Format: 1.8
Date: Sat, 30 Dec 2023 10:31:20 +0100
Source: linux-signed-arm64
Architecture: source
Version: 6.1.69+1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Changes:
 linux-signed-arm64 (6.1.69+1) bookworm-security; urgency=high
 .
   * Sign kernel from linux 6.1.69-1
 .
   * New upstream stable update:
     https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.68
     - hrtimers: Push pending hrtimers away from outgoing CPU earlier
     - i2c: designware: Fix corrupted memory seen in the ISR
     - netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test
     - tg3: Move the [rt]x_dropped counters to tg3_napi
     - tg3: Increment tx_dropped in tg3_tso_bug()
     - kconfig: fix memory leak from range properties
     - drm/amdgpu: correct chunk_ptr to a pointer to chunk.
     - [x86] Introduce ia32_enabled()
     - [amd64] x86/coco: Disable 32-bit emulation by default on TDX and SEV
     - [x86] entry: Convert INT 0x80 emulation to IDTENTRY
     - [x86] entry: Do not allow external 0x80 interrupts
     - [x86] tdx: Allow 32-bit emulation by default
     - [x86] platform/x86: asus-wmi: Move i8042 filter install to shared asus-wmi code
     - [powerpc*] of: dynamic: Fix of_reconfig_get_state_change() return value documentation
     - [x86] platform/x86: wmi: Skip blocks with zero instances
     - ipv6: fix potential NULL deref in fib6_add()
     - hv_netvsc: rndis_filter needs to select NLS
     - r8152: Rename RTL8152_UNPLUG to RTL8152_INACCESSIBLE
     - r8152: Add RTL8152_INACCESSIBLE checks to more loops
     - r8152: Add RTL8152_INACCESSIBLE to r8156b_wait_loading_flash()
     - r8152: Add RTL8152_INACCESSIBLE to r8153_pre_firmware_1()
     - r8152: Add RTL8152_INACCESSIBLE to r8153_aldps_en()
     - arcnet: restoring support for multiple Sohard Arcnet cards
     - net: stmmac: fix FPE events losing
     - xsk: Skip polling event check for unbound socket
     - i40e: Fix unexpected MFS warning message
     - iavf: validate tx_coalesce_usecs even if rx_coalesce_usecs is zero
     - net: bnxt: fix a potential use-after-free in bnxt_init_tc
     - tcp: fix mid stream window clamp.
     - ionic: fix snprintf format length warning
     - ionic: Fix dim work handling in split interrupt mode
     - ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit()
     - net: atlantic: Fix NULL dereference of skb pointer in
     - [arm64] net: hns: fix wrong head when modify the tx feature when sending packets
     - [arm64] net: hns: fix fake link up on xge port
     - netfilter: nft_exthdr: add boolean DCCP option matching
     - netfilter: nf_tables: fix 'exist' matching on bigendian arches
     - netfilter: nf_tables: bail out on mismatching dynset and set expressions (CVE-2023-6622)
     - netfilter: nf_tables: validate family when identifying table via handle
     - netfilter: xt_owner: Fix for unsafe access of sk->sk_socket
     - tcp: do not accept ACK of bytes we never sent
     - bpf: sockmap, updating the sg structure should also update curr
     - psample: Require 'CAP_NET_ADMIN' when joining "packets" group
     - drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group
     - [arm64] tee: optee: Fix supplicant based device enumeration
     - [arm64] RDMA/hns: Fix unnecessary err return when using invalid congest control algorithm
     - RDMA/irdma: Do not modify to SQD on error
     - RDMA/irdma: Add wait for suspend on SQD
     - [arm64] ASoC: fsl_sai: Fix no frame sync clock issue on i.MX8MP
     - RDMA/irdma: Refactor error handling in create CQP
     - RDMA/irdma: Fix UAF in irdma_sc_ccq_get_cqe_info()
     - [x86] hwmon: (acpi_power_meter) Fix 4.29 MW bug
     - [x86] ASoC: wm_adsp: fix memleak in wm_adsp_buffer_populate
     - RDMA/core: Fix umem iterator when PAGE_SIZE is greater then HCA pgsz
     - RDMA/irdma: Avoid free the non-cqp_request scratch
     - [arm64] dts: imx8mq: drop usb3-resume-missing-cas from usb
     - [arm64] dts: imx8mp: imx8mq: Add parkmode-disable-ss-quirk on DWC3
     - tracing: Fix a warning when allocating buffered events fails
     - scsi: be2iscsi: Fix a memleak in beiscsi_init_wrb_handle()
     - [armhf] imx: Check return value of devm_kasprintf in imx_mmdc_perf_init
     - md: introduce md_ro_state
     - md: don't leave 'MD_RECOVERY_FROZEN' in error path of md_set_readonly()
     - iommu: Avoid more races around device probe
     - [x86] rethook: Use __rcu pointer for rethook::handler
     - kprobes: consistent rcu api usage for kretprobe holder
     - [x86] ASoC: amd: yc: Fix non-functional mic on ASUS E1504FA
     - io_uring/af_unix: disable sending io_uring over sockets (CVE-2023-6531)
