint bug by clearing reserved bits in the", " descriptor", " - hpet: Support 32-bit userspace", " - nvmem: rmem: Fix return value of rmem_read()", " - nvmem: meson-efuse: Fix return value of nvmem callbacks", " - nvmem: core: only change name to fram for current attribute", " - ALSA: hda/realtek: add quirk for Clevo V5[46]0TU", " - ALSA: hda/realtek: Enable Mute LED on HP 250 G7", " - ALSA: hda/realtek: Limit mic boost on VAIO PRO PX", " - Fix userfaultfd_api to return EINVAL as expected", " - libceph: fix race between delayed_work() and ceph_monc_stop()", " - wireguard: allowedips: avoid unaligned 64-bit memory accesses", " - wireguard: queueing: annotate intentional data race in cpu round robin", " - wireguard: send: annotate intentional data race in checking empty queue", " - ipv6: annotate data-races around cnf.disable_ipv6", " - bpf: Allow reads from uninit stack", " - nilfs2: fix kernel bug on rename operation of broken directory", " - i2c: rcar: bring hardware to known state when probing", " - i2c: mark HostNotify target address as used", " - i2c: rcar: Add R-Car Gen4 support", " - i2c: rcar: reset controller is mandatory for Gen3+", " - i2c: rcar: introduce Gen4 devices", " - i2c: rcar: ensure Gen3+ reset does not disturb local targets", " - i2c: testunit: avoid re-issued work after read message", " - i2c: rcar: clear NO_RXDMA flag after resetting", " - x86/entry/64: Remove obsolete comment on tracing vs. SYSRET", " - x86/bhi: Avoid warning in #DB handler due to BHI mitigation", " - kbuild: Make ld-version.sh more robust against version string changes", " - i2c: rcar: fix error code in probe()", " - Linux 5.15.163", "", " * [SRU] UBSAN warnings in bnx2x kernel driver (LP: #2074215) // Jammy update:", " v5.15.163 upstream stable release (LP: #2075170)", " - bnx2x: Fix multiple UBSAN array-index-out-of-bounds", "", " * Jammy update: v5.15.162 upstream stable release (LP: #2073765)", " - mmc: davinci_mmc: Convert to platform remove callback returning void", " - wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects", " - wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()", " - wifi: cfg80211: Lock wiphy in cfg80211_get_station", " - wifi: cfg80211: pmsr: use correct nla_get_uX functions", " - wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64", " - wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef", " - wifi: iwlwifi: mvm: check n_ssids before accessing the ssids", " - wifi: iwlwifi: mvm: don't read past the mfuart notifcation", " - wifi: mac80211: correctly parse Spatial Reuse Parameter Set element", " - net/ncsi: Simplify Kconfig/dts control flow", " - net/ncsi: Fix the multi thread manner of NCSI driver", " - ipv6: sr: block BH in seg6_output_core() and seg6_input_core()", " - bpf: Set run context for rawtp test_run callback", " - octeontx2-af: Always allocate PF entries from low prioriy zone", " - net: sched: sch_multiq: fix possible OOB write in multiq_tune()", " - vxlan: Fix regression when dropping packets due to invalid src addresses", " - tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB", " - net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP", " - ptp: Fix error message on failed pin verification", " - af_unix: Set sk->sk_state under unix_state_lock() for truly disconencted", " peer.", " - af_unix: Annodate data-races around sk->sk_state for writers.", " - af_unix: Annotate data-race of sk->sk_state in unix_inq_len().", " - af_unix: Annotate data-races around sk->sk_state in unix_write_space() and", " poll().", " - net: inline sock_prot_inuse_add()", " - net: drop nopreempt requirement on sock_prot_inuse_add()", " - af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().", " - af_unix: Annotate data-races around sk->sk_state in sendmsg() and recvmsg().", " - af_unix: Annotate data-race of sk->sk_state in unix_stream_read_skb().", " - af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG.", " - af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen.", " - af_unix: Use unix_recvq_full_lockless() in unix_stream_connect().", " - af_unix: annotate lockless accesses to sk->sk_err", " - af_unix: Use skb_queue_empty_lockless() in unix_release_sock().", " - af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen().", " - af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill().", " - ipv6: fix possible race in __fib6_drop_pcpu_from()", " - usb: gadget: f_fs: use io_data->status consistently", " - usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete", " - iio: accel: mxc4005: Reset chip on probe() and resume()", " - drm/amd/display: Handle Y carry-over in VCP X.Y calculation", " - drm/amd/display: Clean up some inconsistent indenting", " - drm/amd/display: drop unnecessary NULL checks in debugfs", " - drm/amd/display: Fix incorrect DSC instance for MST", " - pvpanic: Keep single style across modules", " - pvpanic: Indentation fixes here and there", " - misc/pvpanic: deduplicate common code", " - misc/pvpanic-pci: register attributes via pci_driver", " - skbuff: introduce skb_pull_data", " - Bluetooth: hci_qca: mark OF related data as maybe unused", " - Bluetooth: btqca: use le32_to_cpu for ver.soc_id", " - Bluetooth: btqca: Add WCN3988 support", " - Bluetooth: qca: use switch case for soc type behavior", " - Bluetooth: qca: add support for QCA2066", " - Bluetooth: qca: fix info leak when fetching fw build id", " - serial: sc16is7xx: replace hardcoded divisor value with BIT() macro", " - serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler", " - x86/ibt,ftrace: Search for __fentry__ location", " - ftrace: Fix possible use-after-free issue in ftrace_location()", " - i2c: add fwnode APIs", " - i2c: acpi: Unbind mux adapters before delete", " - cma: factor out minimum alignment requirement", " - mm/cma: drop incorrect alignment check in cma_init_reserved_mem", " - selftests/mm: compaction_test: fix incorrect write of zero to nr_hugepages", " - selftests/mm: conform test to TAP format output", " - selftests/mm: compaction_test: fix bogus test success on Aarch64", " - wifi: ath10k: fix QCOM_RPROC_COMMON dependency", " - btrfs: fix leak of qgroup extent records after transaction abort", " - nilfs2: Remove check for PageError", " - nilfs2: return the mapped address from nilfs_get_page()", " - nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors", " - USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages", " - usb: typec: tcpm: Ignore received Hard Reset in TOGGLING state", " - mei: me: release irq in mei_me_pci_resume error path", " - jfs: xattr: fix buffer overflow for invalid xattr", " - xhci: Set correct transferred length for cancelled bulk transfers", " - xhci: Apply reset resume quirk to Etron EJ188 xHCI host", " - xhci: Handle TD clearing for multiple streams case", " - xhci: Apply broken streams quirk to Etron EJ188 xHCI host", " - scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory", " - powerpc/uaccess: Fix build errors seen with GCC 13/14", " - Input: try trimming too long modalias strings", " - clk: sifive: Do not register clkdevs for PRCI clocks", " - SUNRPC: return proper error from gss_wrap_req_priv", " - platform/x86: dell-smbios-base: Use sysfs_emit()", " - platform/x86: dell-smbios: Fix wrong token data in sysfs", " - gpio: tqmx86: fix typo in Kconfig label", " - gpio: tqmx86: store IRQ trigger type and unmask status separately", " - HID: core: remove unnecessary WARN_ON() in implement()", " - iommu/amd: Introduce pci segment structure", " - iommu/amd: Fix sysfs leak in iommu init", " - iommu: Return right value in iommu_sva_bind_device()", " - HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode()", " - drm/vmwgfx: 3D disabled should not effect STDU memory limits", " - net: sfp: Always call `sfp_sm_mod_remove()` on remove", " - net: hns3: fix kernel crash problem in concurrent scenario", " - net: hns3: add cond_resched() to hns3 ring buffer init process", " - liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet", " - drm/komeda: check for error-valued pointer", " - drm/bridge/panel: Fix runtime warning on panel bridge release", " - tcp: fix race in tcp_v6_syn_recv_sock()", " - net/mlx5e: Fix features validation check for tunneled UDP (non-VXLAN)", " packets", " - netfilter: ipset: Fix race between namespace cleanup and gc in the list:set", " type", " - net: stmmac: replace priv->speed with the portTransmitRate from the tc-cbs", " parameters", " - net/ipv6: Fix the RT cache flush via sysctl using a previous delay", " - ionic: fix use after netif_napi_del()", " - af_unix: Read with MSG_PEEK loops if the first unread byte is OOB", " - iio: adc: ad9467: fix scan type sign", " - iio: dac: ad5592r: fix temperature channel scaling value", " - iio: imu: inv_icm42600: delete unneeded update watermark call", " - drivers: core: synchronize really_probe() and dev_uevent()", " - drm/exynos/vidi: fix memory leak in .get_modes()", " - drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found", " - mptcp: ensure snd_una is properly initialized on connect", " - tracing/selftests: Fix kprobe event name test for .isra. functions", " - null_blk: Print correct max open zones limit in null_init_zoned_dev()", " - sock_map: avoid race between sock_map_close and sk_psock_put", " - vmci: prevent speculation leaks by sanitizing event in event_deliver()", " - spmi: hisi-spmi-controller: Do not override device identifier", " - knfsd: LOOKUP can return an illegal error value", " - fs/proc: fix softlockup in __read_vmcore", " - ocfs2: use coarse time for new created files", " - ocfs2: fix races between hole punching and AIO+DIO", " - PCI: rockchip-ep: Remove wrong mask on subsys_vendor_id", " - dmaengine: axi-dmac: fix possible race in remove()", " - intel_th: pci: Add Granite Rapids support", " - intel_th: pci: Add Granite Rapids SOC support", " - intel_th: pci: Add Sapphire Rapids SOC support", " - intel_th: pci: Add Meteor Lake-S support", " - intel_th: pci: Add Lunar Lake support", " - nilfs2: fix potential kernel bug due to lack of writeback flag waiting", " - tick/nohz_full: Don't abuse smp_call_function_single() in", " tick_setup_device()", " - scsi: mpi3mr: Fix ATA NCQ priority support", " - mm/huge_memory: don't unpoison huge_zero_folio", " - serial: 8250_pxa: Configure tx_loadsz to match FIFO IRQ level", " - hugetlb_encode.h: fix undefined behaviour (34 << 26)", " - mptcp: pm: inc RmAddr MIB counter once per RM_ADDR ID", " - mptcp: pm: update add_addr counters after connect", " - kbuild: Remove support for Clang's ThinLTO caching", " - greybus: Fix use-after-free bug in gb_interface_release due to race", " condition.", " - usb-storage: alauda: Check whether the media is initialized", " - i2c: at91: Fix the functionality flags of the slave-only interface", " - i2c: designware: Fix the functionality flags of the slave-only interface", " - zap_pid_ns_processes: clear TIF_NOTIFY_SIGNAL along with TIF_SIGPENDING", " - Bluetooth: qca: Fix error code in qca_read_fw_build_info()", " - Bluetooth: qca: fix info leak when fetching board id", " - padata: Disable BH when taking works lock on MT path", " - crypto: hisilicon/sec - Fix memory leak for sec resource release", " - rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment", " - rcutorture: Make stall-tasks directly exit when rcutorture tests end", " - rcutorture: Fix invalid context warning when enable srcu barrier testing", " - block/ioctl: prefer different overflow check", " - selftests/bpf: Prevent client connect before server bind in", " test_tc_tunnel.sh", " - selftests/bpf: Fix flaky test btf_map_in_map/lookup_update", " - batman-adv: bypass empty buckets in batadv_purge_orig_ref()", " - wifi: ath9k: work around memset overflow warning", " - af_packet: avoid a false positive warning in packet_setsockopt()", " - drop_monitor: replace spin_lock by raw_spin_lock", " - scsi: qedi: Fix crash while reading debugfs attribute", " - kselftest: arm64: Add a null pointer check", " - netpoll: Fix race condition in netpoll_owner_active", " - HID: Add quirk for Logitech Casa touchpad", " - ACPI: video: Add backlight=native quirk for Lenovo Slim 7 16ARH7", " - Bluetooth: ath3k: Fix multiple issues reported by checkpatch.pl", " - drm/amd/display: Exit idle optimizations before HDCP execution", " - drm/lima: add mask irq callback to gp and pp", " - drm/lima: mask irqs in timeout path before hard reset", " - powerpc/pseries: Enforce hcall result buffer validity and size", " - powerpc/io: Avoid clang null pointer arithmetic warnings", " - power: supply: cros_usbpd: provide ID table for avoiding fallback match", " - iommu/arm-smmu-v3: Free MSIs in case of ENOMEM", " - f2fs: remove clear SB_INLINECRYPT flag in default_options", " - usb: misc: uss720: check for incompatible versions of the Belkin F5U002", " - Avoid hw_desc array overrun in dw-axi-dmac", " - udf: udftime: prevent overflow in udf_disk_stamp_to_time()", " - PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports", " - MIPS: Octeon: Add PCIe link status check", " - serial: imx: Introduce timeout when waiting on transmitter empty", " - serial: exar: adding missing CTI and Exar PCI ids", " - MIPS: Routerboard 532: Fix vendor retry check code", " - mips: bmips: BCM6358: make sure CBR is correctly set", " - tracing: Build event generation tests only as modules", " - cipso: fix total option length computation", " - netrom: Fix a memory leak in nr_heartbeat_expiry()", " - ipv6: prevent possible NULL deref in fib6_nh_init()", " - ipv6: prevent possible NULL dereference in rt6_probe()", " - xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()", " - netns: Make get_net_ns() handle zero refcount net", " - qca_spi: Make interrupt remembering atomic", " - net/sched: act_api: rely on rcu in tcf_idr_check_alloc", " - net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()", " - tipc: force a dst refcount before doing decryption", " - net/sched: act_ct: set 'net' pointer when creating new nf_flow_table", " - sched: act_ct: add netns into the key of tcf_ct_flow_table", " - ptp: fix integer overflow in max_vclocks_store", " - net: stmmac: No need to calculate speed divider when offload is disabled", " - virtio_net: checksum offloading handling fix", " - octeontx2-pf: Add error handling to VLAN unoffload handling", " - netfilter: ipset: Fix suspicious rcu_dereference_protected()", " - seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6", " behaviors", " - bnxt_en: Restore PTP tx_avail count in case of skb_pad() error", " - net: usb: rtl8150 fix unintiatilzed variables in rtl8150_get_link_ksettings", " - regulator: core: Fix modpost error \"regulator_get_regmap\" undefined", " - dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list", " - dmaengine: ioat: switch from 'pci_' to 'dma_' API", " - dmaengine: ioat: Drop redundant pci_enable_pcie_error_reporting()", " - dmaengine: ioatdma: Fix leaking on version mismatch", " - dmaengine: ioat: use PCI core macros for PCIe Capability", " - dmaengine: ioatdma: Fix error path in ioat3_dma_probe()", " - dmaengine: ioatdma: Fix kmemleak in ioat_pci_probe()", " - dmaengine: ioatdma: Fix missing kmem_cache_destroy()", " - regulator: bd71815: fix ramp values", " - ACPICA: Revert \"ACPICA: avoid Info: mapping multiple BARs. Your kernel is", " fine.\"", " - RDMA/mlx5: Add check for srq max_sge attribute", " - serial: stm32: rework RX over DMA", " - net: do not leave a dangling sk pointer, when socket creation fails", " - btrfs: retry block group reclaim without infinite loop", " - KVM: x86: Always sync PIR to IRR prior to scanning I/O APIC routes", " - ALSA: hda/realtek: Limit mic boost on N14AP7", " - drm/i915/mso: using joiner is not possible with eDP MSO", " - drm/radeon: fix UBSAN warning in kv_dpm.c", " - gcov: add support for GCC 14", " - kcov: don't lose track of remote references during softirqs", " - tcp: clear tp->retrans_stamp in tcp_rcv_fastopen_synack()", " - i2c: ocores: set IACK bit after core is enabled", " - dt-bindings: i2c: google,cros-ec-i2c-tunnel: correct path to i2c-controller", " schema", " - arm64: dts: imx8qm-mek: fix gpio number for reg_usdhc2_vmmc", " - drm/amd/display: revert Exit idle optimizations before HDCP execution", " - perf: script: add raw|disasm arguments to --insn-trace option", " - perf script: Show also errors for --insn-trace option", " - ARM: dts: samsung: smdkv310: fix keypad no-autorepeat", " - ARM: dts: samsung: exynos4412-origen: fix keypad no-autorepeat", " - ARM: dts: samsung: smdk4412: fix keypad no-autorepeat", " - rtlwifi: rtl8192de: Style clean-ups", " - wifi: rtlwifi: rtl8192de: Fix 5 GHz TX power", " - pmdomain: ti-sci: Fix duplicate PD referrals", " - bcache: fix variable length array abuse in btree_iter", " - tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test", " - x86/cpu/vfm: Add new macros to work with (vendor/family/model) values", " - x86/cpu: Fix x86_match_cpu() to match just X86_VENDOR_INTEL", " - ksmbd: ignore trailing slashes in share paths", " - drm/i915/gt: Only kick the signal worker if there's been an update", " - drm/i915/gt: Disarm breadcrumbs if engines are already idle", " - Revert \"kheaders: substituting --sort in archive creation\"", " - kheaders: explicitly define file modes for archived headers", " - riscv: mm: init: try best to use IS_ENABLED(CONFIG_64BIT) instead of #ifdef", " - riscv: fix overlap of allocated page and PTR_ERR", " - perf/core: Fix missing wakeup when waiting for context reference", " - PCI: Add PCI_ERROR_RESPONSE and related definitions", " - x86/amd_nb: Check for invalid SMN reads", " - smb: client: fix deadlock in smb2_find_smb_tcon()", " - ACPI: x86: utils: Add Picasso to the list for forcing StorageD3Enable", " - ACPI: x86: Force StorageD3Enable on more products", " - gve: Add RX context.", " - gve: Clear napi->skb before dev_kfree_skb_any()", " - Input: ili210x - fix ili251x_read_touch_data() return value", " - pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER", " - pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins", " - pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins", " - pinctrl: rockchip: use dedicated pinctrl type for RK3328", " - pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set", " - cifs: fix typo in module parameter enable_gcm_256", " - drm/amdgpu: fix UBSAN warning in kv_dpm.c", " - net: mdio: add helpers to extract clause 45 regad and devad fields", " - net: stmmac: Assign configured channel value to EXTTS event", " - ASoC: fsl-asoc-card: set priv->pdev before using it", " - net: dsa: microchip: fix initial port flush problem", " - ibmvnic: Free any outstanding tx skbs during scrq