-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 30 Dec 2023 10:31:20 +0100
Source: linux
Architecture: source
Version: 6.1.69-1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1035587 1052304 1055021 1058758 1059624
Changes:
 linux (6.1.69-1) bookworm-security; urgency=high
 .
   * New upstream stable update:
     https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.68
     - hrtimers: Push pending hrtimers away from outgoing CPU earlier
     - i2c: designware: Fix corrupted memory seen in the ISR
     - netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test
     - tg3: Move the [rt]x_dropped counters to tg3_napi
     - tg3: Increment tx_dropped in tg3_tso_bug()
     - kconfig: fix memory leak from range properties
     - drm/amdgpu: correct chunk_ptr to a pointer to chunk.
     - [x86] Introduce ia32_enabled()
     - [amd64] x86/coco: Disable 32-bit emulation by default on TDX and SEV
     - [x86] entry: Convert INT 0x80 emulation to IDTENTRY
     - [x86] entry: Do not allow external 0x80 interrupts
     - [x86] tdx: Allow 32-bit emulation by default
     - [x86] platform/x86: asus-wmi: Move i8042 filter install to shared asus-wmi code
     - [powerpc*] of: dynamic: Fix of_reconfig_get_state_change() return value documentation
     - [x86] platform/x86: wmi: Skip blocks with zero instances
     - ipv6: fix potential NULL deref in fib6_add()
     - hv_netvsc: rndis_filter needs to select NLS
     - r8152: Rename RTL8152_UNPLUG to RTL8152_INACCESSIBLE
     - r8152: Add RTL8152_INACCESSIBLE checks to more loops
     - r8152: Add RTL8152_INACCESSIBLE to r8156b_wait_loading_flash()
     - r8152: Add RTL8152_INACCESSIBLE to r8153_pre_firmware_1()
     - r8152: Add RTL8152_INACCESSIBLE to r8153_aldps_en()
     - arcnet: restoring support for multiple Sohard Arcnet cards
     - net: stmmac: fix FPE events losing
     - xsk: Skip polling event check for unbound socket
     - i40e: Fix unexpected MFS warning message
     - iavf: validate tx_coalesce_usecs even if rx_coalesce_usecs is zero
     - net: bnxt: fix a potential use-after-free in bnxt_init_tc
     - tcp: fix mid stream window clamp.
     - ionic: fix snprintf format length warning
     - ionic: Fix dim work handling in split interrupt mode
     - ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit()
     - net: atlantic: Fix NULL dereference of skb pointer in
     - [arm64] net: hns: fix wrong head when modify the tx feature when sending packets
     - [arm64] net: hns: fix fake link up on xge port
     - netfilter: nft_exthdr: add boolean DCCP option matching
     - netfilter: nf_tables: fix 'exist' matching on bigendian arches
     - netfilter: nf_tables: bail out on mismatching dynset and set expressions (CVE-2023-6622)
     - netfilter: nf_tables: validate family when identifying table via handle
     - netfilter: xt_owner: Fix for unsafe access of sk->sk_socket
     - tcp: do not accept ACK of bytes we never sent
     - bpf: sockmap, updating the sg structure should also update curr
     - psample: Require 'CAP_NET_ADMIN' when joining "packets" group
     - drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group
     - [arm64] tee: optee: Fix supplicant based device enumeration
     - [arm64] RDMA/hns: Fix unnecessary err return when using invalid congest control algorithm
     - RDMA/irdma: Do not modify to SQD on error
     - RDMA/irdma: Add wait for suspend on SQD
     - [arm64] ASoC: fsl_sai: Fix no frame sync clock issue on i.MX8MP
     - RDMA/irdma: Refactor error handling in create CQP
     - RDMA/irdma: Fix UAF in irdma_sc_ccq_get_cqe_info()
     - [x86] hwmon: (acpi_power_meter) Fix 4.29 MW bug
     - [x86] ASoC: wm_adsp: fix memleak in wm_adsp_buffer_populate
     - RDMA/core: Fix umem iterator when PAGE_SIZE is greater then HCA pgsz
     - RDMA/irdma: Avoid free the non-cqp_request scratch
     - [arm64] dts: imx8mq: drop usb3-resume-missing-cas from usb
     - [arm64] dts: imx8mp: imx8mq: Add parkmode-disable-ss-quirk on DWC3
     - tracing: Fix a warning when allocating buffered events fails
     - scsi: be2iscsi: Fix a memleak in beiscsi_init_wrb_handle()
     - [armhf] imx: Check return value of devm_kasprintf in imx_mmdc_perf_init
     - md: introduce md_ro_state
     - md: don't leave 'MD_RECOVERY_FROZEN' in error path of md_set_readonly()
     - iommu: Avoid more races around device probe
     - [x86] rethook: Use __rcu pointer for rethook::handler
     - kprobes: consistent rcu api usage for kretprobe holder
     - [x86] ASoC: amd: yc: Fix non-functional mic on ASUS E1504FA