     - nvme-pci: Add sleep quirk for Kingston drives
     - io_uring: fix mutex_unlock with unreferenced ctx
     - ALSA: usb-audio: Add Pioneer DJM-450 mixer controls
     - ALSA: pcm: fix out-of-bounds in snd_pcm_state_names
     - ALSA: hda/realtek: Enable headset on Lenovo M90 Gen5
     - ALSA: hda/realtek: add new Framework laptop to quirks
     - ALSA: hda/realtek: Add Framework laptop 16 to quirks
     - ring-buffer: Test last update in 32bit version of __rb_time_read()
     - nilfs2: fix missing error check for sb_set_blocksize call
     - nilfs2: prevent WARNING in nilfs_sufile_set_segment_usage()
     - cgroup_freezer: cgroup_freezing: Check if not frozen
     - checkstack: fix printed address
     - tracing: Always update snapshot buffer size
     - tracing: Disable snapshot buffer when stopping instance tracers
     - tracing: Fix incomplete locking when disabling buffered events
     - tracing: Fix a possible race when disabling buffered events
     - packet: Move reference count in packet_sock to atomic_long_t
     - r8169: fix rtl8125b PAUSE frames blasting when suspended
     - regmap: fix bogus error on regcache_sync success
     - [x86] platform/surface: aggregator: fix recv_buf() return value
     - hugetlb: fix null-ptr-deref in hugetlb_vma_lock_write
     - mm: fix oops when filemap_map_pmd() without prealloc_pte
     - md/raid6: use valid sector values to determine if an I/O should wait on the reshape
     - [arm*] binder: fix memory leaks of spam and pending work
     - [arm64] coresight: etm4x: Make etm4_remove_dev() return void
     - [arm64] coresight: etm4x: Remove bogous __exit annotation for some functions
     - hwtracing: hisi_ptt: Add dummy callback pmu::read()
     - [x86] misc: mei: client.c: return negative error code in mei_cl_write
     - [x86] misc: mei: client.c: fix problem of return '-EOVERFLOW' in mei_cl_write
     - ring-buffer: Force absolute timestamp on discard of event
     - tracing: Set actual size after ring buffer resize
     - tracing: Stop current tracer when resizing buffer
     - perf: Fix perf_event_validate_size() (CVE-2023-6931)
     - [x86] sev: Fix kernel crash due to late update to read-only ghcb_version
     - gpiolib: sysfs: Fix error handling on failed export
     - drm/amdgpu: fix memory overflow in the IB test
     - drm/amd/amdgpu: Fix warnings in amdgpu/amdgpu_display.c
     - drm/amdgpu: correct the amdgpu runtime dereference usage count
     - drm/amdgpu: Update ras eeprom support for smu v13_0_0 and v13_0_10
     - drm/amdgpu: Add EEPROM I2C address support for ip discovery
     - drm/amdgpu: Remove redundant I2C EEPROM address
     - drm/amdgpu: Decouple RAS EEPROM addresses from chips
     - drm/amdgpu: Add support for RAS table at 0x40000
     - drm/amdgpu: Remove second moot switch to set EEPROM I2C address
     - drm/amdgpu: Return from switch early for EEPROM I2C address
     - drm/amdgpu: simplify amdgpu_ras_eeprom.c
     - drm/amdgpu: Add I2C EEPROM support on smu v13_0_6
     - drm/amdgpu: Update EEPROM I2C address for smu v13_0_0
     - usb: gadget: f_hid: fix report descriptor allocation
     - serial: 8250_dw: Add ACPI ID for Granite Rapids-D UART
     - parport: Add support for Brainboxes IX/UC/PX parallel cards
     - cifs: Fix non-availability of dedup breaking generic/304
     - Revert "xhci: Loosen RPM as default policy to cover for AMD xHC 1.1"
     - smb: client: fix potential NULL deref in parse_dfs_referrals()
     - usb: typec: class: fix typec_altmode_put_partner to put plugs
     - [arm64,armhf] PL011: Fix DMA support
     - [arm64] serial: 8250: 8250_omap: Clear UART_HAS_RHR_IT_DIS bit
     - [arm64] serial: 8250: 8250_omap: Do not start RX DMA on THRI interrupt
     - [arm64] serial: 8250_omap: Add earlycon support for the AM654 UART controller
     - devcoredump: Send uevent once devcd is ready
     - [x86] CPU/AMD: Check vendor in the AMD microcode callback
     - USB: gadget: core: adjust uevent timing on gadget unbind
     - cifs: Fix flushing, invalidation and file size with copy_file_range()
     - cifs: Fix flushing, invalidation and file size with FICLONE
     - [mips*] kernel: Clear FPU states when setting up kernel threads (Closes: #1055021)
     - [s390x] KVM: s390/mm: Properly reset no-dat
     - [x86] KVM: SVM: Update EFER software model on CR0 trap for SEV-ES
     - netfilter: nft_set_pipapo: skip inactive elements during set walk (CVE-2023-6817)
     - [x86] drm/i915/display: Drop check for doublescan mode in modevalid
     - [x86] drm/i915/lvds: Use REG_BIT() & co.