reset", " - net: phy: micrel: add Microchip KSZ 9477 to the device table", " - xdp: Remove WARN() from __xdp_reg_mem_model()", " - tcp: Use BPF timeout setting for SYN ACK RTO", " - Fix race for duplicate reqsk on identical SYN", " - sparc: fix old compat_sys_select()", " - sparc: fix compat recv/recvfrom syscalls", " - parisc: use correct compat recv/recvfrom syscalls", " - tcp: fix tcp_rcv_fastopen_synack() to enter TCP_CA_Loss for failed TFO", " - netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data", " registers", " - bpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro()", " - drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep", " - vduse: validate block features only with block devices", " - vduse: Temporarily fail if control queue feature requested", " - x86/fpu: Fix AMD X86_BUG_FXSAVE_LEAK fixup", " - mtd: partitions: redboot: Added conversion of operands to a larger type", " - bpf: Add a check for struct bpf_fib_lookup size", " - RDMA/restrack: Fix potential invalid address access", " - net/iucv: Avoid explicit cpumask var allocation on stack", " - net/dpaa2: Avoid explicit cpumask var allocation on stack", " - crypto: ecdh - explicitly zeroize private_key", " - ALSA: emux: improve patch ioctl data validation", " - media: dvbdev: Initialize sbuf", " - soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message", " - drm/radeon/radeon_display: Decrease the size of allocated memory", " - nvme: fixup comment for nvme RDMA Provider Type", " - drm/panel: simple: Add missing display timing flags for KOE TX26D202VM0BWA", " - gpio: davinci: Validate the obtained number of IRQs", " - gpiolib: cdev: Disallow reconfiguration without direction (uAPI v1)", " - x86: stop playing stack games in profile_pc()", " - parisc: use generic sys_fanotify_mark implementation", " - ocfs2: fix DIO failure due to insufficient transaction credits", " - mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos", " - mmc: sdhci: Do not invert write-protect twice", " - mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro()", " - i2c: testunit: don't erase registers after STOP", " - i2c: testunit: discard write requests while old command is running", " - iio: adc: ad7266: Fix variable checking bug", " - iio: accel: fxls8962af: select IIO_BUFFER & IIO_KFIFO_BUF", " - iio: chemical: bme680: Fix pressure value output", " - iio: chemical: bme680: Fix calibration data variable", " - iio: chemical: bme680: Fix overflows in compensate() functions", " - iio: chemical: bme680: Fix sensor data read operation", " - net: usb: ax88179_178a: improve link status logs", " - usb: gadget: printer: SS+ support", " - usb: gadget: printer: fix races against disable", " - usb: musb: da8xx: fix a resource leak in probe()", " - usb: atm: cxacru: fix endpoint checking in cxacru_bind()", " - usb: dwc3: core: remove lock of otg mode during gadget suspend/resume to", " avoid deadlock", " - serial: 8250_omap: Implementation of Errata i2310", " - tty: mcf: MCF54418 has 10 UARTS", " - net: can: j1939: Initialize unused data in j1939_send_one()", " - net: can: j1939: recover socket queue on CAN bus error during BAM", " transmission", " - net: can: j1939: enhanced error handling for tightly received RTS messages", " in xtp_rx_rts_session_new", " - cpu/hotplug: Fix dynstate assignment in __cpuhp_setup_state_cpuslocked()", " - kbuild: Install dtb files as 0644 in Makefile.dtbinst", " - sh: rework sync_file_range ABI", " - csky, hexagon: fix broken sys_sync_file_range", " - hexagon: fix fadvise64_64 calling conventions", " - drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes", " - drm/amdgpu: avoid using null object of framebuffer", " - drm/i915/gt: Fix potential UAF by revoke of fence registers", " - drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes", " - batman-adv: Don't accept TT entries for out-of-spec VIDs", " - ata: ahci: Clean up sysfs file on error", " - ata: libata-core: Fix double free on error", " - ftruncate: pass a signed offset", " - syscalls: fix compat_sys_io_pgetevents_time64 usage", " - syscalls: fix sys_fanotify_mark prototype", " - pwm: stm32: Refuse too small period requests", " - nfs: Leave pages in the pagecache if readpage failed", " - drivers: fix typo in firmware/efi/memmap.c", " - efi: Correct comment on efi_memmap_alloc", " - efi: memmap: Move manipulation routines into x86 arch tree", " - efi: xen: Set EFI_PARAVIRT for Xen dom0 boot on all architectures", " - efi/x86: Free EFI memory map only when installing a new one.", " - KVM: arm64: vgic-v4: Make the doorbell request robust w.r.t preemption", " - ARM: dts: rockchip: rk3066a: add #sound-dai-cells to hdmi node", " - arm64: dts: rockchip: fix PMIC interrupt pin on ROCK Pi E", " - arm64: dts: rockchip: Add sound-dai-cells for RK3368", " - serial: 8250_omap: Fix Errata i2310 with RX FIFO level check", " - tracing/net_sched: NULL pointer dereference in perf_trace_qdisc_reset()", " - Linux 5.15.162", "", " * Fix L2CAP/LE/CPU/BI-02-C bluetooth certification failure (LP: #2072858) //", " Jammy update: v5.15.162 upstream stable release (LP: #2073765)", " - Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ", "", " * net/sched: Fix conntrack use-after-free (LP: #2073092)", " - net/sched: Fix UAF when resolving a clash", "", " * Jammy update: v5.15.161 upstream stable release (LP: #2072617)", " - x86/tsc: Trust initial offset in architectural TSC-adjust MSRs", " - tty: n_gsm: fix missing receive state reset after mode switch", " - speakup: Fix sizeof() vs ARRAY_SIZE() bug", " - serial: 8250_bcm7271: use default_mux_rate if possible", " - Revert \"r8169: don't try to disable interrupts if NAPI is, scheduled", " already\"", " - r8169: Fix possible ring buffer corruption on fragmented Tx packets.", " - ring-buffer: Fix a race between readers and resize checks", " - tools/latency-collector: Fix -Wformat-security compile warns", " - net: smc91x: Fix m68k kernel compilation for ColdFire CPU", " - nilfs2: fix unexpected freezing of nilfs_segctor_sync()", " - nilfs2: fix potential hang in nilfs_detach_log_writer()", " - fs/ntfs3: Remove max link count info display during driver init", " - fs/ntfs3: Taking DOS names into account during link counting", " - fs/ntfs3: Fix case when index is reused during tree transformation", " - fs/ntfs3: Break dir enumeration if directory contents error", " - ALSA: core: Fix NULL module pointer assignment at card init", " - wifi: cfg80211: fix the order of arguments for trace events of the tx_rx_evt", " class", " - dt-bindings: rockchip: grf: Add missing type to 'pcie-phy' node", " - net: usb: qmi_wwan: add Telit FN920C04 compositions", " - drm/amd/display: Set color_mgmt_changed to true on unsuspend", " - selftests: sud_test: return correct emulated syscall value on RISC-V", " - regulator: irq_helpers: duplicate IRQ name", " - ASoC: rt5645: Fix the electric noise due to the CBJ contacts floating", " - ASoC: dt-bindings: rt5645: add cbj sleeve gpio property", " - regulator: vqmmc-ipq4019: fix module autoloading", " - ASoC: rt715: add vendor clear control register", " - ASoC: rt715-sdca: volume step modification", " - softirq: Fix suspicious RCU usage in __do_softirq()", " - ASoC: da7219-aad: fix usage of device_get_named_child_node()", " - drm/amdkfd: Flush the process wq before creating a kfd_process", " - x86/mm: Remove broken vsyscall emulation code from the page fault code", " - nvme: find numa distance only if controller has valid numa id", " - epoll: be better about file lifetimes", " - openpromfs: finish conversion to the new mount API", " - crypto: bcm - Fix pointer arithmetic", " - mm/slub, kunit: Use inverted data to corrupt kmem cache", " - firmware: raspberrypi: Use correct device for DMA mappings", " - ecryptfs: Fix buffer size for tag 66 packet", " - nilfs2: fix out-of-range warning", " - parisc: add missing export of __cmpxchg_u8()", " - crypto: ccp - drop platform ifdef checks", " - crypto: x86/nh-avx2 - add missing vzeroupper", " - crypto: x86/sha256-avx2 - add missing vzeroupper", " - crypto: x86/sha512-avx2 - add missing vzeroupper", " - s390/cio: fix tracepoint subchannel type field", " - jffs2: prevent xattr node from overflowing the eraseblock", " - soc: mediatek: cmdq: Fix typo of CMDQ_JUMP_RELATIVE", " - null_blk: Fix missing mutex_destroy() at module removal", " - md: fix resync softlockup when bitmap size is less than array size", " - wifi: ath10k: poll service ready message before failing", " - x86/boot: Ignore relocations in .notes sections in walk_relocs() too", " - sched/fair: Add EAS checks before updating root_domain::overutilized", " - qed: avoid truncating work queue length", " - bpf: Pack struct bpf_fib_lookup", " - scsi: ufs: qcom: Perform read back after writing reset bit", " - scsi: ufs: qcom: Perform read back after writing REG_UFS_SYS1CLK_1US", " - scsi: ufs: ufs-qcom: Fix the Qcom register name for offset 0xD0", " - scsi: ufs: ufs-qcom: Clear qunipro_g4_sel for HW version major 5", " - scsi: ufs: qcom: Perform read back after writing unipro mode", " - scsi: ufs: qcom: Perform read back after writing CGC enable", " - scsi: ufs: cdns-pltfrm: Perform read back after writing HCLKDIV", " - scsi: ufs: core: Perform read back after disabling interrupts", " - scsi: ufs: core: Perform read back after disabling UIC_COMMAND_COMPL", " - irqchip/alpine-msi: Fix off-by-one in allocation error path", " - irqchip/loongson-pch-msi: Fix off-by-one on allocation error path", " - ACPI: disable -Wstringop-truncation", " - gfs2: Don't forget to complete delayed withdraw", " - gfs2: Fix \"ignore unlock failures after withdraw\"", " - selftests/bpf: Fix umount cgroup2 error in test_sockmap", " - cpufreq: Reorganize checks in cpufreq_offline()", " - cpufreq: Split cpufreq_offline()", " - cpufreq: Rearrange locking in cpufreq_remove_dev()", " - cpufreq: exit() callback is optional", " - net: export inet_lookup_reuseport and inet6_lookup_reuseport", " - net: remove duplicate reuseport_lookup functions", " - udp: Avoid call to compute_score on multiple sites", " - cppc_cpufreq: Fix possible null pointer dereference", " - scsi: libsas: Fix the failure of adding phy with zero-address to port", " - scsi: hpsa: Fix allocation size for Scsi_Host private data", " - x86/purgatory: Switch to the position-independent small code model", " - thermal/drivers/tsens: Fix null pointer dereference", " - wifi: ath10k: Fix an error code problem in", " ath10k_dbg_sta_write_peer_debug_trigger()", " - wifi: ath10k: populate board data for WCN3990", " - net: dsa: mv88e6xxx: Add support for model-specific pre- and post-reset", " handlers", " - net: dsa: mv88e6xxx: Avoid EEPROM timeout without EEPROM on 88E6250-family", " switches", " - tcp: avoid premature drops in tcp_add_backlog()", " - pwm: sti: Convert to platform remove callback returning void", " - pwm: sti: Prepare removing pwm_chip from driver data", " - pwm: sti: Simplify probe function using devm functions", " - net: give more chances to rcu in netdev_wait_allrefs_any()", " - macintosh/via-macii: Fix \"BUG: sleeping function called from invalid", " context\"", " - wifi: carl9170: add a proper sanity check for endpoints", " - wifi: ar5523: enable proper endpoint verification", " - sh: kprobes: Merge arch_copy_kprobe() into arch_prepare_kprobe()", " - Revert \"sh: Handle calling csum_partial with misaligned data\"", " - selftests/binderfs: use the Makefile's rules, not Make's implicit rules", " - selftests/resctrl: fix clang build failure: use LOCAL_HDRS", " - HID: intel-ish-hid: ipc: Add check for pci_alloc_irq_vectors", " - scsi: bfa: Ensure the copied buf is NUL terminated", " - scsi: qedf: Ensure the copied buf is NUL terminated", " - scsi: qla2xxx: Fix debugfs output for fw_resource_count", " - wifi: mwl8k: initialize cmd->addr[] properly", " - usb: aqc111: stop lying about skb->truesize", " - net: usb: sr9700: stop lying about skb->truesize", " - m68k: Fix spinlock race in kernel thread creation", " - m68k: mac: Fix reboot hang on Mac IIci", " - net: ipv6: fix wrong start position when receive hop-by-hop fragment", " - eth: sungem: remove .ndo_poll_controller to avoid deadlocks", " - net: ethernet: cortina: Locking fixes", " - af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg", " - net: usb: smsc95xx: stop lying about skb->truesize", " - net: openvswitch: fix overwriting ct original tuple for ICMPv6", " - ipv6: sr: add missing seg6_local_exit", " - ipv6: sr: fix incorrect unregister order", " - ipv6: sr: fix invalid unregister error path", " - net/mlx5: Discard command completions in internal error", " - s390/bpf: Emit a barrier for BPF_FETCH instructions", " - mptcp: SO_KEEPALIVE: fix getsockopt support", " - printk: Let no_printk() use _printk()", " - dev_printk: Add and use dev_no_printk()", " - drm/amd/display: Fix potential index out of bounds in color transformation", " function", " - ASoC: Intel: Disable route checks for Skylake boards", " - mtd: core: Report error if first mtd_otp_size() call fails in", " mtd_otp_nvmem_add()", " - mtd: rawnand: hynix: fixed typo", " - fbdev: shmobile: fix snprintf truncation", " - ASoC: kirkwood: Fix potential NULL dereference", " - drm/meson: vclk: fix calculation of 59.94 fractional rates", " - drm/mediatek: Add 0 size check to mtk_drm_gem_obj", " - powerpc/fsl-soc: hide unused const variable", " - fbdev: sisfb: hide unused variables", " - media: ngene: Add dvb_ca_en50221_init return value check", " - media: radio-shark2: Avoid led_names truncations", " - drm: bridge: cdns-mhdp8546: Fix possible null pointer dereference", " - media: ipu3-cio2: Use temporary storage for struct device pointer", " - media: ipu3-cio2: Request IRQ earlier", " - media: dt-bindings: ovti,ov2680: Fix the power supply names", " - fbdev: sh7760fb: allow modular build", " - media: atomisp: ssh_css: Fix a null-pointer dereference in", " load_video_binaries", " - drm/arm/malidp: fix a possible null pointer dereference", " - drm: vc4: Fix possible null pointer dereference", " - ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value", " - drm/bridge: lt8912b: Don't log an error when DSI host can't be found", " - drm/bridge: lt9611: Don't log an error when DSI host can't be found", " - drm/bridge: tc358775: Don't log an error when DSI host can't be found", " - drm/panel: simple: Add missing Innolux G121X1-L03 format, flags, connector", " - drm/mipi-dsi: use correct return type for the DSC functions", " - RDMA/mlx5: Adding remote atomic access flag to updatable flags", " - RDMA/hns: Fix return value in hns_roce_map_mr_sg", " - RDMA/hns: Fix deadlock on SRQ async events.", " - RDMA/hns: Fix GMV table pagesize", " - RDMA/hns: Use complete parentheses in macros", " - RDMA/hns: Modify the print level of CQE error", " - clk: qcom: mmcc-msm8998: fix venus clock issue", " - x86/insn: Fix PUSH instruction in x86 instruction decoder opcode map", " - ext4: avoid excessive credit estimate in ext4_tmpfile()", " - virt: acrn: Prefer array_size and struct_size over open coded arithmetic", " - virt: acrn: stop using follow_pfn", " - drivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map()", " - sunrpc: removed redundant procp check", " - ext4: simplify calculation of blkoff in ext4_mb_new_blocks_simple", " - ext4: fix unit mismatch in ext4_mb_new_blocks_simple", " - ext4: try all groups in ext4_mb_new_blocks_simple", " - ext4: remove unused parameter from ext4_mb_new_blocks_simple()", " - ext4: fix potential unnitialized variable", " - SUNRPC: Fix gss_free_in_token_pages()", " - selftests/kcmp: Make the test output consistent and clear", " - selftests/kcmp: remove unused open mode", " - RDMA/IPoIB: Fix format truncation compilation errors", " - selftests: net: bridge: increase IGMP/MLD exclude timeout membership", " interval", " - net: qrtr: ns: Fix module refcnt", " - netrom: fix possible dead-lock in nr_rt_ioctl()", " - af_packet: do not call packet_read_pending() from tpacket_destruct_skb()", " - sched/fair: Allow disabling sched_balance_newidle with", " sched_relax_domain_level", " - sched/core: Fix incorrect initialization of the 'burst' parameter in", " cpu_max_write()", " - greybus: lights: check return of get_channel_from_mode", " - f2fs: Delete f2fs_copy_page() and replace with memcpy_page()", " - f2fs: fix to wait on page writeback in __clone_blkaddrs()", " - soundwire: cadence: fix invalid PDI offset", " - dmaengine: idma64: Add check for dma_set_max_seg_size", " - firmware: dmi-id: add a release callback function", " - serial: max3100: Lock port->lock when calling uart_handle_cts_change()", " - serial: max3100: Update uart_driver_registered on driver removal", " - serial: max3100: Fix bitwise types", " - greybus: arche-ctrl: move device table to its right location", " - PCI: tegra194: Fix probe path for Endpoint mode", " - serial: sc16is7xx: add proper sched.h include for sched_set_fifo()", " - dt-bindings: PCI: rcar-pci-host: Add optional regulators", " - dt-bindings: PCI: rcar-pci-host: Add missing IOMMU properties", " - f2fs: compress: fix to relocate check condition in", " f2fs_{release,reserve}_compress_blocks()", " - f2fs: convert to use sbi directly", " - f2fs: compress: fix to relocate check condition in", " f2fs_ioc_{,de}compress_file()", " - f2fs: do not allow partial truncation on pinned file", " - f2fs: fix typos in comments", " - f2fs: fix to relocate check condition in f2fs_fallocate()", " - f2fs: fix to check pinfile flag in f2fs_move_file_range()", " - coresight: etm4x: Fix unbalanced pm_runtime_enable()", " - iio: pressure: dps310: support negative temperature values", " - coresight: etm4x: Do not hardcode IOMEM access for register restore", " - coresight: etm4x: Do not save/restore Data trace control registers", " - coresight: no-op refactor to make INSTP0 check more idiomatic", " - coresight: etm4x: Cleanup TRCIDR0 register accesses", " - coresight: etm4x: Safe access for TRCQCLTR", " - coresight: etm4x: Fix access to resource selector registers", " - fpga: region: Use standard dev_release for class driver", " - fpga: region: add owner module and take its refcount", " - microblaze: Remove gcc flag for non existing early_printk.c file", " - microblaze: Remove early printk call from cpuinfo-static.c", " - dt-bindings: pinctrl: mediatek: mt7622: fix array properties", " - watchdog: bd9576_wdt: switch to using devm_fwnode_gpiod_get()", " - watchdog: bd9576: Drop \"always-running\" property", " - usb: gadget: u_audio: Clear uac pointer when freed.", " - stm class: Fix a double free in stm_register_device()", " - ppdev: Remove usage of the deprecated ida_simple_xx() API", " - ppdev: