-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sat, 10 Aug 2024 08:09:03 +0200 Source: linux Architecture: source Version: 5.10.223-1 Distribution: bullseye-security Urgency: high Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org> Changed-By: Salvatore Bonaccorso <carnil@debian.org> Closes: 1076864 Changes: linux (5.10.223-1) bullseye-security; urgency=high . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.222 - Compiler Attributes: Add __uninitialized macro - [arm64,armhf] drm/lima: fix shared irq handling on driver remove - media: dvb: as102-fe: Fix as10x_register_addr packing - media: dvb-usb: dib0700_devices: Add missing release_firmware() - IB/core: Implement a limit on UMAD receive List - scsi: qedf: Make qedf_execute_tmf() non-preemptible - crypto: aead,cipher - zeroize key buffer after use - drm/amdgpu: Initialize timestamp for some legacy SOCs - drm/amd/display: Check index msg_id before read or write - drm/amd/display: Check pipe offset before setting vblank - drm/amd/display: Skip finding free audio for unknown engine_id - media: dw2102: Don't translate i2c read into write - sctp: prefer struct_size over open coded arithmetic - firmware: dmi: Stop decoding on broken entry - Input: ff-core - prefer struct_size over open coded arithmetic - [arm64,armhf] net: dsa: mv88e6xxx: Correct check for empty list - media: dvb-frontends: tda18271c2dd: Remove casting during div - media: s2255: Use refcount_t instead of atomic_t for num_channels - media: dvb-frontends: tda10048: Fix integer overflow - i2c: i801: Annotate apanel_addr as __ro_after_init - [powerpc*] 64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for CONFIG_PCI=n - orangefs: fix out-of-bounds fsid access - kunit: Fix timeout message - [powerpc*] xmon: Check cpu id in commands "c#", "dp#" and "dx#" - bpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD - jffs2: Fix potential illegal address access in jffs2_free_inode - [s390x] pkey: Wipe sensitive data on failure - UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open() - tcp_metrics: validate source addr length - wifi: wilc1000: fix ies_len type in connect path - bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set() (CVE-2024-39487) - inet_diag: Initialize pad field in struct inet_diag_req_v2 - nilfs2: fix inode number range checks - nilfs2: add missing check for inode numbers on directory entries - mm: optimize the redundant loop of mm_update_owner_next() - mm: avoid overflows in dirty throttling logic - Bluetooth: qca: Fix BT enable failure again for QCA6390 after warm reboot - can: kvaser_usb: Explicitly initialize family in leafimx driver_info struct - fsnotify: Do not generate events for O_PATH file descriptors - Revert "mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again" - drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes - drm/amdgpu/atomfirmware: silence UBSAN warning - mtd: rawnand: Bypass a couple of sanity checks during NAND identification - bnx2x: Fix multiple UBSAN array-index-out-of-bounds - bpf, sockmap: Fix sk->sk_forward_alloc warn_on in sk_stream_kill_queues - ima: Avoid blocking in RCU read-side critical section (CVE-2024-40947) - media: dw2102: fix a potential buffer overflow - i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr - ALSA: hda/realtek: Enable headset mic of JP-IK LEAP W502 with ALC897 - nvme-multipath: find NUMA path only for online numa-node - nvme: adjust multiples of NVME_CTRL_PAGE_SIZE in offset - [x86] platform/x86: touchscreen_dmi: Add info for GlobalSpace SolT IVW 11.6" tablet - [x86] platform/x86: touchscreen_dmi: Add info for the EZpad 6s Pro - nvmet: fix a possible leak when destroy a ctrl during qp establishment - kbuild: fix short log for AS in link-vmlinux.sh - nilfs2: fix incorrect inode allocation from reserved inodes - mm: prevent derefencing NULL ptr in pfn_section_valid() - filelock: fix potential use-after-free in posix_lock_inode - fs/dcache: Re-use value