-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Thu, 03 Oct 2024 23:58:46 +0200 Source: linux Architecture: source Version: 5.10.226-1 Distribution: bullseye-security Urgency: high Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org> Changed-By: Ben Hutchings <benh@debian.org> Changes: linux (5.10.226-1) bullseye-security; urgency=high . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.224 - [amd64] EDAC/skx_common: Add new ADXL components for 2-level memory - [amd64] EDAC, i10nm: make skx_common.o a separate module - [arm64] platform/chrome: cros_ec_debugfs: fix wrong EC message version - hfsplus: fix to avoid false alarm of circular locking - [i386] of: Return consistent error type from x86_of_pci_irq_enable() - [x86] pci/xen: Fix PCIBIOS_* return code handling - [x86] platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos - hwmon: (adt7475) Fix default duty on fan is disabled - [arm64] dts: qcom: msm8996: specify UFS core_clk frequencies - [arm*] soc: qcom: pdr: protect locator_addr with the main mutex (CVE-2024-43849) - [arm64] dts: rockchip: Increase VOP clk rate on RK3328 - [arm64] dts: amlogic: gx: correct hdmi clocks - [arm64] firmware: turris-mox-rwtm: Fix checking return value of wait_for_completion_timeout() - [arm64] firmware: turris-mox-rwtm: Initialize completion before mailbox - wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device - net: esp: cleanup esp_output_tail_tcp() in case of unsupported ESPINTCP - net/smc: Allow SMC-D 1MB DMB allocations - net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when CONFIG_ARCH_NO_SG_CHAIN is defined - lib: objagg: Fix general protection fault (CVE-2024-43846) - mlxsw: spectrum_acl_erp: Fix object nesting warning (CVE-2024-43880) - ath11k: dp: stop rx pktlog before suspend - wifi: ath11k: fix wrong handling of CCMP256 and GCMP ciphers - wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he() - wifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he() (CVE-2024-43879) - [arm*] net: fec: Refactor: #define magic constants - [arm*] net: fec: Fix FEC_ECR_EN1588 being cleared on link-down - ipvs: Avoid unnecessary calls to skb_is_gso_sctp - netfilter: nf_tables: rise cap on SELinux secmark context - [x86] perf/x86/intel/pt: Fix pt_topa_entry_for_page() address calculation - perf: Fix perf_aux_size() for greater-than 32-bit size - perf: Prevent passing zero nr_pages to rb_alloc_aux() - qed: Improve the stack space of filter_config() - wifi: virt_wifi: avoid reporting connection success with wrong SSID (CVE-2024-43841) - gss_krb5: Fix the error handling path for crypto_sync_skcipher_setkey - bna: adjust 'name' buf size of bna_tcb and bna_ccb structures (CVE-2024-43839) - xdp: fix invalid wait context of page_pool_destroy() (CVE-2024-43834) - media: imon: Fix race getting ictx->lock - saa7134: Unchecked i2c_transfer function result fixed - media: uvcvideo: Allow entity-defined get_info and get_cur - media: uvcvideo: Override default flags - leds: trigger: Unregister sysfs attributes before calling deactivate() (CVE-2024-43830) - perf report: Fix condition in sort__sym_cmp() - [armhf] drm/etnaviv: fix DMA direction handling for cached RW buffers - drm/qxl: Add check for drm_cvt_mode (CVE-2024-43829) - Revert "leds: led-core: Fix refcount leak in of_led_get()" (regression in 5.10.173) - ext4: fix infinite loop when replaying fast_commit (CVE-2024-43828) - [arm64] media: venus: flush all buffers in output plane streamoff - [armhf] mfd: omap-usb-tll: Use struct_size to allocate tll - xprtrdma: Rename frwr_release_mr() - xprtrdma: Fix rpcrdma_reqs_reset() - SUNRPC: avoid soft lockup when transmitting UDP to reachable server. - ext4: avoid writing unitialized memory to disk in EA inodes - SUNRPC: Fixup gss_status tracepoint error output - PCI: Fix resource double counting on remove & rescan - RDMA/mlx4: Fix truncated output warning in mad.c - RDMA/mlx4: Fix truncated output warning in alias_GUID.c - RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs - RDMA/device: Return error earlier if port in not valid - Input: elan_i2c - do not leave interrupt disabled on suspend failure - [arm64] RDMA/hns: Fix missing pagesize and alignment check in FRMR - netfilter: ctnetlink: use helper function