Add an error check in register_device", " - extcon: max8997: select IRQ_DOMAIN instead of depending on it", " - PCI/EDR: Align EDR_PORT_DPC_ENABLE_DSM with PCI Firmware r3.3", " - PCI/EDR: Align EDR_PORT_LOCATE_DSM with PCI Firmware r3.3", " - f2fs: compress: fix to cover {reserve,release}_compress_blocks() w/ cp_rwsem", " lock", " - f2fs: fix to release node block count in error path of f2fs_new_node_page()", " - f2fs: compress: don't allow unaligned truncation on released compress inode", " - serial: sh-sci: protect invalidating RXDMA on shutdown", " - libsubcmd: Fix parse-options memory leak", " - s390/vdso: filter out mno-pic-data-is-text-relative cflag", " - s390/vdso64: filter out munaligned-symbols flag for vdso", " - s390/vdso: Generate unwind information for C modules", " - s390/vdso: Use standard stack frame layout", " - s390/ipl: Fix incorrect initialization of len fields in nvme reipl block", " - s390/ipl: Fix incorrect initialization of nvme dump block", " - s390/boot: Remove alt_stfle_fac_list from decompressor", " - Input: ims-pcu - fix printf string overflow", " - Input: ioc3kbd - convert to platform remove callback returning void", " - Input: ioc3kbd - add device table", " - mmc: sdhci_am654: Add tuning algorithm for delay chain", " - mmc: sdhci_am654: Write ITAPDLY for DDR52 timing", " - mmc: sdhci_am654: Drop lookup for deprecated ti,otap-del-sel", " - mmc: sdhci_am654: Add OTAP/ITAP delay enable", " - mmc: sdhci_am654: Add ITAPDLYSEL in sdhci_j721e_4bit_set_clock", " - mmc: sdhci_am654: Fix ITAPDLY for HS400 timing", " - Input: pm8xxx-vibrator - correct VIB_MAX_LEVELS calculation", " - drm/msm/dsi: Print dual-DSI-adjusted pclk instead of original mode pclk", " - drm/msm/dpu: Always flush the slave INTF on the CTL", " - um: Fix return value in ubd_init()", " - um: vector: fix bpfflash parameter evaluation", " - fs/ntfs3: Use 64 bit variable to avoid 32 bit overflow", " - fs/ntfs3: Use variable length array instead of fixed size", " - drm/bridge: tc358775: fix support for jeida-18 and jeida-24", " - media: stk1160: fix bounds checking in stk1160_copy_video()", " - scsi: qla2xxx: Replace all non-returning strlcpy() with strscpy()", " - Input: cyapa - add missing input core locking to suspend/resume functions", " - media: flexcop-usb: clean up endpoint sanity checks", " - media: flexcop-usb: fix sanity check of bNumEndpoints", " - powerpc/pseries: Add failure related checks for h_get_mpp and h_get_ppp", " - um: Fix the -Wmissing-prototypes warning for __switch_mm", " - media: cec: cec-adap: always cancel work in cec_transmit_msg_fh", " - media: cec: cec-api: add locking in cec_release()", " - media: cec: call enable_adap on s_log_addrs", " - media: cec: abort if the current transmit was canceled", " - media: cec: correctly pass on reply results", " - media: cec: use call_op and check for !unregistered", " - media: cec-adap.c: drop activate_cnt, use state info instead", " - media: cec: core: avoid recursive cec_claim_log_addrs", " - media: cec: core: avoid confusing \"transmit timed out\" message", " - null_blk: Fix the WARNING: modpost: missing MODULE_DESCRIPTION()", " - ASoC: mediatek: mt8192: fix register configuration for tdm", " - regulator: bd71828: Don't overwrite runtime voltages", " - x86/kconfig: Select ARCH_WANT_FRAME_POINTERS again when", " UNWINDER_FRAME_POINTER=y", " - [Config] Update CONFIG_ARCH_WANT_FRAME_POINTERS", " - net: Always descend into dsa/ folder with CONFIG_NET_DSA enabled", " - ipv6: sr: fix missing sk_buff release in seg6_input_core", " - nfc: nci: Fix uninit-value in nci_rx_work", " - ASoC: tas2552: Add TX path for capturing AUDIO-OUT data", " - NFSv4: Fixup smatch warning for ambiguous return", " - sunrpc: fix NFSACL RPC retry on soft mount", " - rpcrdma: fix handling for RDMA_CM_EVENT_DEVICE_REMOVAL", " - af_unix: Update unix_sk(sk)->oob_skb under sk_receive_queue lock.", " - ipv6: sr: fix memleak in seg6_hmac_init_algo", " - tcp: Fix shift-out-of-bounds in dctcp_update_alpha().", " - openvswitch: Set the skbuff pkt_type for proper pmtud support.", " - arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY", " - virtio: delete vq in vp_find_vqs_msix() when request_irq() fails", " - riscv: stacktrace: Make walk_stackframe cross pt_regs frame", " - riscv: stacktrace: fixed walk_stackframe()", " - net: fec: avoid lock evasion when reading pps_enable", " - tls: fix missing memory barrier in tls_init", " - nfc: nci: Fix kcov check in nci_rx_work()", " - nfc: nci: Fix handling of zero-length payload packets in nci_rx_work()", " - ice: Interpret .set_channels() input differently", " - netfilter: nfnetlink_queue: acquire rcu_read_lock() in", " instance_destroy_rcu()", " - netfilter: nft_payload: restore vlan q-in-q match support", " - spi: Don't mark message DMA mapped when no transfer in it is", " - dma-mapping: benchmark: fix node id validation", " - dma-mapping: benchmark: handle NUMA_NO_NODE correctly", " - nvmet: fix ns enable/disable possible hang", " - net: phy: micrel: set soft_reset callback to genphy_soft_reset for KSZ8061", " - net/mlx5e: Fix IPsec tunnel mode offload feature check", " - net/mlx5e: Use rx_missed_errors instead of rx_dropped for reporting buffer", " exhaustion", " - dma-buf/sw-sync: don't enable IRQ from sync_print_obj()", " - bpf: Fix potential integer overflow in resolve_btfids", " - enic: Validate length of nl attributes in enic_set_vf_port", " - net: usb: smsc95xx: fix changing LED_SEL bit value updated from EEPROM", " - bpf: Allow delete from sockmap/sockhash only if update is allowed", " - net:fec: Add fec_enet_deinit()", " - netfilter: nft_payload: move struct nft_payload_set definition where it", " belongs", " - netfilter: nft_payload: rebuild vlan header when needed", " - netfilter: nft_payload: rebuild vlan header on h_proto access", " - netfilter: nft_payload: skbuff vlan metadata mangle support", " - netfilter: tproxy: bail out if IP has been disabled on the device", " - kconfig: fix comparison to constant symbols, 'm', 'n'", " - spi: stm32: Don't warn about spurious interrupts", " - net: ena: Add capabilities field with support for ENI stats capability", " - net: ena: Extract recurring driver reset code into a function", " - net: ena: Do not waste napi skb cache", " - net: ena: Add dynamic recycling mechanism for rx buffers", " - net: ena: Reduce lines with longer column width boundary", " - net: ena: Fix redundant device NUMA node override", " - ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound", " - hwmon: (shtc1) Fix property misspelling", " - ALSA: timer: Set lower bound of start tick time", " - KVM: x86: Don't advertise guest.MAXPHYADDR as host.MAXPHYADDR in CPUID", " - genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline", " - net: ena: Fix DMA syncing in XDP path when SWIOTLB is on", " - media: cec: core: add adap_nb_transmit_canceled() callback", " - SUNRPC: Fix loop termination condition in gss_free_in_token_pages()", " - drm: Check output polling initialized before disabling", " - drm: Check polling initialized before enabling in", " drm_helper_probe_single_connector_modes", " - mmc: core: Do not force a retune before RPMB switch", " - io_uring: fail NOP if non-zero op flags is passed in", " - afs: Don't cross .backup mountpoint from backup volume", " - nilfs2: fix use-after-free of timer for log writer thread", " - mptcp: fix full TCP keep-alive support", " - vxlan: Fix regression when dropping packets due to invalid src addresses", " - net: dsa: sja1105: always enable the INCL_SRCPT option", " - net: dsa: tag_sja1105: always prefer source port information from INCL_SRCPT", " - scripts/gdb: fix SB_* constants parsing", " - sunrpc: exclude from freezer when waiting for requests:", " - f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()", " - media: lgdt3306a: Add a check against null-pointer-def", " - drm/amdgpu: add error handle to avoid out-of-bounds", " - ata: pata_legacy: make legacy_exit() work again", " - thermal/drivers/qcom/lmh: Check for SCM availability at probe", " - soc: qcom: rpmh-rsc: Enhance check for VRM in-flight request", " - ACPI: resource: Do IRQ override on TongFang GXxHRXx and GMxHGxx", " - arm64: tegra: Correct Tegra132 I2C alias", " - arm64: dts: qcom: qcs404: fix bluetooth device address", " - md/raid5: fix deadlock that raid5d() wait for itself to clear", " MD_SB_CHANGE_PENDING", " - wifi: rtl8xxxu: Fix the TX power of RTL8192CU, RTL8723AU", " - wifi: rtlwifi: rtl8192de: Fix low speed with WPA3-SAE", " - wifi: rtlwifi: rtl8192de: Fix endianness issue in RX path", " - arm64: dts: hi3798cv200: fix the size of GICR", " - media: mc: mark the media devnode as registered from the, start", " - media: mxl5xx: Move xpt structures off stack", " - media: v4l2-core: hold videodev_lock until dev reg, finishes", " - mmc: core: Add mmc_gpiod_set_cd_config() function", " - mmc: sdhci-acpi: Sort DMI quirks alphabetically", " - mmc: sdhci-acpi: Fix Lenovo Yoga Tablet 2 Pro 1380 sdcard slot not working", " - mmc: sdhci-acpi: Disable write protect detection on Toshiba WT10-A", " - fbdev: savage: Handle err return when savagefb_check_var failed", " - drm/amdgpu/atomfirmware: add intergrated info v2.3 table", " - KVM: arm64: Fix AArch32 register narrowing on userspace write", " - KVM: arm64: Allow AArch32 PSTATE.M to be restored as System mode", " - crypto: ecdsa - Fix module auto-load on add-key", " - crypto: ecrdsa - Fix module auto-load on add_key", " - crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak", " - net/ipv6: Fix route deleting failure when metric equals 0", " - net/9p: fix uninit-value in p9_client_rpc()", " - intel_th: pci: Add Meteor Lake-S CPU support", " - sparc64: Fix number of online CPUs", " - watchdog: rti_wdt: Set min_hw_heartbeat_ms to accommodate a safety margin", " - kdb: Fix buffer overflow during tab-complete", " - kdb: Use format-strings rather than '\\0' injection in kdb_read()", " - kdb: Fix console handling when editing and tab-completing commands", " - kdb: Merge identical case statements in kdb_read()", " - kdb: Use format-specifiers rather than memset() for padding in kdb_read()", " - net: fix __dst_negative_advice() race", " - sparc: move struct termio to asm/termios.h", " - ext4: set type of ac_groups_linear_remaining to __u32 to avoid overflow", " - ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()", " - s390/ap: Fix crash in AP internal function modify_bitmap()", " - s390/cpacf: Split and rework cpacf query functions", " - s390/cpacf: Make use of invalid opcode produce a link error", " - i3c: master: svc: fix invalidate IBI type and miss call client IBI handler", " - EDAC/igen6: Convert PCIBIOS_* return codes to errnos", " - nfs: fix undefined behavior in nfs_block_bits()", " - NFS: Fix READ_PLUS when server doesn't support OP_READ_PLUS", " - scsi: ufs: ufs-qcom: Clear qunipro_g4_sel for HW major version > 5", " - Linux 5.15.161", "", " * Virtualbox Guru meditation on VM start caused by kernel commit in v6.9-rc4", " (LP: #2073267)", " - SAUCE: Revert \"randomize_kstack: Improve entropy diffusion\"", "", " * CVE-2024-26921", " - inet: inet_defrag: prevent sk release while still in use", "", " * Jammy update: v5.15.162 upstream stable release (LP: #2073765) //", " CVE-2024-39484", " - mmc: davinci: Don't strip remove function when driver is builtin", "", " * CVE-2024-39292", " - um: Add winch to winch_handlers before registering winch IRQ", "", " * CVE-2024-36901", " - ipv6: prevent NULL dereference in ip6_output()", "", " * CVE-2024-26830", " - i40e: Do not allow untrusted VF to remove administratively set MAC", "", " * CVE-2024-26680", " - net: atlantic: Fix DMA mapping for PTP hwts ring", "", " * CVE-2023-52760", " - gfs2: Fix slab-use-after-free in gfs2_qd_dealloc", "", " * CVE-2023-52629", " - sh: push-switch: Reorder cleanup operations to avoid use-after-free bug", "" ], "package": "linux", "version": "5.15.0-120.130", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2075903, 1786013, 2075170, 2074215, 2075170, 2073765, 2072858, 2073765, 2073092, 2072617, 2073267, 2073765 ], "author": "Roxana Nicolescu ", "date": "Fri, 02 Aug 2024 20:11:12 +0200" } ], "notes": "linux-headers-5.15.0-122-generic version '5.15.0-122.132' (source package linux version '5.15.0-122.132') was added. linux-headers-5.15.0-122-generic version '5.15.0-122.132' has the same source package name, linux, as removed package linux-headers-5.15.0-119. As such we can use the source package version of the removed package, '5.15.0-119.129', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-image-5.15.0-122-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "5.15.0-119.129", "version": null }, "to_version": { "source_package_name": "linux-signed", "source_package_version": "5.15.0-122.132", "version": "5.15.0-122.132" }, "cves": [], "launchpad_bugs_fixed": [ 1786013, 1786013, 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 5.15.0-122.132", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed", "version": "5.15.0-122.132", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Manuel Diewald ", "date": "Thu, 29 Aug 2024 14:47:33 +0200" }, { "cves": [], "log": [ "", " * Main version: 5.15.0-121.131", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed", "version": "5.15.0-121.131", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Roxana Nicolescu ", "date": "Fri, 09 Aug 2024 10:16:05 +0200" }, { "cves": [], "log": [ "", " * Main version: 5.15.0-120.130", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed", "version": "5.15.0-120.130", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 1786013 ], "author": "Roxana Nicolescu ", "date": "Fri, 02 Aug 2024 20:12:17 +0200" } ], "notes": "linux-image-5.15.0-122-generic version '5.15.0-122.132' (source package linux-signed version '5.15.0-122.132') was added. linux-image-5.15.0-122-generic version '5.15.0-122.132' has the same source package name, linux-signed, as removed package linux-image-5.15.0-119-generic. As such we can use the source package version of the removed package, '5.15.0-119.129', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-modules-5.15.0-122-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-119.129", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.15.0-122.132", "version": "5.15.0-122.132" }, "cves": [ { "cve": "CVE-2024-41009", "url": "https://ubuntu.com/security/CVE-2024-41009", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix overrunning reservations in ringbuf The BPF ring buffer internally is implemented as a power-of-2 sized circular buffer, with two logical and ever-increasing counters: consumer_pos is the consumer counter to show which logical position the consumer consumed the data, and producer_pos which is the producer counter denoting the amount of data reserved by all producers. Each time a record is reserved, the producer that \"owns\" the record will successfully advance producer counter. In user space each time a record is read, the consumer of the data advanced the consumer counter once it finished processing. Both counters are stored in separate pages so that from user space, the producer counter is read-only and the consumer counter is read-write. One aspect that simplifies and thus speeds up the implementation of both producers and consumers is how the data area is mapped twice contiguously back-to-back in the virtual memory, allowing to not take any special measures for samples that have to wrap around at the end of the circular buffer data area, because the next page after the last data page would be first data page again, and thus the sample will still appear completely contiguous in virtual memory. Each record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for book-keeping the length and offset, and is inaccessible to the BPF program. Helpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ` for the BPF program to use. Bing-Jhong and Muhammad reported that it is however possible to make a second allocated memory chunk overlapping with the first chunk and as a result, the BPF program is now able to edit first chunk's header. For example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size of 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to bpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in [0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets allocate a chunk B with size 0x3000. This will succeed because consumer_pos was edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask` check. Chunk B will be in range [0x3008,0x6010], and the BPF program is able to edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned earlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data pages. This means that chunk B at [0x4000,0x4008] is chunk A's header. bpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then locate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk B modified chunk A's header, then bpf_ringbuf_commit() refers to the wrong page and could cause a crash. Fix it by calculating the oldest pending_pos and check whether the range from the oldest outstanding record to the newest would span beyond the ring buffer size. If that is the case, then reject the request. We've tested with the ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh) before/after the fix and while it seems a bit slower on some benchmarks, it is still not significantly enough to matter.", "cve_priority": "medium", "cve_public_date": "2024-07-17 07:15:00 UTC" }, { "cve": "CVE-2024-39494", "url": "https://ubuntu.com/security/CVE-2024-39494", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ima: Fix use-after-free on a dentry's dname.name ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-39496", "url": "https://ubuntu.com/security/CVE-2024-39496", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: fix use-after-free due to race with dev replace While loading a zone's info during creation of a block group, we can race with a device replace operation and then trigger a use-after-free on the device that was just replaced (source device of the replace operation). This happens because at btrfs_load_zone_info() we extract a device from the chunk map into a local variable and then use the device while not under the protection of the device replace rwsem. So if there's a device replace operation happening when we extract the device and that device is the source of the replace operation, we will trigger a use-after-free if before we finish using the device the replace operation finishes and frees the device. Fix this by enlarging the critical section under the protection of the device replace rwsem so that all uses of the device are done inside the critical section.