stored to dentry->d_flags instead of re-reading - vfs: don't mod negative dentry count when on shrinker list - tcp: fix incorrect undo caused by DSACK of TLP retransmit - net: lantiq_etop: add blank line after declaration - net: ethernet: lantiq_etop: fix double free in detach - ppp: reject claimed-as-LCP but actually malformed packets - ethtool: netlink: do not return SQI value if link is down - udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port(). - net/sched: Fix UAF when resolving a clash - [s390x] Mark psw in __load_psw_mask() as __unitialized - tcp: use signed arithmetic in tcp_rtx_probe0_timed_out() - tcp: avoid too many retransmit packets (CVE-2024-41007) - net: ks8851: Fix potential TX stall after interface reopen - USB: serial: option: add Telit generic core-dump composition - USB: serial: option: add Telit FN912 rmnet compositions - USB: serial: option: add Fibocom FM350-GL - USB: serial: option: add support for Foxconn T99W651 - USB: serial: option: add Netprisma LCUK54 series modules - USB: serial: option: add Rolling RW350-GL variants - USB: serial: mos7840: fix crash on resume - USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k - usb: gadget: configfs: Prevent OOB read/write in usb_string_copy() - USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor - hpet: Support 32-bit userspace - nvmem: meson-efuse: Fix return value of nvmem callbacks - ALSA: hda/realtek: Enable Mute LED on HP 250 G7 - ALSA: hda/realtek: Limit mic boost on VAIO PRO PX - libceph: fix race between delayed_work() and ceph_monc_stop() - wireguard: allowedips: avoid unaligned 64-bit memory accesses - wireguard: queueing: annotate intentional data race in cpu round robin - wireguard: send: annotate intentional data race in checking empty queue - x86/retpoline: Move a NOENDBR annotation to the SRSO dummy return thunk - ipv6: annotate data-races around cnf.disable_ipv6 - ipv6: prevent NULL dereference in ip6_output() (CVE-2024-36901) - bpf: Allow reads from uninit stack - nilfs2: fix kernel bug on rename operation of broken directory - i2c: mark HostNotify target address as used https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.223 - gcc-plugins: Rename last_stmt() for GCC 14+ - filelock: Remove locks reliably when fcntl/close race is detected (CVE-2024-41012) - scsi: qedf: Set qed_slowpath_params to zero before use - ACPI: EC: Abort address space access upon error - ACPI: EC: Avoid returning AE_OK on errors in address space handler - wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata - wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan() - Input: silead - Always support 10 fingers - net: ipv6: rpl_iptunnel: block BH in rpl_output() and rpl_input() - ila: block BH in ila_output() - [arm64] armv8_deprecated: Fix warning in isndep cpuhp starting process - null_blk: fix validation of block size - kconfig: gconf: give a proper initial state to the Save button - kconfig: remove wrong expr_trans_bool() - fs/file: fix the check in find_next_fd() - mei: demote client disconnect warning on suspend to debug - wifi: cfg80211: wext: add extra SIOCSIWSCAN data check - [powerpc*] KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group() - ALSA: hda/realtek: Add more codec ID to no shutup pins list - [mips*] fix compat_sys_lseek syscall - Input: elantech - fix touchpad state on resume for Lenovo N24 - Input: i8042 - add Ayaneo Kun to i8042 quirk table - [x86] bytcr_rt5640 : inverse jack detect for Archos 101 cesium - [arm*] ALSA: dmaengine: Synchronize dma channel after drop() - [armhf] ASoC: ti: davinci-mcasp: Set min period size using FIFO config - can: kvaser_usb: fix return value for hif_usb_send_regout - [s390x] sclp: Fix sclp_init() cleanup on failure - btrfs: qgroup: fix quota root leak after quota disable failure - ALSA: hda/relatek: Enable Mute LED on HP Laptop 15-gw0xxx - ALSA: dmaengine_pcm: terminate dmaengine before synchronize - net: usb: qmi_wwan: add Telit