     - [x86] drm/i915/sdvo: stop caching has_hdmi_monitor in struct intel_sdvo
     - [x86] drm/i915: Skip some timing checks on BXT/GLK DSI transcoders
     https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.69
     - [x86] perf/x86/uncore: Don't WARN_ON_ONCE() for a broken discovery table
     - r8152: add USB device driver for config selection
     - r8152: add vendor/device ID pair for D-Link DUB-E250
     - r8152: add vendor/device ID pair for ASUS USB-C2500
     - [powerpc*] ftrace: Fix stack teardown in ftrace_no_trace
     - ext4: fix warning in ext4_dio_write_end_io()
     - ksmbd: fix memory leak in smb2_lock()
     - afs: Fix refcount underflow from error handling race (Closes: #1052304)
     - HID: lenovo: Restrict detection of patched firmware only to USB cptkbd (Closes: #1058758)
     - net/mlx5e: Fix possible deadlock on mlx5e_tx_timeout_work
     - net: ipv6: support reporting otherwise unknown prefix flags in RTM_NEWPREFIX
     - bnxt_en: Clear resource reservation during resume
     - bnxt_en: Save ring error counters across reset
     - bnxt_en: Fix wrong return value check in bnxt_close_nic()
     - bnxt_en: Fix HWTSTAMP_FILTER_ALL packet timestamp logic
     - atm: solos-pci: Fix potential deadlock on &cli_queue_lock
     - atm: solos-pci: Fix potential deadlock on &tx_queue_lock
     - net: vlan: introduce skb_vlan_eth_hdr()
     - net: fec: correct queue selection
     - atm: Fix Use-After-Free in do_vcc_ioctl (CVE-2023-51780)
     - net/rose: Fix Use-After-Free in rose_ioctl (CVE-2023-51782)
     - iavf: Introduce new state machines for flow director
     - iavf: Handle ntuple on/off based on new state machines for flow director
     - qed: Fix a potential use-after-free in qed_cxt_tables_alloc
     - net: Remove acked SYN flag from packet in the transmit queue correctly
     - net: ena: Destroy correct number of xdp queues upon failure
     - net: ena: Fix xdp drops handling due to multibuf packets
     - net: ena: Fix XDP redirection error
     - sign-file: Fix incorrect return values check
     - vsock/virtio: Fix unsigned integer wrap around in virtio_transport_has_space()
     - net: stmmac: Handle disabled MDIO busses from devicetree
     - appletalk: Fix Use-After-Free in atalk_ioctl (CVE-2023-51781)
     - net: atlantic: fix double free in ring reinit logic
     - cred: switch to using atomic_long_t
     - fuse: dax: set fc->dax to NULL in fuse_dax_conn_free()
     - ALSA: hda/hdmi: add force-connect quirk for NUC5CPYB
     - ALSA: hda/hdmi: add force-connect quirks for ASUSTeK Z170 variants
     - ALSA: hda/realtek: Apply mute LED quirk for HP15-db
     - Revert "PCI: acpiphp: Reassign resources on bridge if necessary"
     - [mips*] PCI: loongson: Limit MRRS to 256 (Closes: #1035587)
     - ksmbd: fix wrong name of SMB2_CREATE_ALLOCATION_SIZE
     - [x86] hyperv: Fix the detection of E820_TYPE_PRAM in a Gen2 VM
     - usb: aqc111: check packet for fixup for true limit
     - blk-throttle: fix lockdep warning of "cgroup_mutex or RCU read lock required!"