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-42160", "url": "https://ubuntu.com/security/CVE-2024-42160", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: f2fs: check validation of fault attrs in f2fs_build_fault_attr() - It missed to check validation of fault attrs in parse_options(), let's fix to add check condition in f2fs_build_fault_attr(). - Use f2fs_build_fault_attr() in __sbi_store() to clean up code.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-38570", "url": "https://ubuntu.com/security/CVE-2024-38570", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount When a DLM lockspace is released and there ares still locks in that lockspace, DLM will unlock those locks automatically. Commit fb6791d100d1b started exploiting this behavior to speed up filesystem unmount: gfs2 would simply free glocks it didn't want to unlock and then release the lockspace. This didn't take the bast callbacks for asynchronous lock contention notifications into account, which remain active until until a lock is unlocked or its lockspace is released. To prevent those callbacks from accessing deallocated objects, put the glocks that should not be unlocked on the sd_dead_glocks list, release the lockspace, and only then free those glocks. As an additional measure, ignore unexpected ast and bast callbacks if the receiving glock is dead.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-42228", "url": "https://ubuntu.com/security/CVE-2024-42228", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. V2: To really improve the handling we would actually need to have a separate value of 0xffffffff.(Christian)", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-27012", "url": "https://ubuntu.com/security/CVE-2024-27012", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: restore set elements when delete set fails From abort path, nft_mapelem_activate() needs to restore refcounters to the original state. Currently, it uses the set->ops->walk() to iterate over these set elements. The existing set iterator skips inactive elements in the next generation, this does not work from the abort path to restore the original state since it has to skip active elements instead (not inactive ones). This patch moves the check for inactive elements to the set iterator callback, then it reverses the logic for the .activate case which needs to skip active elements. Toggle next generation bit for elements when delete set command is invoked and call nft_clear() from .activate (abort) path to restore the next generation bit. The splat below shows an object in mappings memleak: [43929.457523] ------------[ cut here ]------------ [43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [...] [43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 [43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246 [43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000 [43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550 [43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f [43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0 [43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002 [43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000 [43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0 [43929.458114] Call Trace: [43929.458118] [43929.458121] ? __warn+0x9f/0x1a0 [43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458188] ? report_bug+0x1b1/0x1e0 [43929.458196] ? handle_bug+0x3c/0x70 [43929.458200] ? exc_invalid_op+0x17/0x40 [43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables] [43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables] [43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables] [43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables] [43929.458512] ? rb_insert_color+0x2e/0x280 [43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables] [43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables] [43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables] [43929.458701] ? __rcu_read_unlock+0x46/0x70 [43929.458709] nft_delset+0xff/0x110 [nf_tables] [43929.458769] nft_flush_table+0x16f/0x460 [nf_tables] [43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-26677", "url": "https://ubuntu.com/security/CVE-2024-26677", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix delayed ACKs to not set the reference serial number Fix the construction of delayed ACKs to not set the reference serial number as they can't be used as an RTT reference.", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2024-26921", "url": "https://ubuntu.com/security/CVE-2024-26921", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: inet: inet_defrag: prevent sk release while still in use ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released. This affects skb fragments reassembled via netfilter or similar modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline. Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing. A relevant old patch about the issue was : 8282f27449bf (\"inet: frag: Always orphan skbs inside ip_defrag()\") [..] net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used. Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this: If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accouting to reflect the fully reassembled skb, else wmem will underflow. This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered. This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue. In the former case, things work as before, skb is orphaned. This is safe because skb gets queued/stolen and won't continue past reasm engine. In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accouting when inet_frag inflates truesize.", "cve_priority": "high", "cve_public_date": "2024-04-18 10:15:00 UTC" }, { "cve": "CVE-2024-39484", "url": "https://ubuntu.com/security/CVE-2024-39484", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: davinci: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in reference: davinci_mmcsd_driver+0x10 (section: .data) -> davinci_mmcsd_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-07-05 07:15:00 UTC" }, { "cve": "CVE-2024-39292", "url": "https://ubuntu.com/security/CVE-2024-39292", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: um: Add winch to winch_handlers before registering winch IRQ Registering a winch IRQ is racy, an interrupt may occur before the winch is added to the winch_handlers list. If that happens, register_winch_irq() adds to that list a winch that is scheduled to be (or has already been) freed, causing a panic later in winch_cleanup(). Avoid the race by adding the winch to the winch_handlers list before registering the IRQ, and rolling back if um_request_irq() fails.", "cve_priority": "medium", "cve_public_date": "2024-06-24 14:15:00 UTC" }, { "cve": "CVE-2024-36901", "url": "https://ubuntu.com/security/CVE-2024-36901", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent NULL dereference in ip6_output() According to syzbot, there is a chance that ip6_dst_idev() returns NULL in ip6_output(). Most places in IPv6 stack deal with a NULL idev just fine, but not here. syzbot reported: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7] CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237 Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202 RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000 RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48 RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0 R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000 FS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: NF_HOOK include/linux/netfilter.h:314 [inline] ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358 sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248 sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653 sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169 sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73 __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234 sctp_connect net/sctp/socket.c:4819 [inline] sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "medium", "cve_public_date": "2024-05-30 16:15:00 UTC" }, { "cve": "CVE-2024-26830", "url": "https://ubuntu.com/security/CVE-2024-26830", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i40e: Do not allow untrusted VF to remove administratively set MAC Currently when PF administratively sets VF's MAC address and the VF is put down (VF tries to delete all MACs) then the MAC is removed from MAC filters and primary VF MAC is zeroed. Do not allow untrusted VF to remove primary MAC when it was set administratively by PF. Reproducer: 1) Create VF 2) Set VF interface up 3) Administratively set the VF's MAC 4) Put VF interface down [root@host ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs [root@host ~]# ip link set enp2s0f0v0 up [root@host ~]# ip link set enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off [root@host ~]# ip link set enp2s0f0v0 down [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-26680", "url": "https://ubuntu.com/security/CVE-2024-26680", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: atlantic: Fix DMA mapping for PTP hwts ring Function aq_ring_hwts_rx_alloc() maps extra AQ_CFG_RXDS_DEF bytes for PTP HWTS ring but then generic aq_ring_free() does not take this into account. Create and use a specific function to free HWTS ring to fix this issue. Trace: [ 215.351607] ------------[ cut here ]------------ [ 215.351612] DMA-API: atlantic 0000:4b:00.0: device driver frees DMA memory with different size [device address=0x00000000fbdd0000] [map size=34816 bytes] [unmap size=32768 bytes] [ 215.351635] WARNING: CPU: 33 PID: 10759 at kernel/dma/debug.c:988 check_unmap+0xa6f/0x2360 ... [ 215.581176] Call Trace: [ 215.583632] [ 215.585745] ? show_trace_log_lvl+0x1c4/0x2df [ 215.590114] ? show_trace_log_lvl+0x1c4/0x2df [ 215.594497] ? debug_dma_free_coherent+0x196/0x210 [ 215.599305] ? check_unmap+0xa6f/0x2360 [ 215.603147] ? __warn+0xca/0x1d0 [ 215.606391] ? check_unmap+0xa6f/0x2360 [ 215.610237] ? report_bug+0x1ef/0x370 [ 215.613921] ? handle_bug+0x3c/0x70 [ 215.617423] ? exc_invalid_op+0x14/0x50 [ 215.621269] ? asm_exc_invalid_op+0x16/0x20 [ 215.625480] ? check_unmap+0xa6f/0x2360 [ 215.629331] ? mark_lock.part.0+0xca/0xa40 [ 215.633445] debug_dma_free_coherent+0x196/0x210 [ 215.638079] ? __pfx_debug_dma_free_coherent+0x10/0x10 [ 215.643242] ? slab_free_freelist_hook+0x11d/0x1d0 [ 215.648060] dma_free_attrs+0x6d/0x130 [ 215.651834] aq_ring_free+0x193/0x290 [atlantic] [ 215.656487] aq_ptp_ring_free+0x67/0x110 [atlantic] ... [ 216.127540] ---[ end trace 6467e5964dd2640b ]--- [ 216.132160] DMA-API: Mapped at: [ 216.132162] debug_dma_alloc_coherent+0x66/0x2f0 [ 216.132165] dma_alloc_attrs+0xf5/0x1b0 [ 216.132168] aq_ring_hwts_rx_alloc+0x150/0x1f0 [atlantic] [ 216.132193] aq_ptp_ring_alloc+0x1bb/0x540 [atlantic] [ 216.132213] aq_nic_init+0x4a1/0x760 [atlantic]", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2023-52760", "url": "https://ubuntu.com/security/CVE-2023-52760", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix slab-use-after-free in gfs2_qd_dealloc In gfs2_put_super(), whether withdrawn or not, the quota should be cleaned up by gfs2_quota_cleanup(). Otherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu callback) has run for all gfs2_quota_data objects, resulting in use-after-free. Also, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called by gfs2_make_fs_ro(), so in gfs2_put_super(), after calling gfs2_make_fs_ro(), there is no need to call them again.", "cve_priority": "medium", "cve_public_date": "2024-05-21 16:15:00 UTC" }, { "cve": "CVE-2023-52629", "url": "https://ubuntu.com/security/CVE-2023-52629", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sh: push-switch: Reorder cleanup operations to avoid use-after-free bug The original code puts flush_work() before timer_shutdown_sync() in switch_drv_remove(). Although we use flush_work() to stop the worker, it could be rescheduled in switch_timer(). As a result, a use-after-free bug can occur. The details are shown below: (cpu 0) | (cpu 1) switch_drv_remove() | flush_work() | ... | switch_timer // timer | schedule_work(&psw->work) timer_shutdown_sync() | ... | switch_work_handler // worker kfree(psw) // free | | psw->state = 0 // use This patch puts timer_shutdown_sync() before flush_work() to mitigate the bugs. As a result, the worker and timer will be stopped safely before the deallocate operations.", "cve_priority": "medium", "cve_public_date": "2024-03-29 10:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2078154, 2076957, 2076100, 2076347, 2076334, 2075903, 1786013, 2075170, 2074215, 2075170, 2073765, 2072858, 2073765, 2073092, 2072617, 2073267, 2073765 ], "changes": [ { "cves": [ { "cve": "CVE-2024-41009", "url": "https://ubuntu.com/security/CVE-2024-41009", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: bpf: Fix overrunning reservations in ringbuf The BPF ring buffer internally is implemented as a power-of-2 sized circular buffer, with two logical and ever-increasing counters: consumer_pos is the consumer counter to show which logical position the consumer consumed the data, and producer_pos which is the producer counter denoting the amount of data reserved by all producers. Each time a record is reserved, the producer that \"owns\" the record will successfully advance producer counter. In user space each time a record is read, the consumer of the data advanced the consumer counter once it finished processing. Both counters are stored in separate pages so that from user space, the producer counter is read-only and the consumer counter is read-write. One aspect that simplifies and thus speeds up the implementation of both producers and consumers is how the data area is mapped twice contiguously back-to-back in the virtual memory, allowing to not take any special measures for samples that have to wrap around at the end of the circular buffer data area, because the next page after the last data page would be first data page again, and thus the sample will still appear completely contiguous in virtual memory. Each record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for book-keeping the length and offset, and is inaccessible to the BPF program. Helpers like bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ` for the BPF program to use. Bing-Jhong and Muhammad reported that it is however possible to make a second allocated memory chunk overlapping with the first chunk and as a result, the BPF program is now able to edit first chunk's header. For example, consider the creation of a BPF_MAP_TYPE_RINGBUF map with size of 0x4000. Next, the consumer_pos is modified to 0x3000 /before/ a call to bpf_ringbuf_reserve() is made. This will allocate a chunk A, which is in [0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets allocate a chunk B with size 0x3000. This will succeed because consumer_pos was edited ahead of time to pass the `new_prod_pos - cons_pos > rb->mask` check. Chunk B will be in range [0x3008,0x6010], and the BPF program is able to edit [0x3010,0x6010]. Due to the ring buffer memory layout mentioned earlier, the ranges [0x0,0x4000] and [0x4000,0x8000] point to the same data pages. This means that chunk B at [0x4000,0x4008] is chunk A's header. bpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then locate the bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk B modified chunk A's header, then bpf_ringbuf_commit() refers to the wrong page and could cause a crash. Fix it by calculating the oldest pending_pos and check whether the range from the oldest outstanding record to the newest would span beyond the ring buffer size. If that is the case, then reject the request. We've tested with the ring buffer benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh) before/after the fix and while it seems a bit slower on some benchmarks, it is still not significantly enough to matter.", "cve_priority": "medium", "cve_public_date": "2024-07-17 07:15:00 UTC" }, { "cve": "CVE-2024-39494", "url": "https://ubuntu.com/security/CVE-2024-39494", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ima: Fix use-after-free on a dentry's dname.name ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-39496", "url": "https://ubuntu.com/security/CVE-2024-39496", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: fix use-after-free due to race with dev replace While loading a zone's info during creation of a block group, we can race with a device replace operation and then trigger a use-after-free on the device that was just replaced (source device of the replace operation). This happens because at btrfs_load_zone_info() we extract a device from the chunk map into a local variable and then use the device while not under the protection of the device replace rwsem. So if there's a device replace operation happening when we extract the device and that device is the source of the replace operation, we will trigger a use-after-free if before we finish using the device the replace operation finishes and frees the device. Fix this by enlarging the critical section under the protection of the device replace rwsem so that all uses of the device are done inside the critical section.", "cve_priority": "medium", "cve_public_date": "2024-07-12 13:15:00 UTC" }, { "cve": "CVE-2024-42160", "url": "https://ubuntu.com/security/CVE-2024-42160", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: f2fs: check validation of fault attrs in f2fs_build_fault_attr() - It missed to check validation of fault attrs in parse_options(), let's fix to add check condition in f2fs_build_fault_attr(). - Use f2fs_build_fault_attr() in __sbi_store() to clean up code.", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-38570", "url": "https://ubuntu.com/security/CVE-2024-38570", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount When a DLM lockspace is released and there ares still locks in that lockspace, DLM will unlock those locks automatically. Commit fb6791d100d1b started exploiting this behavior to speed up filesystem unmount: gfs2 would simply free glocks it didn't want to unlock and then release the lockspace. This didn't take the bast callbacks for asynchronous lock contention notifications into account, which remain active until until a lock is unlocked or its lockspace is released. To prevent those callbacks from accessing deallocated objects, put the glocks that should not be unlocked on the sd_dead_glocks list, release the lockspace, and only then free those glocks. As an additional measure, ignore unexpected ast and bast callbacks if the receiving glock is dead.", "cve_priority": "medium", "cve_public_date": "2024-06-19 14:15:00 UTC" }, { "cve": "CVE-2024-42228", "url": "https://ubuntu.com/security/CVE-2024-42228", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. V2: To really improve the handling we would actually need to have a separate value of 0xffffffff.