FN912 compositions - net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and DEV_STATS_ADD() - [powerpc*] pseries: Whitelist dtl slub object for copying to userspace - [powerpc*] eeh: avoid possible crash when edev->pdev changes - scsi: libsas: Fix exp-attached device scan after probe failure scanned in again after probe failed - Bluetooth: hci_core: cancel all works upon hci_unregister_dev() - fs: better handle deep ancestor chains in is_subdir() - spi: imx: Don't expect DMA for i.MX{25,35,50,51,53} cspi devices - hfsplus: fix uninit-value in copy_name - spi: mux: set ctlr->bits_per_word_mask - [arm*] 9324/1: fix get_user() broken with veneer - ACPI: processor_idle: Fix invalid comparison with insertion sort for latency - bpf: Fix overrunning reservations in ringbuf (CVE-2024-41009) - bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue (CVE-2024-36938) - scsi: core: Fix a use-after-free (CVE-2022-48666) - ext4: fix error code saved on super block during file system abort - ext4: Send notifications on error - drm/amdgpu: Fix signedness bug in sdma_v4_0_process_trap_irq() - net: relax socket state check at accept time. (CVE-2024-36484) - ocfs2: add bounds checking to ocfs2_check_dir_entry() - jfs: don't walk off the end of ealist - ALSA: hda/realtek: Enable headset mic on Positivo SU C1400 - ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360 - [arm64] dts: qcom: msm8996: Disable SS instance in Parkmode for USB - [arm*] ALSA: pcm_dmaengine: Don't synchronize DMA channel when DMA is paused - filelock: Fix fcntl/close race recovery compat path - tun: add missing verification for short frame (CVE-2024-41091) - tap: add missing verification for short frame (CVE-2024-41090) . [ Salvatore Bonaccorso ] * Bump ABI to 32 * fs/nfsd: Enable NFSD_V2 and NFSD_V2_ACL. Re-enable lost NFSv2 kernel support due to upstream backporting of 2f3a4b2ac2f2 ("nfsd: allow disabling NFSv2 at compile time") in 5.10.220. (Closes: #1076864) * netfilter: ipset: Add list flush to cancel_gc Checksums-Sha1: 40a9c3f01f5047ac8ca793600f63bba23956ea10 205889 linux_5.10.223-1.dsc 1ad9be53a402dd20c993bd5446d012c6354705fa 122005648 linux_5.10.223.orig.tar.xz 67df9bce4200f84f09c9831f7b9384a3004e5cd7 1689720 linux_5.10.223-1.debian.tar.xz 7653b004260fb4d15120c0bccf403fba8d999a22 7066 linux_5.10.223-1_source.buildinfo Checksums-Sha256: 2ebc7615c9b29e6e2ed1493743c2748cbf1f83816e8b44e2f2356d1245b8d90d 205889 linux_5.10.223-1.dsc 5272175427d036677539b9ef88a6bc30e455aca2d4fe9a942b2926ef7967ad20 122005648 linux_5.10.223.orig.tar.xz 007c93dd48234adf1fb9b2a69737e4aea4a13978d51ebd82ae56300673d28fb5 1689720 linux_5.10.223-1.debian.tar.xz fa1bf911dcd6a8985b097e5f2002ea83c0bb96eb9d37504dca5bb1e80786cc12 7066 linux_5.10.223-1_source.buildinfo Files: 978afd341791d475a77abf6713a89df1 205889 kernel optional linux_5.10.223-1.dsc 28757c6c8425047e9bcff61b34787a8f 122005648 kernel optional linux_5.10.223.orig.tar.xz e9b4fa38b75ca5c494bf3381844351a1 1689720 kernel optional linux_5.10.223-1.debian.tar.xz 7bd1dea7260aead8bfcf2f1b323b3a25 7066 kernel optional linux_5.10.223-1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAma3BIVfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk ZWJpYW4ub3JnAAoJEAVMuPMTQ89EscMP/3SmhllZaITprJq04WtPp643NfY6hb+d zk7WcKTok9WGsIARvBqKCP241CvTAPEUqgIzsQohvLYnnuemM2zZqLLqmhAgsbBk 9pP3gI13eZ0vGTnj3S4z8fkaKg6VUfV9DE6JDA3qEKoTtVxcd2DJ/OXG1hriD8Iu gQf9vrZFjXo0MMV9li2zlNWy8965fY2FfU97PivJZj6LQYpsJpz+vTn2WOTPogKA ZxafpLVaIqAgOHvqWPdfuEJmz0c1/vrrr2WRkJ/lD8TTniHLkXn2F369ZsaY0ou0 isU68OfnyFd9TA4QoNYhNs/yMPBD0JnVCuR74YLpE1IklxXweEbx3IklWcgRhV0t iS6vFjDweSL3AbIxZ3kuVnSJtN/DloNC1q4p/OfVaVr+bIZcWIE4znMSSnyf9dNt uDNRI0lo8u/PJgRE+XrWCRbzyfPWy6x7iRRwJRLRN6YMOLpDSqfOfTin76YYAYUc KD43Es6IbNJDkMA3YqM33mIdiZlxkxrQZFGNcOSlXLNtvol08w4/Q1+67Dzyrh/8 30Y1HufWkCWdmWu4ZRGbu54W3GgxlunHXl5y1Ue/MlNgzxxGu0xGdWElxJPMwq2I 3R4i/NDukJDf9uvsi2FCHhL4bEGwOZL7l7INYkwftuVkCKOXnCs6cZIhbPoxNbll idn4y0gB8p6y =wlB3 -----END PGP SIGNATURE-----