     - io_uring/af_unix: disable sending io_uring over sockets (CVE-2023-6531)
     - nvme-pci: Add sleep quirk for Kingston drives
     - io_uring: fix mutex_unlock with unreferenced ctx
     - ALSA: usb-audio: Add Pioneer DJM-450 mixer controls
     - ALSA: pcm: fix out-of-bounds in snd_pcm_state_names
     - ALSA: hda/realtek: Enable headset on Lenovo M90 Gen5
     - ALSA: hda/realtek: add new Framework laptop to quirks
     - ALSA: hda/realtek: Add Framework laptop 16 to quirks
     - ring-buffer: Test last update in 32bit version of __rb_time_read()
     - nilfs2: fix missing error check for sb_set_blocksize call
     - nilfs2: prevent WARNING in nilfs_sufile_set_segment_usage()
     - cgroup_freezer: cgroup_freezing: Check if not frozen
     - checkstack: fix printed address
     - tracing: Always update snapshot buffer size
     - tracing: Disable snapshot buffer when stopping instance tracers
     - tracing: Fix incomplete locking when disabling buffered events
     - tracing: Fix a possible race when disabling buffered events
     - packet: Move reference count in packet_sock to atomic_long_t
     - r8169: fix rtl8125b PAUSE frames blasting when suspended
     - regmap: fix bogus error on regcache_sync success
     - [x86] platform/surface: aggregator: fix recv_buf() return value
     - hugetlb: fix null-ptr-deref in hugetlb_vma_lock_write
     - mm: fix oops when filemap_map_pmd() without prealloc_pte
     - md/raid6: use valid sector values to determine if an I/O should wait on the reshape
     - [arm*] binder: fix memory leaks of spam and pending work
     - [arm64] coresight: etm4x: Make etm4_remove_dev() return void
     - [arm64] coresight: etm4x: Remove bogous __exit annotation for some functions
     - hwtracing: hisi_ptt: Add dummy callback pmu::read()
     - [x86] misc: mei: client.c: return negative error code in mei_cl_write
     - [x86] misc: mei: client.c: fix problem of return '-EOVERFLOW' in mei_cl_write
     - ring-buffer: Force absolute timestamp on discard of event
     - tracing: Set actual size after ring buffer resize
     - tracing: Stop current tracer when resizing buffer
     - perf: Fix perf_event_validate_size() (CVE-2023-6931)
     - [x86] sev: Fix kernel crash due to late update to read-only ghcb_version
     - gpiolib: sysfs: Fix error handling on failed export
     - drm/amdgpu: fix memory overflow in the IB test
     - drm/amd/amdgpu: Fix warnings in amdgpu/amdgpu_display.c
     - drm/amdgpu: correct the amdgpu runtime dereference usage count
     - drm/amdgpu: Update ras eeprom support for smu v13_0_0 and v13_0_10
     - drm/amdgpu: Add EEPROM I2C address support for ip discovery
     - drm/amdgpu: Remove redundant I2C EEPROM address
     - drm/amdgpu: Decouple RAS EEPROM addresses from chips
     - drm/amdgpu: Add support for RAS table at 0x40000
     - drm/amdgpu: Remove second moot switch to set EEPROM I2C address
     - drm/amdgpu: Return from switch early for EEPROM I2C address
     - drm/amdgpu: simplify amdgpu_ras_eeprom.c
     - drm/amdgpu: Add I2C EEPROM support on smu v13_0_6
     - drm/amdgpu: Update EEPROM I2C address for smu v13_0_0
     - usb: gadget: f_hid: fix report descriptor allocation
     - serial: 8250_dw: Add ACPI ID for Granite Rapids-D UART
     - parport: Add support for Brainboxes IX/UC/PX parallel cards
     - cifs: Fix non-availability of dedup breaking generic/304
     - Revert "xhci: Loosen RPM as default policy to cover for AMD xHC 1.1"
     - smb: client: fix potential NULL deref in parse_dfs_referrals()
     - usb: typec: class: fix typec_altmode_put_partner to put plugs
     - [arm64,armhf] PL011: Fix DMA support
     - [arm64] serial: 8250: 8250_omap: Clear UART_HAS_RHR_IT_DIS bit
     - [arm64] serial: 8250: 8250_omap: Do not start RX DMA on THRI interrupt
     - [arm64] serial: 8250_omap: Add earlycon support for the AM654 UART controller
     - devcoredump: Send uevent once devcd is ready
     - [x86] CPU/AMD: Check vendor in the AMD microcode callback
     - USB: gadget: core: adjust uevent timing on gadget unbind
     - cifs: Fix flushing, invalidation and file size with copy_file_range()
     - cifs: Fix flushing, invalidation and file size with FICLONE
     - [mips*] kernel: Clear FPU states when setting up kernel threads (Closes: #1055021)
     - [s390x] KVM: s390/mm: Properly reset no-dat
     - [x86] KVM: SVM: Update EFER software model on CR0 trap for SEV-ES
     - netfilter: nft_set_pipapo: skip inactive elements during set walk (CVE-2023-6817)
     - [x86] drm/i915/display: Drop check for doublescan mode in modevalid
     - [x86] drm/i915/lvds: Use REG_BIT() & co.