(Christian)", "cve_priority": "medium", "cve_public_date": "2024-07-30 08:15:00 UTC" }, { "cve": "CVE-2024-27012", "url": "https://ubuntu.com/security/CVE-2024-27012", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: restore set elements when delete set fails From abort path, nft_mapelem_activate() needs to restore refcounters to the original state. Currently, it uses the set->ops->walk() to iterate over these set elements. The existing set iterator skips inactive elements in the next generation, this does not work from the abort path to restore the original state since it has to skip active elements instead (not inactive ones). This patch moves the check for inactive elements to the set iterator callback, then it reverses the logic for the .activate case which needs to skip active elements. Toggle next generation bit for elements when delete set command is invoked and call nft_clear() from .activate (abort) path to restore the next generation bit. The splat below shows an object in mappings memleak: [43929.457523] ------------[ cut here ]------------ [43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [...] [43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 [43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246 [43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000 [43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550 [43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f [43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0 [43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002 [43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000 [43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0 [43929.458114] Call Trace: [43929.458118] [43929.458121] ? __warn+0x9f/0x1a0 [43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458188] ? report_bug+0x1b1/0x1e0 [43929.458196] ? handle_bug+0x3c/0x70 [43929.458200] ? exc_invalid_op+0x17/0x40 [43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables] [43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables] [43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables] [43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables] [43929.458512] ? rb_insert_color+0x2e/0x280 [43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables] [43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables] [43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables] [43929.458701] ? __rcu_read_unlock+0x46/0x70 [43929.458709] nft_delset+0xff/0x110 [nf_tables] [43929.458769] nft_flush_table+0x16f/0x460 [nf_tables] [43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]", "cve_priority": "medium", "cve_public_date": "2024-05-01 06:15:00 UTC" }, { "cve": "CVE-2024-26677", "url": "https://ubuntu.com/security/CVE-2024-26677", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix delayed ACKs to not set the reference serial number Fix the construction of delayed ACKs to not set the reference serial number as they can't be used as an RTT reference.", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" } ], "log": [ "", " * jammy/linux: 5.15.0-122.132 -proposed tracker (LP: #2078154)", "", " * isolcpus are ignored when using cgroups V2, causing processes to have wrong", " affinity (LP: #2076957)", " - cgroup/cpuset: Optimize cpuset_attach() on v2", "", " * Jammy update: v5.15.164 upstream stable release (LP: #2076100) //", " CVE-2024-41009", " - bpf: Fix overrunning reservations in ringbuf", "", " * CVE-2024-39494", " - ima: Fix use-after-free on a dentry's dname.name", "", " * CVE-2024-39496", " - btrfs: zoned: fix use-after-free due to race with dev replace", "", " * CVE-2024-42160", " - f2fs: check validation of fault attrs in f2fs_build_fault_attr()", " - f2fs: Add inline to f2fs_build_fault_attr() stub", "", " * CVE-2024-38570", " - gfs2: Rename sd_{ glock => kill }_wait", " - gfs2: Fix potential glock use-after-free on unmount", "", " * CVE-2024-42228", " - drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc", "", " * CVE-2024-27012", " - netfilter: nf_tables: restore set elements when delete set fails", "", " * CVE-2024-26677", " - rxrpc: Fix delayed ACKs to not set the reference serial number", "" ], "package": "linux", "version": "5.15.0-122.132", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2078154, 2076957, 2076100 ], "author": "Manuel Diewald ", "date": "Thu, 29 Aug 2024 14:23:02 +0200" }, { "cves": [], "log": [ "", " * jammy/linux: 5.15.0-121.131 -proposed tracker (LP: #2076347)", "", " * jammy:linux bpf selftest do not build (LP: #2076334)", " - SAUCE: Revert \"bpf: Allow reads from uninit stack\"", "" ], "package": "linux", "version": "5.15.0-121.131", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2076347, 2076334 ], "author": "Roxana Nicolescu ", "date": "Fri, 09 Aug 2024 10:15:16 +0200" }, { "cves": [ { "cve": "CVE-2024-26921", "url": "https://ubuntu.com/security/CVE-2024-26921", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: inet: inet_defrag: prevent sk release while still in use ip_local_out() and other functions can pass skb->sk as function argument. If the skb is a fragment and reassembly happens before such function call returns, the sk must not be released. This affects skb fragments reassembled via netfilter or similar modules, e.g. openvswitch or ct_act.c, when run as part of tx pipeline. Eric Dumazet made an initial analysis of this bug. Quoting Eric: Calling ip_defrag() in output path is also implying skb_orphan(), which is buggy because output path relies on sk not disappearing. A relevant old patch about the issue was : 8282f27449bf (\"inet: frag: Always orphan skbs inside ip_defrag()\") [..] net/ipv4/ip_output.c depends on skb->sk being set, and probably to an inet socket, not an arbitrary one. If we orphan the packet in ipvlan, then downstream things like FQ packet scheduler will not work properly. We need to change ip_defrag() to only use skb_orphan() when really needed, ie whenever frag_list is going to be used. Eric suggested to stash sk in fragment queue and made an initial patch. However there is a problem with this: If skb is refragmented again right after, ip_do_fragment() will copy head->sk to the new fragments, and sets up destructor to sock_wfree. IOW, we have no choice but to fix up sk_wmem accouting to reflect the fully reassembled skb, else wmem will underflow. This change moves the orphan down into the core, to last possible moment. As ip_defrag_offset is aliased with sk_buff->sk member, we must move the offset into the FRAG_CB, else skb->sk gets clobbered. This allows to delay the orphaning long enough to learn if the skb has to be queued or if the skb is completing the reasm queue. In the former case, things work as before, skb is orphaned. This is safe because skb gets queued/stolen and won't continue past reasm engine. In the latter case, we will steal the skb->sk reference, reattach it to the head skb, and fix up wmem accouting when inet_frag inflates truesize.", "cve_priority": "high", "cve_public_date": "2024-04-18 10:15:00 UTC" }, { "cve": "CVE-2024-39484", "url": "https://ubuntu.com/security/CVE-2024-39484", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: davinci: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback being discarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g. using sysfs or hotplug), the driver is just removed without the cleanup being performed. This results in resource leaks. Fix it by compiling in the remove callback unconditionally. This also fixes a W=1 modpost warning: WARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in reference: davinci_mmcsd_driver+0x10 (section: .data) -> davinci_mmcsd_remove (section: .exit.text)", "cve_priority": "medium", "cve_public_date": "2024-07-05 07:15:00 UTC" }, { "cve": "CVE-2024-39292", "url": "https://ubuntu.com/security/CVE-2024-39292", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: um: Add winch to winch_handlers before registering winch IRQ Registering a winch IRQ is racy, an interrupt may occur before the winch is added to the winch_handlers list. If that happens, register_winch_irq() adds to that list a winch that is scheduled to be (or has already been) freed, causing a panic later in winch_cleanup(). Avoid the race by adding the winch to the winch_handlers list before registering the IRQ, and rolling back if um_request_irq() fails.", "cve_priority": "medium", "cve_public_date": "2024-06-24 14:15:00 UTC" }, { "cve": "CVE-2024-36901", "url": "https://ubuntu.com/security/CVE-2024-36901", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent NULL dereference in ip6_output() According to syzbot, there is a chance that ip6_dst_idev() returns NULL in ip6_output(). Most places in IPv6 stack deal with a NULL idev just fine, but not here. syzbot reported: general protection fault, probably for non-canonical address 0xdffffc00000000bc: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x00000000000005e0-0x00000000000005e7] CPU: 0 PID: 9775 Comm: syz-executor.4 Not tainted 6.9.0-rc5-syzkaller-00157-g6a30653b604a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:ip6_output+0x231/0x3f0 net/ipv6/ip6_output.c:237 Code: 3c 1e 00 49 89 df 74 08 4c 89 ef e8 19 58 db f7 48 8b 44 24 20 49 89 45 00 49 89 c5 48 8d 9d e0 05 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 38 84 c0 4c 8b 74 24 28 0f 85 61 01 00 00 8b 1b 31 ff RSP: 0018:ffffc9000927f0d8 EFLAGS: 00010202 RAX: 00000000000000bc RBX: 00000000000005e0 RCX: 0000000000040000 RDX: ffffc900131f9000 RSI: 0000000000004f47 RDI: 0000000000004f48 RBP: 0000000000000000 R08: ffffffff8a1f0b9a R09: 1ffffffff1f51fad R10: dffffc0000000000 R11: fffffbfff1f51fae R12: ffff8880293ec8c0 R13: ffff88805d7fc000 R14: 1ffff1100527d91a R15: dffffc0000000000 FS: 00007f135c6856c0(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000080 CR3: 0000000064096000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: NF_HOOK include/linux/netfilter.h:314 [inline] ip6_xmit+0xefe/0x17f0 net/ipv6/ip6_output.c:358 sctp_v6_xmit+0x9f2/0x13f0 net/sctp/ipv6.c:248 sctp_packet_transmit+0x26ad/0x2ca0 net/sctp/output.c:653 sctp_packet_singleton+0x22c/0x320 net/sctp/outqueue.c:783 sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline] sctp_outq_flush+0x6d5/0x3e20 net/sctp/outqueue.c:1212 sctp_side_effects net/sctp/sm_sideeffect.c:1198 [inline] sctp_do_sm+0x59cc/0x60c0 net/sctp/sm_sideeffect.c:1169 sctp_primitive_ASSOCIATE+0x95/0xc0 net/sctp/primitive.c:73 __sctp_connect+0x9cd/0xe30 net/sctp/socket.c:1234 sctp_connect net/sctp/socket.c:4819 [inline] sctp_inet_connect+0x149/0x1f0 net/sctp/socket.c:4834 __sys_connect_file net/socket.c:2048 [inline] __sys_connect+0x2df/0x310 net/socket.c:2065 __do_sys_connect net/socket.c:2075 [inline] __se_sys_connect net/socket.c:2072 [inline] __x64_sys_connect+0x7a/0x90 net/socket.c:2072 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f", "cve_priority": "medium", "cve_public_date": "2024-05-30 16:15:00 UTC" }, { "cve": "CVE-2024-26830", "url": "https://ubuntu.com/security/CVE-2024-26830", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: i40e: Do not allow untrusted VF to remove administratively set MAC Currently when PF administratively sets VF's MAC address and the VF is put down (VF tries to delete all MACs) then the MAC is removed from MAC filters and primary VF MAC is zeroed. Do not allow untrusted VF to remove primary MAC when it was set administratively by PF. Reproducer: 1) Create VF 2) Set VF interface up 3) Administratively set the VF's MAC 4) Put VF interface down [root@host ~]# echo 1 > /sys/class/net/enp2s0f0/device/sriov_numvfs [root@host ~]# ip link set enp2s0f0v0 up [root@host ~]# ip link set enp2s0f0 vf 0 mac fe:6c:b5:da:c7:7d [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether fe:6c:b5:da:c7:7d brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off [root@host ~]# ip link set enp2s0f0v0 down [root@host ~]# ip link show enp2s0f0 23: enp2s0f0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 3c:ec:ef:b7:dd:04 brd ff:ff:ff:ff:ff:ff vf 0 link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off", "cve_priority": "medium", "cve_public_date": "2024-04-17 10:15:00 UTC" }, { "cve": "CVE-2024-26680", "url": "https://ubuntu.com/security/CVE-2024-26680", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: net: atlantic: Fix DMA mapping for PTP hwts ring Function aq_ring_hwts_rx_alloc() maps extra AQ_CFG_RXDS_DEF bytes for PTP HWTS ring but then generic aq_ring_free() does not take this into account. Create and use a specific function to free HWTS ring to fix this issue. Trace: [ 215.351607] ------------[ cut here ]------------ [ 215.351612] DMA-API: atlantic 0000:4b:00.0: device driver frees DMA memory with different size [device address=0x00000000fbdd0000] [map size=34816 bytes] [unmap size=32768 bytes] [ 215.351635] WARNING: CPU: 33 PID: 10759 at kernel/dma/debug.c:988 check_unmap+0xa6f/0x2360 ... [ 215.581176] Call Trace: [ 215.583632] [ 215.585745] ? show_trace_log_lvl+0x1c4/0x2df [ 215.590114] ? show_trace_log_lvl+0x1c4/0x2df [ 215.594497] ? debug_dma_free_coherent+0x196/0x210 [ 215.599305] ? check_unmap+0xa6f/0x2360 [ 215.603147] ? __warn+0xca/0x1d0 [ 215.606391] ? check_unmap+0xa6f/0x2360 [ 215.610237] ? report_bug+0x1ef/0x370 [ 215.613921] ? handle_bug+0x3c/0x70 [ 215.617423] ? exc_invalid_op+0x14/0x50 [ 215.621269] ? asm_exc_invalid_op+0x16/0x20 [ 215.625480] ? check_unmap+0xa6f/0x2360 [ 215.629331] ? mark_lock.part.0+0xca/0xa40 [ 215.633445] debug_dma_free_coherent+0x196/0x210 [ 215.638079] ? __pfx_debug_dma_free_coherent+0x10/0x10 [ 215.643242] ? slab_free_freelist_hook+0x11d/0x1d0 [ 215.648060] dma_free_attrs+0x6d/0x130 [ 215.651834] aq_ring_free+0x193/0x290 [atlantic] [ 215.656487] aq_ptp_ring_free+0x67/0x110 [atlantic] ... [ 216.127540] ---[ end trace 6467e5964dd2640b ]--- [ 216.132160] DMA-API: Mapped at: [ 216.132162] debug_dma_alloc_coherent+0x66/0x2f0 [ 216.132165] dma_alloc_attrs+0xf5/0x1b0 [ 216.132168] aq_ring_hwts_rx_alloc+0x150/0x1f0 [atlantic] [ 216.132193] aq_ptp_ring_alloc+0x1bb/0x540 [atlantic] [ 216.132213] aq_nic_init+0x4a1/0x760 [atlantic]", "cve_priority": "medium", "cve_public_date": "2024-04-02 07:15:00 UTC" }, { "cve": "CVE-2023-52760", "url": "https://ubuntu.com/security/CVE-2023-52760", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix slab-use-after-free in gfs2_qd_dealloc In gfs2_put_super(), whether withdrawn or not, the quota should be cleaned up by gfs2_quota_cleanup(). Otherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu callback) has run for all gfs2_quota_data objects, resulting in use-after-free. Also, gfs2_destroy_threads() and gfs2_quota_cleanup() is already called by gfs2_make_fs_ro(), so in gfs2_put_super(), after calling gfs2_make_fs_ro(), there is no need to call them again.", "cve_priority": "medium", "cve_public_date": "2024-05-21 16:15:00 UTC" }, { "cve": "CVE-2023-52629", "url": "https://ubuntu.com/security/CVE-2023-52629", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: sh: push-switch: Reorder cleanup operations to avoid use-after-free bug The original code puts flush_work() before timer_shutdown_sync() in switch_drv_remove(). Although we use flush_work() to stop the worker, it could be rescheduled in switch_timer(). As a result, a use-after-free bug can occur. The details are shown below: (cpu 0) | (cpu 1) switch_drv_remove() | flush_work() | ... | switch_timer // timer | schedule_work(&psw->work) timer_shutdown_sync() | ... | switch_work_handler // worker kfree(psw) // free | | psw->state = 0 // use This patch puts timer_shutdown_sync() before flush_work() to mitigate the bugs. As a result, the worker and timer will be stopped safely before the deallocate operations.", "cve_priority": "medium", "cve_public_date": "2024-03-29 10:15:00 UTC" } ], "log": [ "", " * jammy/linux: 5.15.0-120.130 -proposed tracker (LP: #2075903)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.master/dkms-versions -- update from kernel-versions", " (main/2024.08.05)", "", " * Jammy update: v5.15.163 upstream stable release (LP: #2075170)", " - Compiler Attributes: Add __uninitialized macro", " - locking/mutex: Introduce devm_mutex_init()", " - drm/lima: fix shared irq handling on driver remove", " - media: dvb: as102-fe: Fix as10x_register_addr packing", " - media: dvb-usb: dib0700_devices: Add missing release_firmware()", " - IB/core: Implement a limit on UMAD receive List", " - scsi: qedf: Make qedf_execute_tmf() non-preemptible", " - crypto: aead,cipher - zeroize key buffer after use", " - drm/amdgpu: Initialize timestamp for some legacy SOCs", " - drm/amd/display: Check index msg_id before read or write", " - drm/amd/display: Check pipe offset before setting vblank", " - drm/amd/display: Skip finding free audio for unknown engine_id", " - media: dw2102: Don't translate i2c read into write", " - sctp: prefer struct_size over open coded arithmetic", " - firmware: dmi: Stop decoding on broken entry", " - Input: ff-core - prefer struct_size over open coded arithmetic", " - wifi: mt76: replace skb_put with skb_put_zero", " - net: dsa: mv88e6xxx: Correct check for empty list", " - media: dvb-frontends: tda18271c2dd: Remove casting during div", " - media: s2255: Use refcount_t instead of atomic_t for num_channels", " - media: dvb-frontends: tda10048: Fix integer overflow", " - i2c: i801: Annotate apanel_addr as __ro_after_init", " - powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for CONFIG_PCI=n", " - orangefs: fix out-of-bounds fsid access", " - kunit: Fix timeout message", " - powerpc/xmon: Check cpu id in commands \"c#\", \"dp#\" and \"dx#\"", " - igc: fix a log entry using uninitialized netdev", " - bpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD", " - jffs2: Fix potential illegal address access in jffs2_free_inode", " - s390/pkey: Wipe sensitive data on failure", " - tools/power turbostat: Remember global max_die_id", " - UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open()", " - tcp_metrics: validate source addr length", " - KVM: s390: fix LPSWEY handling", " - e1000e: Fix S0ix residency on corporate systems", " - net: allow skb_datagram_iter to be called from any context", " - wifi: wilc1000: fix ies_len type in