to calculate expect ID (CVE-2024-44944) - [arm*] net: dsa: mv88e6xxx: Limit chip-wide frame size config to CPU ports - [armhf] net: dsa: b53: Limit chip-wide jumbo frame config to CPU ports - [arm*] pinctrl: rockchip: update rk3308 iomux routes - pinctrl: core: fix possible memory leak when pinctrl_enable() fails - pinctrl: single: fix possible memory leak when pinctrl_enable() fails - [armhf] pinctrl: ti: ti-iodelay: Drop if block with always false condition - [armhf] pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable() fails - fs/proc/task_mmu: indicate PM_FILE for PMD-mapped file THP - nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro - rtc: interface: Add RTC offset to alarm after fix-up - tick/broadcast: Make takeover of broadcast hrtimer reliable - net: netconsole: Disable target before netpoll cleanup - af_packet: Handle outgoing VLAN packets without hardware offloading - ipv6: take care of scope when choosing the src addr - sched/fair: set_load_weight() must also call reweight_task() for SCHED_IDLE tasks - char: tpm: Fix possible memory leak in tpm_bios_measurements_open() - [arm64] media: venus: fix use after free in vdec_close (CVE-2024-42313) - hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode() (CVE-2024-42311) - ext2: Verify bitmap and itable block numbers before using them - [x86] drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes (CVE-2024-42310) - [x86] drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes (CVE-2024-42309) - scsi: qla2xxx: Fix optrom version displayed in FDMI - drm/amd/display: Check for NULL pointer (CVE-2024-42308) - sched/fair: Use all little CPUs for CPU-bound workloads - apparmor: use kvfree_sensitive to free data->data - task_work: s/task_work_cancel()/task_work_cancel_func()/ - task_work: Introduce task_work_cancel() again - udf: Avoid using corrupted block bitmap buffer (CVE-2024-42306) - ext4: check dot and dotdot of dx_root before making dir indexed (CVE-2024-42305) - ext4: make sure the first directory block is not a hole (CVE-2024-42304) - wifi: mwifiex: Fix interface type change - [x86] leds: ss4200: Convert PCIBIOS_* return codes to errnos - jbd2: make jbd2_journal_get_max_txn_bufs() internal - [x86] KVM: VMX: Split out the non-virtualization part of vmx_interrupt_blocked() - [x86] hwrng: amd - Convert PCIBIOS_* return codes to errnos - [amd64] PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN - [arm64] PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio - binder: fix hang of unregistered readers - dev/parport: fix the array out-of-bounds risk (CVE-2024-42301) - scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds - f2fs: fix to don't dirty inode for readonly filesystem (CVE-2024-42297) - ubi: eba: properly rollback inside self_check_eba - decompress_bunzip2: fix rare decompression failure - kobject_uevent: Fix OOB access within zap_modalias_env() (CVE-2024-42292) - devres: Fix devm_krealloc() wasting memory - rtc: cmos: Fix return value of nvmem callbacks - scsi: qla2xxx: During vport delete send async logout explicitly (CVE-2024-42289) - scsi: qla2xxx: Fix for possible memory corruption (CVE-2024-42288) - scsi: qla2xxx: Fix flash read failure - scsi: qla2xxx: Complete command early within lock (CVE-2024-42287) - scsi: qla2xxx: validate nvme_local_port correctly (CVE-2024-42286) - [x86] perf/x86/intel/pt: Fix topa_entry base length - [x86] perf/x86/intel/pt: Fix a topa_entry base address calculation - [x86] watchdog/perf: properly initialize the turbo mode timestamp and rearm counter - RDMA/iwcm: Fix a use-after-free related to destroying CM IDs (CVE-2024-42285) - rbd: don't assume rbd_is_lock_owner() for exclusive mappings - [arm*] drm/panfrost: Mark simple_ondemand governor as softdep - rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait - rbd: don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings - Bluetooth: btusb: Add RTL8852BE device 0489:e125 to device tables - Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591 - nilfs2: handle inconsistent state in nilfs_btnode_create_block() (CVE-2024-42295) - io_uring/io-wq: limit retrying worker initialisation - kernel: rerun task_work while freezing in get_signal() - jfs: Fix array-index-out-of-bounds