     - blk-cgroup: bypass blkcg_deactivate_policy after destroying
     - bcache: avoid oversize memory allocation by small stripe_size
     - bcache: remove redundant assignment to variable cur_idx
     - bcache: add code comments for bch_btree_node_get() and __bch_btree_node_alloc()
     - bcache: avoid NULL checking to c->root in run_cache_set()
     - nbd: fold nbd config initialization into nbd_alloc_config()
     - nvme-auth: set explanation code for failure2 msgs
     - nvme: catch errors from nvme_configure_metadata()
     - [x86] platform/x86: intel_telemetry: Fix kernel doc descriptions
     - HID: glorious: fix Glorious Model I HID report
     - HID: add ALWAYS_POLL quirk for Apple kb
     - nbd: pass nbd_sock to nbd_read_reply() instead of index
     - HID: hid-asus: reset the backlight brightness level on resume
     - HID: multitouch: Add quirk for HONOR GLO-GXXX touchpad
     - asm-generic: qspinlock: fix queued_spin_value_unlocked() implementation
     - net: usb: qmi_wwan: claim interface 4 for ZTE MF290
     - [arm64] add dependency between vmlinuz.efi and Image
     - HID: hid-asus: add const to read-only outgoing usb buffer
     - perf: Fix perf_event_validate_size() lockdep splat
     - btrfs: do not allow non subvolume root targets for snapshot
     - soundwire: stream: fix NULL pointer dereference for multi_link
     - ext4: prevent the normalized size from exceeding EXT_MAX_BLOCKS
     - [arm64] mm: Always make sw-dirty PTEs hw-dirty in pte_modify
     - team: Fix use-after-free when an option instance allocation fails
     - drm/amdgpu/sdma5.2: add begin/end_use ring callbacks
     - dmaengine: stm32-dma: avoid bitfield overflow assertion
     - mm/mglru: fix underprotected page cache
     - mm/shmem: fix race in shmem_undo_range w/THP
     - btrfs: free qgroup reserve when ORDERED_IOERR is set
     - btrfs: don't clear qgroup reserved bit in release_folio
     - drm/amdgpu: fix tear down order in amdgpu_vm_pt_free
     - drm/amd/display: Disable PSR-SU on Parade 0803 TCON again
     - [x86] drm/i915: Fix remapped stride with CCS on ADL+
     - smb: client: fix OOB in receive_encrypted_standard()
     - smb: client: fix NULL deref in asn1_ber_decoder()
     - smb: client: fix OOB in smb2_query_reparse_point()
     - ring-buffer: Fix memory leak of free page
     - tracing: Update snapshot buffer on resize if it is allocated
     - ring-buffer: Do not update before stamp when switching sub-buffers
     - ring-buffer: Have saved event hold the entire event
     - ring-buffer: Fix writing to the buffer with max_data_size
     - ring-buffer: Fix a race in rb_time_cmpxchg() for 32 bit archs
     - ring-buffer: Do not try to put back write_stamp
     - ring-buffer: Have rb_time_cmpxchg() set the msb counter too
     - net: tls, update curr on splice as well
     - r8152: avoid to change cfg for all devices
     - r8152: remove rtl_vendor_mode function
     - r8152: fix the autosuspend doesn't work
 .
   [ Salvatore Bonaccorso ]
   * Bump ABI to 17
   * [rt] Update to 6.1.69-rt21
   * [arm64] drivers/vfio: Don't enable VFIO_NOIOMMU.
     This is a breach of the integrity lockdown requirement of secure boot and
     thus cannot be enabled.
     Thanks to Bastian Blank and Ben Hutchings
   * Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg (CVE-2023-51779)
   * netfilter: nf_tables: skip set commit for deleted/destroyed sets
   * Revert "scsi: aacraid: Reply queue mapping to CPUs based on IRQ affinity" (Closes: #1059624)
Checksums-Sha1:
 853b2e26c5c7f9abc1f63a313ff6e022c20c2531 7455 linux-signed-arm64_6.1.69+1.dsc
 33caafb1142f22f41a129bc9556316aa2dd423bb 2879220 linux-signed-arm64_6.1.69+1.tar.xz
Checksums-Sha256:
 7d51697a52023f5acf8aaa47b57004fd07d68041b0bb031cdfa53592482c9acc 7455 linux-signed-arm64_6.1.69+1.dsc
 01e8b467301ec5be59f4943cbbc91d07e29f0efe12285dae2f104a2263f3ecc5 2879220 linux-signed-arm64_6.1.69+1.tar.xz
Files:
 57d2954404d143d6fe5b8fa7c5c0e5c6 7455 kernel optional linux-signed-arm64_6.1.69+1.dsc
 2a278d9cebe74826cc7cbe10cafe69d8 2879220 kernel optional linux-signed-arm64_6.1.69+1.tar.xz