connect path", " - riscv: kexec: Avoid deadlock in kexec crash path", " - netfilter: nf_tables: unconditionally flush pending work before notifier", " - bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()", " - selftests: fix OOM in msg_zerocopy selftest", " - selftests: make order checking verbose in msg_zerocopy selftest", " - inet_diag: Initialize pad field in struct inet_diag_req_v2", " - gpiolib: of: factor out code overriding gpio line polarity", " - gpiolib: of: add a quirk for reset line polarity for Himax LCDs", " - gpiolib: of: add polarity quirk for TSC2005", " - Revert \"igc: fix a log entry using uninitialized netdev\"", " - nilfs2: fix inode number range checks", " - nilfs2: add missing check for inode numbers on directory entries", " - mm: optimize the redundant loop of mm_update_owner_next()", " - mm: avoid overflows in dirty throttling logic", " - btrfs: fix adding block group to a reclaim list and the unused list during", " reclaim", " - Bluetooth: qca: Fix BT enable failure again for QCA6390 after warm reboot", " - can: kvaser_usb: Explicitly initialize family in leafimx driver_info struct", " - fsnotify: Do not generate events for O_PATH file descriptors", " - Revert \"mm/writeback: fix possible divide-by-zero in wb_dirty_limits(),", " again\"", " - drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes", " - drm/amdgpu/atomfirmware: silence UBSAN warning", " - mtd: rawnand: Ensure ECC configuration is propagated to upper layers", " - mtd: rawnand: Bypass a couple of sanity checks during NAND identification", " - mtd: rawnand: rockchip: ensure NVDDR timings are rejected", " - ima: Avoid blocking in RCU read-side critical section", " - media: dw2102: fix a potential buffer overflow", " - clk: qcom: gcc-sm6350: Fix gpll6* & gpll7 parents", " - i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr", " - fs/ntfs3: Mark volume as dirty if xattr is broken", " - ALSA: hda/realtek: Enable headset mic of JP-IK LEAP W502 with ALC897", " - nvme-multipath: find NUMA path only for online numa-node", " - dma-mapping: benchmark: avoid needless copy_to_user if benchmark fails", " - nvme: adjust multiples of NVME_CTRL_PAGE_SIZE in offset", " - regmap-i2c: Subtract reg size from max_write", " - platform/x86: touchscreen_dmi: Add info for GlobalSpace SolT IVW 11.6\"", " tablet", " - platform/x86: touchscreen_dmi: Add info for the EZpad 6s Pro", " - nvmet: fix a possible leak when destroy a ctrl during qp establishment", " - kbuild: fix short log for AS in link-vmlinux.sh", " - nfc/nci: Add the inconsistency check between the input data length and count", " - null_blk: Do not allow runt zone with zone capacity smaller then zone size", " - nilfs2: fix incorrect inode allocation from reserved inodes", " - mm: prevent derefencing NULL ptr in pfn_section_valid()", " - filelock: fix potential use-after-free in posix_lock_inode", " - fs/dcache: Re-use value stored to dentry->d_flags instead of re-reading", " - vfs: don't mod negative dentry count when on shrinker list", " - tcp: fix incorrect undo caused by DSACK of TLP retransmit", " - skmsg: Skip zero length skb in sk_msg_recvmsg", " - octeontx2-af: Fix incorrect value output on error path in", " rvu_check_rsrc_availability()", " - net: fix rc7's __skb_datagram_iter()", " - i40e: Fix XDP program unloading while removing the driver", " - net: lantiq_etop: add blank line after declaration", " - net: ethernet: lantiq_etop: fix double free in detach", " - net: ethernet: mtk-star-emac: set mac_managed_pm when probing", " - ppp: reject claimed-as-LCP but actually malformed packets", " - ethtool: netlink: do not return SQI value if link is down", " - udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().", " - s390: Mark psw in __load_psw_mask() as __unitialized", " - ARM: davinci: Convert comma to semicolon", " - octeontx2-af: replace cpt slot with lf id on reg write", " - octeontx2-af: update cpt lf alloc mailbox", " - octeontx2-af: fix a issue with cpt_lf_alloc mailbox", " - octeontx2-af: fix detection of IP layer", " - octeontx2-af: extend RSS supported offload types", " - octeontx2-af: fix issue with IPv6 ext match for RSS", " - octeontx2-af: fix issue with IPv4 match for RSS", " - tcp: use signed arithmetic in tcp_rtx_probe0_timed_out()", " - tcp: avoid too many retransmit packets", " - net: ks8851: Fix potential TX stall after interface reopen", " - USB: serial: option: add Telit generic core-dump composition", " - USB: serial: option: add Telit FN912 rmnet compositions", " - USB: serial: option: add Fibocom FM350-GL", " - USB: serial: option: add support for Foxconn T99W651", " - USB: serial: option: add Netprisma LCUK54 series modules", " - USB: serial: option: add Rolling RW350-GL variants", " - USB: serial: mos7840: fix crash on resume", " - USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k", " - usb: gadget: configfs: Prevent OOB read/write in usb_string_copy()", " - USB: core: Fix duplicate endpoint bug by clearing reserved bits in the", " descriptor", " - hpet: Support 32-bit userspace", " - nvmem: rmem: Fix return value of rmem_read()", " - nvmem: meson-efuse: Fix return value of nvmem callbacks", " - nvmem: core: only change name to fram for current attribute", " - ALSA: hda/realtek: add quirk for Clevo V5[46]0TU", " - ALSA: hda/realtek: Enable Mute LED on HP 250 G7", " - ALSA: hda/realtek: Limit mic boost on VAIO PRO PX", " - Fix userfaultfd_api to return EINVAL as expected", " - libceph: fix race between delayed_work() and ceph_monc_stop()", " - wireguard: allowedips: avoid unaligned 64-bit memory accesses", " - wireguard: queueing: annotate intentional data race in cpu round robin", " - wireguard: send: annotate intentional data race in checking empty queue", " - ipv6: annotate data-races around cnf.disable_ipv6", " - bpf: Allow reads from uninit stack", " - nilfs2: fix kernel bug on rename operation of broken directory", " - i2c: rcar: bring hardware to known state when probing", " - i2c: mark HostNotify target address as used", " - i2c: rcar: Add R-Car Gen4 support", " - i2c: rcar: reset controller is mandatory for Gen3+", " - i2c: rcar: introduce Gen4 devices", " - i2c: rcar: ensure Gen3+ reset does not disturb local targets", " - i2c: testunit: avoid re-issued work after read message", " - i2c: rcar: clear NO_RXDMA flag after resetting", " - x86/entry/64: Remove obsolete comment on tracing vs. SYSRET", " - x86/bhi: Avoid warning in #DB handler due to BHI mitigation", " - kbuild: Make ld-version.sh more robust against version string changes", " - i2c: rcar: fix error code in probe()", " - Linux 5.15.163", "", " * [SRU] UBSAN warnings in bnx2x kernel driver (LP: #2074215) // Jammy update:", " v5.15.163 upstream stable release (LP: #2075170)", " - bnx2x: Fix multiple UBSAN array-index-out-of-bounds", "", " * Jammy update: v5.15.162 upstream stable release (LP: #2073765)", " - mmc: davinci_mmc: Convert to platform remove callback returning void", " - wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects", " - wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()", " - wifi: cfg80211: Lock wiphy in cfg80211_get_station", " - wifi: cfg80211: pmsr: use correct nla_get_uX functions", " - wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64", " - wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef", " - wifi: iwlwifi: mvm: check n_ssids before accessing the ssids", " - wifi: iwlwifi: mvm: don't read past the mfuart notifcation", " - wifi: mac80211: correctly parse Spatial Reuse Parameter Set element", " - net/ncsi: Simplify Kconfig/dts control flow", " - net/ncsi: Fix the multi thread manner of NCSI driver", " - ipv6: sr: block BH in seg6_output_core() and seg6_input_core()", " - bpf: Set run context for rawtp test_run callback", " - octeontx2-af: Always allocate PF entries from low prioriy zone", " - net: sched: sch_multiq: fix possible OOB write in multiq_tune()", " - vxlan: Fix regression when dropping packets due to invalid src addresses", " - tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB", " - net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP", " - ptp: Fix error message on failed pin verification", " - af_unix: Set sk->sk_state under unix_state_lock() for truly disconencted", " peer.", " - af_unix: Annodate data-races around sk->sk_state for writers.", " - af_unix: Annotate data-race of sk->sk_state in unix_inq_len().", " - af_unix: Annotate data-races around sk->sk_state in unix_write_space() and", " poll().", " - net: inline sock_prot_inuse_add()", " - net: drop nopreempt requirement on sock_prot_inuse_add()", " - af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().", " - af_unix: Annotate data-races around sk->sk_state in sendmsg() and recvmsg().", " - af_unix: Annotate data-race of sk->sk_state in unix_stream_read_skb().", " - af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG.", " - af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen.", " - af_unix: Use unix_recvq_full_lockless() in unix_stream_connect().", " - af_unix: annotate lockless accesses to sk->sk_err", " - af_unix: Use skb_queue_empty_lockless() in unix_release_sock().", " - af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen().", " - af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill().", " - ipv6: fix possible race in __fib6_drop_pcpu_from()", " - usb: gadget: f_fs: use io_data->status consistently", " - usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete", " - iio: accel: mxc4005: Reset chip on probe() and resume()", " - drm/amd/display: Handle Y carry-over in VCP X.Y calculation", " - drm/amd/display: Clean up some inconsistent indenting", " - drm/amd/display: drop unnecessary NULL checks in debugfs", " - drm/amd/display: Fix incorrect DSC instance for MST", " - pvpanic: Keep single style across modules", " - pvpanic: Indentation fixes here and there", " - misc/pvpanic: deduplicate common code", " - misc/pvpanic-pci: register attributes via pci_driver", " - skbuff: introduce skb_pull_data", " - Bluetooth: hci_qca: mark OF related data as maybe unused", " - Bluetooth: btqca: use le32_to_cpu for ver.soc_id", " - Bluetooth: btqca: Add WCN3988 support", " - Bluetooth: qca: use switch case for soc type behavior", " - Bluetooth: qca: add support for QCA2066", " - Bluetooth: qca: fix info leak when fetching fw build id", " - serial: sc16is7xx: replace hardcoded divisor value with BIT() macro", " - serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler", " - x86/ibt,ftrace: Search for __fentry__ location", " - ftrace: Fix possible use-after-free issue in ftrace_location()", " - i2c: add fwnode APIs", " - i2c: acpi: Unbind mux adapters before delete", " - cma: factor out minimum alignment requirement", " - mm/cma: drop incorrect alignment check in cma_init_reserved_mem", " - selftests/mm: compaction_test: fix incorrect write of zero to nr_hugepages", " - selftests/mm: conform test to TAP format output", " - selftests/mm: compaction_test: fix bogus test success on Aarch64", " - wifi: ath10k: fix QCOM_RPROC_COMMON dependency", " - btrfs: fix leak of qgroup extent records after transaction abort", " - nilfs2: Remove check for PageError", " - nilfs2: return the mapped address from nilfs_get_page()", " - nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors", " - USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages", " - usb: typec: tcpm: Ignore received Hard Reset in TOGGLING state", " - mei: me: release irq in mei_me_pci_resume error path", " - jfs: xattr: fix buffer overflow for invalid xattr", " - xhci: Set correct transferred length for cancelled bulk transfers", " - xhci: Apply reset resume quirk to Etron EJ188 xHCI host", " - xhci: Handle TD clearing for multiple streams case", " - xhci: Apply broken streams quirk to Etron EJ188 xHCI host", " - scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated memory", " - powerpc/uaccess: Fix build errors seen with GCC 13/14", " - Input: try trimming too long modalias strings", " - clk: sifive: Do not register clkdevs for PRCI clocks", " - SUNRPC: return proper error from gss_wrap_req_priv", " - platform/x86: dell-smbios-base: Use sysfs_emit()", " - platform/x86: dell-smbios: Fix wrong token data in sysfs", " - gpio: tqmx86: fix typo in Kconfig label", " - gpio: tqmx86: store IRQ trigger type and unmask status separately", " - HID: core: remove unnecessary WARN_ON() in implement()", " - iommu/amd: Introduce pci segment structure", " - iommu/amd: Fix sysfs leak in iommu init", " - iommu: Return right value in iommu_sva_bind_device()", " - HID: logitech-dj: Fix memory leak in logi_dj_recv_switch_to_dj_mode()", " - drm/vmwgfx: 3D disabled should not effect STDU memory limits", " - net: sfp: Always call `sfp_sm_mod_remove()` on remove", " - net: hns3: fix kernel crash problem in concurrent scenario", " - net: hns3: add cond_resched() to hns3 ring buffer init process", " - liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet", " - drm/komeda: check for error-valued pointer", " - drm/bridge/panel: Fix runtime warning on panel bridge release", " - tcp: fix race in tcp_v6_syn_recv_sock()", " - net/mlx5e: Fix features validation check for tunneled UDP (non-VXLAN)", " packets", " - netfilter: ipset: Fix race between namespace cleanup and gc in the list:set", " type", " - net: stmmac: replace priv->speed with the portTransmitRate from the tc-cbs", " parameters", " - net/ipv6: Fix the RT cache flush via sysctl using a previous delay", " - ionic: fix use after netif_napi_del()", " - af_unix: Read with MSG_PEEK loops if the first unread byte is OOB", " - iio: adc: ad9467: fix scan type sign", " - iio: dac: ad5592r: fix temperature channel scaling value", " - iio: imu: inv_icm42600: delete unneeded update watermark call", " - drivers: core: synchronize really_probe() and dev_uevent()", " - drm/exynos/vidi: fix memory leak in .get_modes()", " - drm/exynos: hdmi: report safe 640x480 mode as a fallback when no EDID found", " - mptcp: ensure snd_una is properly initialized on connect", " - tracing/selftests: Fix kprobe event name test for .isra. functions", " - null_blk: Print correct max open zones limit in null_init_zoned_dev()", " - sock_map: avoid race between sock_map_close and sk_psock_put", " - vmci: prevent speculation leaks by sanitizing event in event_deliver()", " - spmi: hisi-spmi-controller: Do not override device identifier", " - knfsd: LOOKUP can return an illegal error value", " - fs/proc: fix softlockup in __read_vmcore", " - ocfs2: use coarse time for new created files", " - ocfs2: fix races between hole punching and AIO+DIO", " - PCI: rockchip-ep: Remove wrong mask on subsys_vendor_id", " - dmaengine: axi-dmac: fix possible race in remove()", " - intel_th: pci: Add Granite Rapids support", " - intel_th: pci: Add Granite Rapids SOC support", " - intel_th: pci: Add Sapphire Rapids SOC support", " - intel_th: pci: Add Meteor Lake-S support", " - intel_th: pci: Add Lunar Lake support", " - nilfs2: fix potential kernel bug due to lack of writeback flag waiting", " - tick/nohz_full: Don't abuse smp_call_function_single() in", " tick_setup_device()", " - scsi: mpi3mr: Fix ATA NCQ priority support", " - mm/huge_memory: don't unpoison huge_zero_folio", " - serial: 8250_pxa: Configure tx_loadsz to match FIFO IRQ level", " - hugetlb_encode.h: fix undefined behaviour (34 << 26)", " - mptcp: pm: inc RmAddr MIB counter once per RM_ADDR ID", " - mptcp: pm: update add_addr counters after connect", " - kbuild: Remove support for Clang's ThinLTO caching", " - greybus: Fix use-after-free bug in gb_interface_release due to race", " condition.", " - usb-storage: alauda: Check whether the media is initialized", " - i2c: at91: Fix the functionality flags of the slave-only interface", " - i2c: designware: Fix the functionality flags of the slave-only interface", " - zap_pid_ns_processes: clear TIF_NOTIFY_SIGNAL along with TIF_SIGPENDING", " - Bluetooth: qca: Fix error code in qca_read_fw_build_info()", " - Bluetooth: qca: fix info leak when fetching board id", " - padata: Disable BH when taking works lock on MT path", " - crypto: hisilicon/sec - Fix memory leak for sec resource release", " - rcutorture: Fix rcu_torture_one_read() pipe_count overflow comment", " - rcutorture: Make stall-tasks directly exit when rcutorture tests end", " - rcutorture: Fix invalid context warning when enable srcu barrier testing", " - block/ioctl: prefer different overflow check", " - selftests/bpf: Prevent client connect before server bind in", " test_tc_tunnel.sh", " - selftests/bpf: Fix flaky test btf_map_in_map/lookup_update", " - batman-adv: bypass empty buckets in batadv_purge_orig_ref()", " - wifi: ath9k: work around memset overflow warning", " - af_packet: avoid a false positive warning in packet_setsockopt()", " - drop_monitor: replace spin_lock by raw_spin_lock", " - scsi: qedi: Fix crash while reading debugfs attribute", " - kselftest: arm64: Add a null pointer check", " - netpoll: Fix race condition in netpoll_owner_active", " - HID: Add quirk for Logitech Casa touchpad", " - ACPI: video: Add backlight=native quirk for Lenovo Slim 7 16ARH7", " - Bluetooth: ath3k: Fix multiple issues reported by checkpatch.pl", " - drm/amd/display: Exit idle optimizations before HDCP execution", " - drm/lima: add mask irq callback to gp and pp", " - drm/lima: mask irqs in timeout path before hard reset", " - powerpc/pseries: Enforce hcall result buffer validity and size", " - powerpc/io: Avoid clang null pointer arithmetic warnings", " - power: supply: cros_usbpd: provide ID table for avoiding fallback match", " - iommu/arm-smmu-v3: Free MSIs in case of ENOMEM", " - f2fs: remove clear SB_INLINECRYPT flag in default_options", " - usb: misc: uss720: check for incompatible versions of the Belkin F5U002", " - Avoid hw_desc array overrun in dw-axi-dmac", " - udf: udftime: prevent overflow in udf_disk_stamp_to_time()", " - PCI/PM: Avoid D3cold for HP Pavilion 17 PC/1972 PCIe Ports", " - MIPS: Octeon: Add PCIe link status check", " - serial: imx: Introduce timeout when waiting on transmitter empty", " - serial: exar: adding missing CTI and Exar PCI ids", " - MIPS: Routerboard 532: Fix vendor retry check code", " - mips: bmips: BCM6358: make sure CBR is correctly set", " - tracing: Build event generation tests only as modules", " - cipso: fix total option length computation", " - netrom: Fix a memory leak in nr_heartbeat_expiry()", " - ipv6: prevent possible NULL deref in fib6_nh_init()", " - ipv6: prevent possible NULL dereference in rt6_probe()", " - xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()", " - netns: Make get_net_ns() handle zero refcount net", " - qca_spi: Make interrupt remembering atomic", " - net/sched: act_api: rely on rcu in tcf_idr_check_alloc", " - net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()", " - tipc: force a dst refcount before doing decryption", " - net/sched: act_ct: set 'net' pointer when creating new nf_flow_table", " - sched: act_ct: add netns into the key of tcf_ct_flow_table", " - ptp: fix integer overflow in max_vclocks_store", " - net: stmmac: No need to calculate speed divider when offload is disabled", " - virtio_net: checksum offloading handling fix", " - octeontx2-pf: Add error handling to VLAN unoffload handling", " - netfilter: ipset: Fix suspicious rcu_dereference_protected()", " - seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6", " behaviors", " - bnxt_en: Restore PTP tx_avail count in case of skb_pad() error", " - net: usb: rtl8150 fix unintiatilzed variables in rtl8150_get_link_ksettings", " - regulator: core: Fix modpost error \"regulator_get_regmap\" undefined", " - dmaengine: idxd: Fix possible Use-After-Free in irq_process_work_list", " - dmaengine: ioat: switch from 'pci_' to 'dma_' API", " - dmaengine: ioat: Drop redundant pci_enable_pcie_error_reporting()", " - dmaengine: ioatdma: Fix leaking on version mismatch", " - dmaengine: ioat: use PCI core macros for PCIe Capability", " - dmaengine: ioatdma: Fix error path in ioat3_dma_probe()", " - dmaengine: ioatdma: Fix kmemleak in ioat_pci_probe()", " - dmaengine: ioatdma: Fix missing kmem_cache_destroy()", " - regulator: bd71815: fix ramp values", " - ACPICA: Revert \"ACPICA: avoid Info: mapping multiple BARs. Your kernel is", " fine.