     - [x86] drm/i915/sdvo: stop caching has_hdmi_monitor in struct intel_sdvo
     - [x86] drm/i915: Skip some timing checks on BXT/GLK DSI transcoders
     https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.69
     - [x86] perf/x86/uncore: Don't WARN_ON_ONCE() for a broken discovery table
     - r8152: add USB device driver for config selection
     - r8152: add vendor/device ID pair for D-Link DUB-E250
     - r8152: add vendor/device ID pair for ASUS USB-C2500
     - [powerpc*] ftrace: Fix stack teardown in ftrace_no_trace
     - ext4: fix warning in ext4_dio_write_end_io()
     - ksmbd: fix memory leak in smb2_lock()
     - afs: Fix refcount underflow from error handling race (Closes: #1052304)
     - HID: lenovo: Restrict detection of patched firmware only to USB cptkbd (Closes: #1058758)
     - net/mlx5e: Fix possible deadlock on mlx5e_tx_timeout_work
     - net: ipv6: support reporting otherwise unknown prefix flags in RTM_NEWPREFIX
     - bnxt_en: Clear resource reservation during resume
     - bnxt_en: Save ring error counters across reset
     - bnxt_en: Fix wrong return value check in bnxt_close_nic()
     - bnxt_en: Fix HWTSTAMP_FILTER_ALL packet timestamp logic
     - atm: solos-pci: Fix potential deadlock on &cli_queue_lock
     - atm: solos-pci: Fix potential deadlock on &tx_queue_lock
     - net: vlan: introduce skb_vlan_eth_hdr()
     - net: fec: correct queue selection
     - atm: Fix Use-After-Free in do_vcc_ioctl (CVE-2023-51780)
     - net/rose: Fix Use-After-Free in rose_ioctl (CVE-2023-51782)
     - iavf: Introduce new state machines for flow director
     - iavf: Handle ntuple on/off based on new state machines for flow director
     - qed: Fix a potential use-after-free in qed_cxt_tables_alloc
     - net: Remove acked SYN flag from packet in the transmit queue correctly
     - net: ena: Destroy correct number of xdp queues upon failure
     - net: ena: Fix xdp drops handling due to multibuf packets
     - net: ena: Fix XDP redirection error
     - sign-file: Fix incorrect return values check
     - vsock/virtio: Fix unsigned integer wrap around in virtio_transport_has_space()
     - net: stmmac: Handle disabled MDIO busses from devicetree
     - appletalk: Fix Use-After-Free in atalk_ioctl (CVE-2023-51781)
     - net: atlantic: fix double free in ring reinit logic
     - cred: switch to using atomic_long_t
     - fuse: dax: set fc->dax to NULL in fuse_dax_conn_free()
     - ALSA: hda/hdmi: add force-connect quirk for NUC5CPYB
     - ALSA: hda/hdmi: add force-connect quirks for ASUSTeK Z170 variants
     - ALSA: hda/realtek: Apply mute LED quirk for HP15-db
     - Revert "PCI: acpiphp: Reassign resources on bridge if necessary"
     - [mips*] PCI: loongson: Limit MRRS to 256 (Closes: #1035587)
     - ksmbd: fix wrong name of SMB2_CREATE_ALLOCATION_SIZE
     - [x86] hyperv: Fix the detection of E820_TYPE_PRAM in a Gen2 VM
     - usb: aqc111: check packet for fixup for true limit
     - blk-throttle: fix lockdep warning of "cgroup_mutex or RCU read lock required!"