\"", " - RDMA/mlx5: Add check for srq max_sge attribute", " - serial: stm32: rework RX over DMA", " - net: do not leave a dangling sk pointer, when socket creation fails", " - btrfs: retry block group reclaim without infinite loop", " - KVM: x86: Always sync PIR to IRR prior to scanning I/O APIC routes", " - ALSA: hda/realtek: Limit mic boost on N14AP7", " - drm/i915/mso: using joiner is not possible with eDP MSO", " - drm/radeon: fix UBSAN warning in kv_dpm.c", " - gcov: add support for GCC 14", " - kcov: don't lose track of remote references during softirqs", " - tcp: clear tp->retrans_stamp in tcp_rcv_fastopen_synack()", " - i2c: ocores: set IACK bit after core is enabled", " - dt-bindings: i2c: google,cros-ec-i2c-tunnel: correct path to i2c-controller", " schema", " - arm64: dts: imx8qm-mek: fix gpio number for reg_usdhc2_vmmc", " - drm/amd/display: revert Exit idle optimizations before HDCP execution", " - perf: script: add raw|disasm arguments to --insn-trace option", " - perf script: Show also errors for --insn-trace option", " - ARM: dts: samsung: smdkv310: fix keypad no-autorepeat", " - ARM: dts: samsung: exynos4412-origen: fix keypad no-autorepeat", " - ARM: dts: samsung: smdk4412: fix keypad no-autorepeat", " - rtlwifi: rtl8192de: Style clean-ups", " - wifi: rtlwifi: rtl8192de: Fix 5 GHz TX power", " - pmdomain: ti-sci: Fix duplicate PD referrals", " - bcache: fix variable length array abuse in btree_iter", " - tracing: Add MODULE_DESCRIPTION() to preemptirq_delay_test", " - x86/cpu/vfm: Add new macros to work with (vendor/family/model) values", " - x86/cpu: Fix x86_match_cpu() to match just X86_VENDOR_INTEL", " - ksmbd: ignore trailing slashes in share paths", " - drm/i915/gt: Only kick the signal worker if there's been an update", " - drm/i915/gt: Disarm breadcrumbs if engines are already idle", " - Revert \"kheaders: substituting --sort in archive creation\"", " - kheaders: explicitly define file modes for archived headers", " - riscv: mm: init: try best to use IS_ENABLED(CONFIG_64BIT) instead of #ifdef", " - riscv: fix overlap of allocated page and PTR_ERR", " - perf/core: Fix missing wakeup when waiting for context reference", " - PCI: Add PCI_ERROR_RESPONSE and related definitions", " - x86/amd_nb: Check for invalid SMN reads", " - smb: client: fix deadlock in smb2_find_smb_tcon()", " - ACPI: x86: utils: Add Picasso to the list for forcing StorageD3Enable", " - ACPI: x86: Force StorageD3Enable on more products", " - gve: Add RX context.", " - gve: Clear napi->skb before dev_kfree_skb_any()", " - Input: ili210x - fix ili251x_read_touch_data() return value", " - pinctrl: fix deadlock in create_pinctrl() when handling -EPROBE_DEFER", " - pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins", " - pinctrl: rockchip: fix pinmux bits for RK3328 GPIO3-B pins", " - pinctrl: rockchip: use dedicated pinctrl type for RK3328", " - pinctrl: rockchip: fix pinmux reset in rockchip_pmx_set", " - cifs: fix typo in module parameter enable_gcm_256", " - drm/amdgpu: fix UBSAN warning in kv_dpm.c", " - net: mdio: add helpers to extract clause 45 regad and devad fields", " - net: stmmac: Assign configured channel value to EXTTS event", " - ASoC: fsl-asoc-card: set priv->pdev before using it", " - net: dsa: microchip: fix initial port flush problem", " - ibmvnic: Free any outstanding tx skbs during scrq reset", " - net: phy: micrel: add Microchip KSZ 9477 to the device table", " - xdp: Remove WARN() from __xdp_reg_mem_model()", " - tcp: Use BPF timeout setting for SYN ACK RTO", " - Fix race for duplicate reqsk on identical SYN", " - sparc: fix old compat_sys_select()", " - sparc: fix compat recv/recvfrom syscalls", " - parisc: use correct compat recv/recvfrom syscalls", " - tcp: fix tcp_rcv_fastopen_synack() to enter TCP_CA_Loss for failed TFO", " - netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data", " registers", " - bpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro()", " - drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that sleep", " - vduse: validate block features only with block devices", " - vduse: Temporarily fail if control queue feature requested", " - x86/fpu: Fix AMD X86_BUG_FXSAVE_LEAK fixup", " - mtd: partitions: redboot: Added conversion of operands to a larger type", " - bpf: Add a check for struct bpf_fib_lookup size", " - RDMA/restrack: Fix potential invalid address access", " - net/iucv: Avoid explicit cpumask var allocation on stack", " - net/dpaa2: Avoid explicit cpumask var allocation on stack", " - crypto: ecdh - explicitly zeroize private_key", " - ALSA: emux: improve patch ioctl data validation", " - media: dvbdev: Initialize sbuf", " - soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer message", " - drm/radeon/radeon_display: Decrease the size of allocated memory", " - nvme: fixup comment for nvme RDMA Provider Type", " - drm/panel: simple: Add missing display timing flags for KOE TX26D202VM0BWA", " - gpio: davinci: Validate the obtained number of IRQs", " - gpiolib: cdev: Disallow reconfiguration without direction (uAPI v1)", " - x86: stop playing stack games in profile_pc()", " - parisc: use generic sys_fanotify_mark implementation", " - ocfs2: fix DIO failure due to insufficient transaction credits", " - mmc: sdhci-pci: Convert PCIBIOS_* return codes to errnos", " - mmc: sdhci: Do not invert write-protect twice", " - mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro()", " - i2c: testunit: don't erase registers after STOP", " - i2c: testunit: discard write requests while old command is running", " - iio: adc: ad7266: Fix variable checking bug", " - iio: accel: fxls8962af: select IIO_BUFFER & IIO_KFIFO_BUF", " - iio: chemical: bme680: Fix pressure value output", " - iio: chemical: bme680: Fix calibration data variable", " - iio: chemical: bme680: Fix overflows in compensate() functions", " - iio: chemical: bme680: Fix sensor data read operation", " - net: usb: ax88179_178a: improve link status logs", " - usb: gadget: printer: SS+ support", " - usb: gadget: printer: fix races against disable", " - usb: musb: da8xx: fix a resource leak in probe()", " - usb: atm: cxacru: fix endpoint checking in cxacru_bind()", " - usb: dwc3: core: remove lock of otg mode during gadget suspend/resume to", " avoid deadlock", " - serial: 8250_omap: Implementation of Errata i2310", " - tty: mcf: MCF54418 has 10 UARTS", " - net: can: j1939: Initialize unused data in j1939_send_one()", " - net: can: j1939: recover socket queue on CAN bus error during BAM", " transmission", " - net: can: j1939: enhanced error handling for tightly received RTS messages", " in xtp_rx_rts_session_new", " - cpu/hotplug: Fix dynstate assignment in __cpuhp_setup_state_cpuslocked()", " - kbuild: Install dtb files as 0644 in Makefile.dtbinst", " - sh: rework sync_file_range ABI", " - csky, hexagon: fix broken sys_sync_file_range", " - hexagon: fix fadvise64_64 calling conventions", " - drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes", " - drm/amdgpu: avoid using null object of framebuffer", " - drm/i915/gt: Fix potential UAF by revoke of fence registers", " - drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_hd_modes", " - batman-adv: Don't accept TT entries for out-of-spec VIDs", " - ata: ahci: Clean up sysfs file on error", " - ata: libata-core: Fix double free on error", " - ftruncate: pass a signed offset", " - syscalls: fix compat_sys_io_pgetevents_time64 usage", " - syscalls: fix sys_fanotify_mark prototype", " - pwm: stm32: Refuse too small period requests", " - nfs: Leave pages in the pagecache if readpage failed", " - drivers: fix typo in firmware/efi/memmap.c", " - efi: Correct comment on efi_memmap_alloc", " - efi: memmap: Move manipulation routines into x86 arch tree", " - efi: xen: Set EFI_PARAVIRT for Xen dom0 boot on all architectures", " - efi/x86: Free EFI memory map only when installing a new one.", " - KVM: arm64: vgic-v4: Make the doorbell request robust w.r.t preemption", " - ARM: dts: rockchip: rk3066a: add #sound-dai-cells to hdmi node", " - arm64: dts: rockchip: fix PMIC interrupt pin on ROCK Pi E", " - arm64: dts: rockchip: Add sound-dai-cells for RK3368", " - serial: 8250_omap: Fix Errata i2310 with RX FIFO level check", " - tracing/net_sched: NULL pointer dereference in perf_trace_qdisc_reset()", " - Linux 5.15.162", "", " * Fix L2CAP/LE/CPU/BI-02-C bluetooth certification failure (LP: #2072858) //", " Jammy update: v5.15.162 upstream stable release (LP: #2073765)", " - Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ", "", " * net/sched: Fix conntrack use-after-free (LP: #2073092)", " - net/sched: Fix UAF when resolving a clash", "", " * Jammy update: v5.15.161 upstream stable release (LP: #2072617)", " - x86/tsc: Trust initial offset in architectural TSC-adjust MSRs", " - tty: n_gsm: fix missing receive state reset after mode switch", " - speakup: Fix sizeof() vs ARRAY_SIZE() bug", " - serial: 8250_bcm7271: use default_mux_rate if possible", " - Revert \"r8169: don't try to disable interrupts if NAPI is, scheduled", " already\"", " - r8169: Fix possible ring buffer corruption on fragmented Tx packets.", " - ring-buffer: Fix a race between readers and resize checks", " - tools/latency-collector: Fix -Wformat-security compile warns", " - net: smc91x: Fix m68k kernel compilation for ColdFire CPU", " - nilfs2: fix unexpected freezing of nilfs_segctor_sync()", " - nilfs2: fix potential hang in nilfs_detach_log_writer()", " - fs/ntfs3: Remove max link count info display during driver init", " - fs/ntfs3: Taking DOS names into account during link counting", " - fs/ntfs3: Fix case when index is reused during tree transformation", " - fs/ntfs3: Break dir enumeration if directory contents error", " - ALSA: core: Fix NULL module pointer assignment at card init", " - wifi: cfg80211: fix the order of arguments for trace events of the tx_rx_evt", " class", " - dt-bindings: rockchip: grf: Add missing type to 'pcie-phy' node", " - net: usb: qmi_wwan: add Telit FN920C04 compositions", " - drm/amd/display: Set color_mgmt_changed to true on unsuspend", " - selftests: sud_test: return correct emulated syscall value on RISC-V", " - regulator: irq_helpers: duplicate IRQ name", " - ASoC: rt5645: Fix the electric noise due to the CBJ contacts floating", " - ASoC: dt-bindings: rt5645: add cbj sleeve gpio property", " - regulator: vqmmc-ipq4019: fix module autoloading", " - ASoC: rt715: add vendor clear control register", " - ASoC: rt715-sdca: volume step modification", " - softirq: Fix suspicious RCU usage in __do_softirq()", " - ASoC: da7219-aad: fix usage of device_get_named_child_node()", " - drm/amdkfd: Flush the process wq before creating a kfd_process", " - x86/mm: Remove broken vsyscall emulation code from the page fault code", " - nvme: find numa distance only if controller has valid numa id", " - epoll: be better about file lifetimes", " - openpromfs: finish conversion to the new mount API", " - crypto: bcm - Fix pointer arithmetic", " - mm/slub, kunit: Use inverted data to corrupt kmem cache", " - firmware: raspberrypi: Use correct device for DMA mappings", " - ecryptfs: Fix buffer size for tag 66 packet", " - nilfs2: fix out-of-range warning", " - parisc: add missing export of __cmpxchg_u8()", " - crypto: ccp - drop platform ifdef checks", " - crypto: x86/nh-avx2 - add missing vzeroupper", " - crypto: x86/sha256-avx2 - add missing vzeroupper", " - crypto: x86/sha512-avx2 - add missing vzeroupper", " - s390/cio: fix tracepoint subchannel type field", " - jffs2: prevent xattr node from overflowing the eraseblock", " - soc: mediatek: cmdq: Fix typo of CMDQ_JUMP_RELATIVE", " - null_blk: Fix missing mutex_destroy() at module removal", " - md: fix resync softlockup when bitmap size is less than array size", " - wifi: ath10k: poll service ready message before failing", " - x86/boot: Ignore relocations in .notes sections in walk_relocs() too", " - sched/fair: Add EAS checks before updating root_domain::overutilized", " - qed: avoid truncating work queue length", " - bpf: Pack struct bpf_fib_lookup", " - scsi: ufs: qcom: Perform read back after writing reset bit", " - scsi: ufs: qcom: Perform read back after writing REG_UFS_SYS1CLK_1US", " - scsi: ufs: ufs-qcom: Fix the Qcom register name for offset 0xD0", " - scsi: ufs: ufs-qcom: Clear qunipro_g4_sel for HW version major 5", " - scsi: ufs: qcom: Perform read back after writing unipro mode", " - scsi: ufs: qcom: Perform read back after writing CGC enable", " - scsi: ufs: cdns-pltfrm: Perform read back after writing HCLKDIV", " - scsi: ufs: core: Perform read back after disabling interrupts", " - scsi: ufs: core: Perform read back after disabling UIC_COMMAND_COMPL", " - irqchip/alpine-msi: Fix off-by-one in allocation error path", " - irqchip/loongson-pch-msi: Fix off-by-one on allocation error path", " - ACPI: disable -Wstringop-truncation", " - gfs2: Don't forget to complete delayed withdraw", " - gfs2: Fix \"ignore unlock failures after withdraw\"", " - selftests/bpf: Fix umount cgroup2 error in test_sockmap", " - cpufreq: Reorganize checks in cpufreq_offline()", " - cpufreq: Split cpufreq_offline()", " - cpufreq: Rearrange locking in cpufreq_remove_dev()", " - cpufreq: exit() callback is optional", " - net: export inet_lookup_reuseport and inet6_lookup_reuseport", " - net: remove duplicate reuseport_lookup functions", " - udp: Avoid call to compute_score on multiple sites", " - cppc_cpufreq: Fix possible null pointer dereference", " - scsi: libsas: Fix the failure of adding phy with zero-address to port", " - scsi: hpsa: Fix allocation size for Scsi_Host private data", " - x86/purgatory: Switch to the position-independent small code model", " - thermal/drivers/tsens: Fix null pointer dereference", " - wifi: ath10k: Fix an error code problem in", " ath10k_dbg_sta_write_peer_debug_trigger()", " - wifi: ath10k: populate board data for WCN3990", " - net: dsa: mv88e6xxx: Add support for model-specific pre- and post-reset", " handlers", " - net: dsa: mv88e6xxx: Avoid EEPROM timeout without EEPROM on 88E6250-family", " switches", " - tcp: avoid premature drops in tcp_add_backlog()", " - pwm: sti: Convert to platform remove callback returning void", " - pwm: sti: Prepare removing pwm_chip from driver data", " - pwm: sti: Simplify probe function using devm functions", " - net: give more chances to rcu in netdev_wait_allrefs_any()", " - macintosh/via-macii: Fix \"BUG: sleeping function called from invalid", " context\"", " - wifi: carl9170: add a proper sanity check for endpoints", " - wifi: ar5523: enable proper endpoint verification", " - sh: kprobes: Merge arch_copy_kprobe() into arch_prepare_kprobe()", " - Revert \"sh: Handle calling csum_partial with misaligned data\"", " - selftests/binderfs: use the Makefile's rules, not Make's implicit rules", " - selftests/resctrl: fix clang build failure: use LOCAL_HDRS", " - HID: intel-ish-hid: ipc: Add check for pci_alloc_irq_vectors", " - scsi: bfa: Ensure the copied buf is NUL terminated", " - scsi: qedf: Ensure the copied buf is NUL terminated", " - scsi: qla2xxx: Fix debugfs output for fw_resource_count", " - wifi: mwl8k: initialize cmd->addr[] properly", " - usb: aqc111: stop lying about skb->truesize", " - net: usb: sr9700: stop lying about skb->truesize", " - m68k: Fix spinlock race in kernel thread creation", " - m68k: mac: Fix reboot hang on Mac IIci", " - net: ipv6: fix wrong start position when receive hop-by-hop fragment", " - eth: sungem: remove .ndo_poll_controller to avoid deadlocks", " - net: ethernet: cortina: Locking fixes", " - af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg", " - net: usb: smsc95xx: stop lying about skb->truesize", " - net: openvswitch: fix overwriting ct original tuple for ICMPv6", " - ipv6: sr: add missing seg6_local_exit", " - ipv6: sr: fix incorrect unregister order", " - ipv6: sr: fix invalid unregister error path", " - net/mlx5: Discard command completions in internal error", " - s390/bpf: Emit a barrier for BPF_FETCH instructions", " - mptcp: SO_KEEPALIVE: fix getsockopt support", " - printk: Let no_printk() use _printk()", " - dev_printk: Add and use dev_no_printk()", " - drm/amd/display: Fix potential index out of bounds in color transformation", " function", " - ASoC: Intel: Disable route checks for Skylake boards", " - mtd: core: Report error if first mtd_otp_size() call fails in", " mtd_otp_nvmem_add()", " - mtd: rawnand: hynix: fixed typo", " - fbdev: shmobile: fix snprintf truncation", " - ASoC: kirkwood: Fix potential NULL dereference", " - drm/meson: vclk: fix calculation of 59.94 fractional rates", " - drm/mediatek: Add 0 size check to mtk_drm_gem_obj", " - powerpc/fsl-soc: hide unused const variable", " - fbdev: sisfb: hide unused variables", " - media: ngene: Add dvb_ca_en50221_init return value check", " - media: radio-shark2: Avoid led_names truncations", " - drm: bridge: cdns-mhdp8546: Fix possible null pointer dereference", " - media: ipu3-cio2: Use temporary storage for struct device pointer", " - media: ipu3-cio2: Request IRQ earlier", " - media: dt-bindings: ovti,ov2680: Fix the power supply names", " - fbdev: sh7760fb: allow modular build", " - media: atomisp: ssh_css: Fix a null-pointer dereference in", " load_video_binaries", " - drm/arm/malidp: fix a possible null pointer dereference", " - drm: vc4: Fix possible null pointer dereference", " - ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value", " - drm/bridge: lt8912b: Don't log an error when DSI host can't be found", " - drm/bridge: lt9611: Don't log an error when DSI host can't be found", " - drm/bridge: tc358775: Don't log an error when DSI host can't be found", " - drm/panel: simple: Add missing Innolux G121X1-L03 format, flags, connector", " - drm/mipi-dsi: use correct return type for the DSC functions", " - RDMA/mlx5: Adding remote atomic access flag to updatable flags", " - RDMA/hns: Fix return value in hns_roce_map_mr_sg", " - RDMA/hns: Fix deadlock on SRQ async events.", " - RDMA/hns: Fix GMV table pagesize", " - RDMA/hns: Use complete parentheses in macros", " - RDMA/hns: Modify the print level of CQE error", " - clk: qcom: mmcc-msm8998: fix venus clock issue", " - x86/insn: Fix PUSH instruction in x86 instruction decoder opcode map", " - ext4: avoid excessive credit estimate in ext4_tmpfile()", " - virt: acrn: Prefer array_size and struct_size over open coded arithmetic", " - virt: acrn: stop using follow_pfn", " - drivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map()", " - sunrpc: removed redundant procp check", " - ext4: simplify calculation of blkoff in ext4_mb_new_blocks_simple", " - ext4: fix unit mismatch in ext4_mb_new_blocks_simple", " - ext4: try all groups in ext4_mb_new_blocks_simple", " - ext4: remove unused parameter from ext4_mb_new_blocks_simple()", " - ext4: fix potential unnitialized variable", " - SUNRPC: Fix gss_free_in_token_pages()", " - selftests/kcmp: Make the test output consistent and clear", " - selftests/kcmp: remove unused open mode", " - RDMA/IPoIB: Fix format truncation compilation errors", " - selftests: net: bridge: increase IGMP/MLD exclude timeout membership", " interval", " - net: qrtr: ns: Fix module refcnt", " - netrom: fix possible dead-lock in nr_rt_ioctl()", " - af_packet: do not call packet_read_pending() from tpacket_destruct_skb()", " - sched/fair: Allow disabling sched_balance_newidle with", " sched_relax_domain_level", " - sched/core: Fix incorrect initialization of the 'burst' parameter in", " cpu_max_write()", " - greybus: lights: check return of get_channel_from_mode", " - f2fs: Delete f2fs_copy_page() and replace with memcpy_page()", " - f2fs: fix to wait on page writeback in __clone_blkaddrs()", " - soundwire: cadence: fix invalid PDI offset", " - dmaengine: idma64: Add check for dma_set_max_seg_size", " - firmware: dmi-id: add a release callback function", " - serial: max3100: Lock port->lock when calling uart_handle_cts_change()", " - serial: max3100: Update uart_driver_registered on driver removal", " - serial: max3100: Fix bitwise types", " - greybus: arche-ctrl: move device table to its right location", " - PCI: tegra194: Fix probe path for Endpoint mode", " - serial: sc16is7xx: add proper sched.h include for sched_set_fifo()", " - dt-bindings: PCI: rcar-pci-host: Add optional regulators", " - dt-bindings: PCI: rcar-pci-host: Add missing IOMMU properties", " - f2fs: compress: fix to relocate check condition in", " f2fs_{release,reserve}_compress_blocks()", " - f2fs: convert to use sbi directly", " - f2fs: compress: fix to relocate check condition in", " f2fs_ioc_{,de}compress_file()", " - f2fs: do not allow partial truncation on pinned file", " - f2fs: fix typos in comments", " - f2fs: fix to relocate check condition in f2fs_fallocate()", " - f2fs: fix to check pinfile flag in f2fs_move_file_range()", " - coresight: etm4x: Fix unbalanced pm_runtime_enable()", " - iio: pressure: dps310: support negative temperature values", " - coresight: etm4x: Do not hardcode IOMEM access for register restore", " - coresight: etm4x: Do not save/restore Data trace control registers", " - coresight: no-op refactor to make INSTP0 check more idiomatic", " - coresight: etm4x: Cleanup TRCIDR0 register accesses", " - coresight: etm4x: Safe access for TRCQCLTR", " - coresight: etm4x: Fix access to resource selector registers", " - fpga: region: Use standard dev_release for class driver", " - fpga: region: add owner module and take its refcount", " - microblaze: Remove gcc flag for non existing early_printk.c file", " - microblaze: Remove early printk call from cpuinfo-static.c", " - dt-bindings: pinctrl: mediatek: mt7622: fix array properties", " - watchdog: bd9576_wdt: switch to using devm_fwnode_gpiod_get()", " - watchdog: bd9576: Drop \"always-running\" property", " - usb: gadget: u_audio: Clear uac pointer when freed.", " - stm class: Fix a double free in stm_register_device()", " - ppdev: Remove usage of the deprecated ida_simple_xx() API", " - ppdev: Add an error check in register_device", " - extcon: max8997: select IRQ_DOMAIN instead of depending on it", " - PCI/EDR: Align EDR_PORT_DPC_ENABLE_DSM with PCI Firmware r3.3", " - PCI/EDR: Align EDR_PORT_LOCATE_DSM with PCI Firmware r3.3", " - f2fs: compress: fix to cover {reserve,release}_compress_blocks() w/ cp_rwsem", " lock", " - f2fs: fix to release node block count in error path of f2fs_new_node_page()", " - f2fs: compress: don't allow unaligned truncation on released compress inode", " - serial: sh-sci: protect invalidating RXDMA on shutdown", " - libsubcmd: Fix parse-options memory leak", " - s390/vdso: filter out mno-pic-data-is-text-relative cflag", " - s390/vdso64: filter out munaligned-symbols flag for vdso", " - s390/vdso: Generate unwind information for C modules", " - s390/vdso: Use standard stack frame layout", " - s390/ipl: Fix incorrect initialization of len fields in nvme reipl block", " - s390/ipl: Fix incorrect initialization of nvme dump block", " - s390/boot: Remove alt_stfle_fac_list from decompressor", " - Input: ims-pcu - fix printf string overflow", " - Input: ioc3kbd - convert to platform remove callback returning void", " - Input: ioc3kbd - add device table", " - mmc: sdhci_am654: Add tuning algorithm for delay chain", " - mmc: sdhci_am654: Write ITAPDLY for DDR52 timing", " - mmc: sdhci_am654: Drop lookup for deprecated ti,otap-del-sel", " - mmc: sdhci_am654: Add OTAP/ITAP delay enable", " - mmc: sdhci_am654: Add ITAPDLYSEL in sdhci_j721e_4bit_set_clock", " - mmc: sdhci_am654: Fix ITAPDLY for HS400 timing", " - Input: pm8xxx-vibrator - correct VIB_MAX_LEVELS calculation", " - drm/msm/dsi: Print dual-DSI-adjusted pclk instead of original mode pclk", " - drm/msm/dpu: Always flush the slave INTF on the CTL", " - um: Fix return value in ubd_init()", " - um: vector: fix bpfflash parameter evaluation", " - fs/ntfs3: Use 64 bit variable to avoid 32 bit overflow", " - fs/ntfs3: Use variable length array instead of fixed size", " - drm/bridge: tc358775: fix support for jeida-18 and jeida-24", " - media: stk1160: fix bounds checking in stk1160_copy_video()", " - scsi: qla2xxx: Replace all non-returning strlcpy() with strscpy()", " - Input: cyapa - add missing input core locking to suspend/resume functions", " - media: flexcop-usb: clean up endpoint sanity checks", " - media: flexcop-usb: fix sanity check of bNumEndpoints", " - powerpc/pseries: Add failure related checks for h_get_mpp and h_get_ppp", " - um: Fix the -Wmissing-prototypes warning for __switch_mm", " - media: cec: cec-adap: always cancel work in cec_transmit_msg_fh", " - media: cec: cec-api: add locking in cec_release()", " - media: cec: call enable_adap on s_log_addrs", " - media: cec: abort if the current transmit was canceled", " - media: cec: correctly pass on reply results", " - media: cec: use call_op and check for !unregistered", " - media: cec-adap.c: drop activate_cnt, use state info instead", " - media: cec: core: avoid recursive cec_claim_log_addrs", " - media: cec: core: avoid confusing \"transmit timed out\" message", " - null_blk: Fix the WARNING: modpost: missing MODULE_DESCRIPTION()", " - ASoC: mediatek: mt8192: fix register configuration for tdm", " - regulator: bd71828: Don't overwrite runtime voltages", " - x86/kconfig: Select ARCH_WANT_FRAME_POINTERS again when", " UNWINDER_FRAME_POINTER=y", " - [Config] Update CONFIG_ARCH_WANT_FRAME_POINTERS", " - net: Always descend into dsa/ folder with CONFIG_NET_DSA enabled", " - ipv6: sr: fix missing sk_buff release in seg6_input_core", " - nfc: nci: Fix uninit-value in nci_rx_work", " - ASoC: tas2552: Add TX path for capturing AUDIO-OUT data", " - NFSv4: Fixup smatch warning for ambiguous return", " - sunrpc: fix NFSACL RPC retry on soft mount", " - rpcrdma: fix handling for RDMA_CM_EVENT_DEVICE_REMOVAL", " - af_unix: Update unix_sk(sk)->oob_skb under sk_receive_queue lock.", " - ipv6: sr: fix memleak in seg6_hmac_init_algo", " - tcp: Fix shift-out-of-bounds in dctcp_update_alpha().", " - openvswitch: Set the skbuff pkt_type for proper pmtud support.", " - arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY", " - virtio: delete vq in vp_find_vqs_msix() when request_irq() fails", " - riscv: stacktrace: Make walk_stackframe cross pt_regs frame", " - riscv: stacktrace: fixed walk_stackframe()", " - net: fec: avoid lock evasion when reading pps_enable", " - tls: fix missing memory barrier in tls_init", " - nfc: nci: Fix kcov check in nci_rx_work()", " - nfc: nci: Fix handling of zero-length payload packets in nci_rx_work()", " - ice: Interpret .set_channels() input differently", " - netfilter: nfnetlink_queue: acquire rcu_read_lock() in", " instance_destroy_rcu()", " - netfilter: nft_payload: restore vlan q-in-q match support", " - spi: Don't mark message DMA mapped when no transfer in it is", " - dma-mapping: benchmark: fix node id validation", " - dma-mapping: benchmark: handle NUMA_NO_NODE correctly", " - nvmet: fix ns enable/disable possible hang", " - net: phy: micrel: set soft_reset callback to genphy_soft_reset for KSZ8061", " - net/mlx5e: Fix IPsec tunnel mode offload feature check", " - net/mlx5e: Use rx_missed_errors instead of rx_dropped for reporting buffer", " exhaustion", " - dma-buf/sw-sync: don't enable IRQ from sync_print_obj()", " - bpf: Fix potential integer overflow in resolve_btfids", " - enic: Validate length of nl attributes in enic_set_vf_port", " - net: usb: smsc95xx: fix changing LED_SEL bit value updated from EEPROM", " - bpf: Allow delete from sockmap/sockhash only if update is allowed", " - net:fec: Add fec_enet_deinit()", " - netfilter: nft_payload: move struct nft_payload_set definition where it", " belongs", " - netfilter: nft_payload: rebuild vlan header when needed", " - netfilter: nft_payload: rebuild vlan header on h_proto access", " - netfilter: nft_payload: skbuff vlan metadata mangle support", " - netfilter: tproxy: bail out if IP has been disabled on the device", " - kconfig: fix comparison to constant symbols, 'm', 'n'", " - spi: stm32: Don't warn about spurious interrupts", " - net: ena: Add capabilities field with support for ENI stats capability", " - net: ena: Extract recurring driver reset code into a function", " - net: ena: Do not waste napi skb cache", " - net: ena: Add dynamic recycling mechanism for rx buffers", " - net: ena: Reduce lines with longer column width boundary", " - net: ena: Fix redundant device NUMA node override", " - ipvlan: Dont Use skb->sk in ipvlan_process_v{4,6}_outbound", " - hwmon: (shtc1) Fix property misspelling", " - ALSA: timer: Set lower bound of start tick time", " - KVM: x86: Don't advertise guest.MAXPHYADDR as host.MAXPHYADDR in CPUID", " - genirq/cpuhotplug, x86/vector: Prevent vector leak during CPU offline", " - net: ena: Fix DMA syncing in XDP path when SWIOTLB is on", " - media: cec: core: add adap_nb_transmit_canceled() callback", " - SUNRPC: Fix loop termination condition in gss_free_in_token_pages()", " - drm: Check output polling initialized before disabling", " - drm: Check polling initialized before enabling in", " drm_helper_probe_single_connector_modes", " - mmc: core: Do not force a retune before RPMB switch", " - io_uring: fail NOP if non-zero op flags is passed in", " - afs: Don't cross .backup mountpoint from backup volume", " - nilfs2: fix use-after-free of timer for log writer thread", " - mptcp: fix full TCP keep-alive support", " - vxlan: Fix regression when dropping packets due to invalid src addresses", " - net: dsa: sja1105: always enable the INCL_SRCPT option", " - net: dsa: tag_sja1105: always prefer source port information from INCL_SRCPT", " - scripts/gdb: fix SB_* constants parsing", " - sunrpc: exclude from freezer when waiting for requests:", " - f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode()", " - media: lgdt3306a: Add a check against null-pointer-def", " - drm/amdgpu: add error handle to avoid out-of-bounds", " - ata: pata_legacy: make legacy_exit() work again", " - thermal/drivers/qcom/lmh: Check for SCM availability at probe", " - soc: qcom: rpmh-rsc: Enhance check for VRM in-flight request", " - ACPI: resource: Do IRQ override on TongFang GXxHRXx and GMxHGxx", " - arm64: tegra: Correct Tegra132 I2C alias", " - arm64: dts: qcom: qcs404: fix bluetooth device address", " - md/raid5: fix deadlock that raid5d() wait for itself to clear", " MD_SB_CHANGE_PENDING", " - wifi: rtl8xxxu: Fix the TX power of RTL8192CU, RTL8723AU", " - wifi: rtlwifi: rtl8192de: Fix low speed with WPA3-SAE", " - wifi: rtlwifi: rtl8192de: Fix endianness issue in RX path", " - arm64: dts: hi3798cv200: fix the size of GICR", " - media: mc: mark the media devnode as registered from the, start", " - media: mxl5xx: Move xpt structures off stack", " - media: v4l2-core: hold videodev_lock until dev reg, finishes", " - mmc: core: Add mmc_gpiod_set_cd_config() function", " - mmc: sdhci-acpi: Sort DMI quirks alphabetically", " - mmc: sdhci-acpi: Fix Lenovo Yoga Tablet 2 Pro 1380 sdcard slot not working", " - mmc: sdhci-acpi: Disable write protect detection on Toshiba WT10-A", " - fbdev: savage: Handle err return when savagefb_check_var failed", " - drm/amdgpu/atomfirmware: add intergrated info v2.3 table", " - KVM: arm64: Fix AArch32 register narrowing on userspace write", " - KVM: arm64: Allow AArch32 PSTATE.M to be restored as System mode", " - crypto: ecdsa - Fix module auto-load on add-key", " - crypto: ecrdsa - Fix module auto-load on add_key", " - crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak", " - net/ipv6: Fix route deleting failure when metric equals 0", " - net/9p: fix uninit-value in p9_client_rpc()", " - intel_th: pci: Add Meteor Lake-S CPU support", " - sparc64: Fix number of online CPUs", " - watchdog: rti_wdt: Set min_hw_heartbeat_ms to accommodate a safety margin", " - kdb: Fix buffer overflow during tab-complete", " - kdb: Use format-strings rather than '\\0' injection in kdb_read()", " - kdb: Fix console handling when editing and tab-completing commands", " - kdb: Merge identical case statements in kdb_read()", " - kdb: Use format-specifiers rather than memset() for padding in kdb_read()", " - net: fix __dst_negative_advice() race", " - sparc: move struct termio to asm/termios.h", " - ext4: set type of ac_groups_linear_remaining to __u32 to avoid overflow", " - ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()", " - s390/ap: Fix crash in AP internal function modify_bitmap()", " - s390/cpacf: Split and rework cpacf query functions", " - s390/cpacf: Make use of invalid opcode produce a link error", " - i3c: master: svc: fix invalidate IBI type and miss call client IBI handler", " - EDAC/igen6: Convert PCIBIOS_* return codes to errnos", " - nfs: fix undefined behavior in nfs_block_bits()", " - NFS: Fix READ_PLUS when server doesn't support OP_READ_PLUS", " - scsi: ufs: ufs-qcom: Clear qunipro_g4_sel for HW major version > 5", " - Linux 5.15.161", "", " * Virtualbox Guru meditation on VM start caused by kernel commit in v6.9-rc4", " (LP: #2073267)", " - SAUCE: Revert \"randomize_kstack: Improve entropy diffusion\"", "", " * CVE-2024-26921", " - inet: inet_defrag: prevent sk release while still in use", "", " * Jammy update: v5.15.162 upstream stable release (LP: #2073765) //", " CVE-2024-39484", " - mmc: davinci: Don't strip remove function when driver is builtin", "", " * CVE-2024-39292", " - um: Add winch to winch_handlers before registering winch IRQ", "", " * CVE-2024-36901", " - ipv6: prevent NULL dereference in ip6_output()", "", " * CVE-2024-26830", " - i40e: Do not allow untrusted VF to remove administratively set MAC", "", " * CVE-2024-26680", " - net: atlantic: Fix DMA mapping for PTP hwts ring", "", " * CVE-2023-52760", " - gfs2: Fix slab-use-after-free in gfs2_qd_dealloc", "", " * CVE-2023-52629", " - sh: push-switch: Reorder cleanup operations to avoid use-after-free bug", "" ], "package": "linux", "version": "5.15.0-120.130", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2075903, 1786013, 2075170, 2074215, 2075170, 2073765, 2072858, 2073765, 2073092, 2072617, 2073267, 2073765 ], "author": "Roxana Nicolescu ", "date": "Fri, 02 Aug 2024 20:11:12 +0200" } ], "notes": "linux-modules-5.15.0-122-generic version '5.15.0-122.132' (source package linux version '5.15.0-122.132') was added. linux-modules-5.15.0-122-generic version '5.15.0-122.132' has the same source package name, linux, as removed package linux-headers-5.15.0-119. As such we can use the source package version of the removed package, '5.15.0-119.129', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." } ], "snap": [] }, "removed": { "deb": [ { "name": "linux-headers-5.15.0-119", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-119.129", "version": "5.15.0-119.129" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-headers-5.15.0-119-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-119.129", "version": "5.15.0-119.129" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-image-5.15.0-119-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "5.15.0-119.129", "version": "5.15.0-119.129" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-modules-5.15.0-119-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.15.0-119.129", "version": "5.15.0-119.129" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 22.04 jammy image from release image serial 20240912 to 20241002", "from_series": "jammy", "to_series": "jammy", "from_serial": "20240912", "to_serial": "20241002", "from_manifest_filename": "release_manifest.previous", "to_manifest_filename": "manifest.current" }