     - blk-cgroup: bypass blkcg_deactivate_policy after destroying
     - bcache: avoid oversize memory allocation by small stripe_size
     - bcache: remove redundant assignment to variable cur_idx
     - bcache: add code comments for bch_btree_node_get() and __bch_btree_node_alloc()
     - bcache: avoid NULL checking to c->root in run_cache_set()
     - nbd: fold nbd config initialization into nbd_alloc_config()
     - nvme-auth: set explanation code for failure2 msgs
     - nvme: catch errors from nvme_configure_metadata()
     - [x86] platform/x86: intel_telemetry: Fix kernel doc descriptions
     - HID: glorious: fix Glorious Model I HID report
     - HID: add ALWAYS_POLL quirk for Apple kb
     - nbd: pass nbd_sock to nbd_read_reply() instead of index
     - HID: hid-asus: reset the backlight brightness level on resume
     - HID: multitouch: Add quirk for HONOR GLO-GXXX touchpad
     - asm-generic: qspinlock: fix queued_spin_value_unlocked() implementation
     - net: usb: qmi_wwan: claim interface 4 for ZTE MF290
     - [arm64] add dependency between vmlinuz.efi and Image
     - HID: hid-asus: add const to read-only outgoing usb buffer
     - perf: Fix perf_event_validate_size() lockdep splat
     - btrfs: do not allow non subvolume root targets for snapshot
     - soundwire: stream: fix NULL pointer dereference for multi_link
     - ext4: prevent the normalized size from exceeding EXT_MAX_BLOCKS
     - [arm64] mm: Always make sw-dirty PTEs hw-dirty in pte_modify
     - team: Fix use-after-free when an option instance allocation fails
     - drm/amdgpu/sdma5.2: add begin/end_use ring callbacks
     - dmaengine: stm32-dma: avoid bitfield overflow assertion
     - mm/mglru: fix underprotected page cache
     - mm/shmem: fix race in shmem_undo_range w/THP
     - btrfs: free qgroup reserve when ORDERED_IOERR is set
     - btrfs: don't clear qgroup reserved bit in release_folio
     - drm/amdgpu: fix tear down order in amdgpu_vm_pt_free
     - drm/amd/display: Disable PSR-SU on Parade 0803 TCON again
     - [x86] drm/i915: Fix remapped stride with CCS on ADL+
     - smb: client: fix OOB in receive_encrypted_standard()
     - smb: client: fix NULL deref in asn1_ber_decoder()
     - smb: client: fix OOB in smb2_query_reparse_point()
     - ring-buffer: Fix memory leak of free page
     - tracing: Update snapshot buffer on resize if it is allocated
     - ring-buffer: Do not update before stamp when switching sub-buffers
     - ring-buffer: Have saved event hold the entire event
     - ring-buffer: Fix writing to the buffer with max_data_size
     - ring-buffer: Fix a race in rb_time_cmpxchg() for 32 bit archs
     - ring-buffer: Do not try to put back write_stamp
     - ring-buffer: Have rb_time_cmpxchg() set the msb counter too
     - net: tls, update curr on splice as well
     - r8152: avoid to change cfg for all devices
     - r8152: remove rtl_vendor_mode function
     - r8152: fix the autosuspend doesn't work
 .
   [ Salvatore Bonaccorso ]
   * Bump ABI to 17
   * [rt] Update to 6.1.69-rt21
   * [arm64] drivers/vfio: Don't enable VFIO_NOIOMMU.
     This is a breach of the integrity lockdown requirement of secure boot and
     thus cannot be enabled.
     Thanks to Bastian Blank and Ben Hutchings
   * Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg (CVE-2023-51779)
   * netfilter: nf_tables: skip set commit for deleted/destroyed sets
   * Revert "scsi: aacraid: Reply queue mapping to CPUs based on IRQ affinity" (Closes: #1059624)
Checksums-Sha1:
 97b8255fde753811d8f029a73ec4a03ae05d4363 290924 linux_6.1.69-1.dsc
 ab2ef068faf43ae20020165065571c8cb1a14111 137507972 linux_6.1.69.orig.tar.xz
 d965c531dd3edcca299b12ed2f02093a7e27b81b 1586832 linux_6.1.69-1.debian.tar.xz
 3092fbb92e1e5f8bf2127e4a311426fe84ec1037 7066 linux_6.1.69-1_source.buildinfo
Checksums-Sha256:
 eff66c55a2e6a56cf37ff8c06fb830740ba2ff869dc51b98e789acf702487c91 290924 linux_6.1.69-1.dsc
 b0a5f7285bffe9f0b7eca2675fe097fd4aeec1bac6d31b76239ba718d3b4fc02 137507972 linux_6.1.69.orig.tar.xz
 6ccc5bc6a11a5e592b396702c9975b56c7fd7e758322180927e0acf07c884370 1586832 linux_6.1.69-1.debian.tar.xz
 61aafe85f00121acaec649a59e6633fc5823800164e239c0c47a994c9bc27da5 7066 linux_6.1.69-1_source.buildinfo
Files:
 148ceb8c54c9778cac65a68de6d3a92a 290924 kernel optional linux_6.1.69-1.dsc
 b31060ed820825da2ff064b3fac3740c 137507972 kernel optional linux_6.1.69.orig.tar.xz
 7c74ee5a24913c31cdc7a89be868fbab 1586832 kernel optional linux_6.1.69-1.debian.tar.xz
 dcd03738d64dca61a76490a9fb7669b2 7066 kernel optional linux_6.1.69-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----