in diFree (CVE-2024-43858) - f2fs: fix start segno of large section - dma: fix call order in dmam_free_coherent (CVE-2024-43856) - ipv4: Fix incorrect source address in Record Route option - net: bonding: correctly annotate RCU in bond_should_notify_peers() - [amd64] netfilter: nft_set_pipapo_avx2: disable softinterrupts - tipc: Return non-zero value from tipc_udp_addr2str() on error (CVE-2024-42284) - net: stmmac: Correct byte order of perfect_match - net: nexthop: Initialize all fields in dumped nexthops (CVE-2024-42283) - bpf: Fix a segment issue when downgrading gso_size (CVE-2024-42281) - [x86] mISDN: Fix a use after free in hfcmulti_tx() (CVE-2024-42280) - apparmor: Fix null pointer deref when receiving skb during sock creation (CVE-2023-52889) - lirc: rc_dev_get_from_fd(): fix file leak - ceph: fix incorrect kmalloc size of pagevec mempool - nvme: split command copy into a helper - nvme-pci: add missing condition check for existence of mapped data (CVE-2024-42276) - fs: don't allow non-init s_user_ns for filesystems without FS_USERNS_MOUNT - fuse: verify {g,u}id mount options correctly - sysctl: always initialize i_uid/i_gid (CVE-2024-42312) - ext4: factor out a common helper to query extent map - ext4: check the extent status again before inserting delalloc block - [arm64] soc: xilinx: move PM_INIT_FINALIZE to zynqmp_pm_domains driver - [arm64] drivers: soc: xilinx: check return status of get_api_version() - devres: Fix memory leakage caused by driver API devm_free_percpu() (CVE-2024-43871) - genirq: Allow the PM device to originate from irq domain - [arm*] irqchip/imx-irqsteer: Constify irq_chip struct - [arm*] irqchip/imx-irqsteer: Add runtime PM support - [arm*] irqchip/imx-irqsteer: Handle runtime power management correctly (CVE-2024-42290) - remoteproc: imx_rproc: ignore mapping vdev regions (CVE-2024-43860) - drm/nouveau: prime: fix refcount underflow (CVE-2024-43867) - [x86] drm/vmwgfx: Fix overlay when using Screen Targets - sched: act_ct: take care of padding in struct zones_ht_key (CVE-2024-42272) - net/mlx5e: Add a check for the return value from mlx5_port_set_eth_ptys - ipv6: fix ndisc_is_useropt() handling for PIO - [arm*] platform/chrome: cros_ec_proto: Lock device when updating MKBP version - HID: wacom: Modify pen IDs - protect the fetch of ->fd[fd] in do_dup2() from mispredictions (CVE-2024-42265) - ALSA: usb-audio: Correct surround channels in UAC1 channel map - [x86] ALSA: hda/realtek: Add quirk for Acer Aspire E5-574G - net: usb: sr9700: fix uninitialized variable use in sr_mdio_read - r8169: don't increment tx_dropped in case of NETDEV_TX_BUSY - genirq: Allow irq_chip registration functions to take a const irq_chip - [arm64] irqchip/mbigen: Fix mbigen node address layout - [i386] mm: Fix pti_clone_pgtable() alignment assumption (CVE-2024-44965) - [i386] mm: Fix pti_clone_entry_text() for i386 - sctp: move hlist_node and hashent out of sctp_ep_common - sctp: Fix null-ptr-deref in reuseport_add_sock(). (CVE-2024-44935) - net: usb: qmi_wwan: fix memory leak for not ip packets (CVE-2024-43861) - net: linkwatch: use system_unbound_wq - Bluetooth: l2cap: always unlock channel in l2cap_conless_channel() - [armhf] net: dsa: bcm_sf2: Fix a possible memory leak in bcm_sf2_mdio_register() (CVE-2024-44971) - l2tp: fix lockdep splat - [arm*] net: fec: Stop PPS on driver remove - md: do not delete safemode_timer in mddev_suspend - md/raid5: avoid BUG_ON() while continue reshape after reassembling (CVE-2024-43914) - ACPI: battery: create alarm sysfs attribute atomically - [x86] ACPI: SBS: manage alarm sysfs attribute through psy core - udf: prevent integer overflow in udf_bitmap_free_blocks() - wifi: nl80211: don't give key data to userspace - btrfs: fix bitmap leak when loading free space cache on duplicate entry - drm/amdgpu: Fix the null pointer dereference to ras_manager (CVE-2024-43908) - drm/amdgpu/pm: Fix the null pointer dereference in apply_state_adjust_rules (CVE-2024-43907) - media: uvcvideo: Ignore empty TS packets - media: uvcvideo: Fix the bandwdith quirk on USB 3.x - jbd2: avoid memleak in jbd2_journal_write_metadata_buffer - SUNRPC: Fix a race to wake a sync task - sched/cputime: Fix mul_u64_u64_div_u64() precision for cputime - ext4: fix wrong unit use in ext4_mb_find_by_goal - [arm64] cpufeature: Force HWCAP to be based on the sysreg visible to user-space - [arm64] Add Neoverse-V2 part - [arm64] cputype: Add Cortex-X4 definitions - [arm64] cputype: Add Neoverse-V3 definitions - [arm64] errata: Add workaround for Arm errata 3194386 and 3312417 - [arm64] cputype: Add Cortex-X3 definitions - [arm64] cputype: Add Cortex-A720 definitions - [arm64] cputype: Add Cortex-X925 definitions - [arm64] errata: Unify speculative SSBS errata logic - [arm64] errata: Expand speculative SSBS workaround - [arm64] cputype: Add Cortex-X1C definitions - [arm64] cputype: Add Cortex-A725 definitions - [arm64] errata: Expand speculative SSBS workaround (again) - i2c: smbus: Improve handling of stuck alerts - i2c: smbus: Send alert notifications to all devices if source not found - kprobes: Fix to check symbol prefixes correctly - ALSA: usb-audio: Re-add ScratchAmp quirk entries - drm/client: fix null pointer dereference in drm_client_modeset_probe (CVE-2024-43894) - ALSA: line6: Fix racy access to midibuf (CVE-2024-44954) - [x86] ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list - [x86] ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4 - usb: vhci-hcd: Do not drop references before new references are gained (CVE-2024-43883) - USB: serial: debug: do not echo input by default - usb: gadget: core: Check for unset descriptor (CVE-2024-44960) - usb: gadget: u_serial: Set start_delayed during suspend - scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic - tick/broadcast: Move per CPU pointer access into the atomic section (CVE-2024-44968) - ntp: Clamp maxerror and esterror to operating range - driver core: Fix uevent_show() vs driver detach race (CVE-2024-44952) - ntp: Safeguard against time_constant overflow - scsi: mpt3sas: Remove scsi_dma_map() error messages - scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES - [arm*] irqchip/meson-gpio: support more than 8 channels gpio irq - [arm*] irqchip/meson-gpio: Convert meson_gpio_irq_controller::lock to 'raw_spinlock_t' - serial: core: check uartclk for zero to avoid divide by zero (CVE-2024-43893) - genirq/irqdesc: Honor caller provided affinity in alloc_desc() - padata: Fix possible divide-by-0 panic in padata_mt_helper() (CVE-2024-43889) - tracing: Fix overflow in get_free_elt() (CVE-2024-43890) - [x86] mtrr: Check if fixed MTRRs exist before saving them (CVE-2024-44948) - [arm*] drm/bridge: analogix_dp: properly handle zero sized AUX transactions - [x86] drm/mgag200: Set DDC timeout in milliseconds - PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal (CVE-2024-42302) - netfilter: nf_tables: set element extended ACK reporting support - netfilter: nf_tables: use timestamp to check for set element timeout (CVE-2024-27397) - netfilter: nf_tables: allow clone callbacks to sleep - netfilter: nf_tables: prefer nft_chain_validate (CVE-2024-41042) - [x86] drm/i915/gem: Fix Virtual Memory mapping boundaries calculation (CVE-2024-42259) - [arm64] cpufeature: Fix the visibility of compat hwcaps - media: uvcvideo: Use entity get_cur in uvc_ctrl_set - exec: Fix ToCToU between perm check and set-uid/gid usage (CVE-2024-43882) - [x86] nvme/pci: Add APST quirk for Lenovo N60z laptop - wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values (CVE-2024-42114) https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.225 - fuse: Initialize beyond-EOF page contents before setting uptodate (CVE-2024-44947) - ALSA: usb-audio: Support Yamaha P-125 quirk entry - [x86] xhci: Fix Panther point NULL pointer deref at full-speed re- enumeration (CVE-2024-45006) - [x86] thunderbolt: Mark XDomain as unplugged when router is removed (CVE-2024-46702) - [arm64] ACPI: NUMA: initialize all values of acpi_early_node_map to NUMA_NO_NODE - dm resume: don't return EINVAL when signalled - dm persistent data: fix memory allocation failure - vfs: Don't evict inode under the inode lru traversing context (CVE-2024-45003) - bitmap: introduce generic optimized bitmap_size() - fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE (CVE-2024-45025) - selinux: fix potential counting error in avc_add_xperms_decision() - btrfs: tree-checker: add dev extent item checks - drm/amdgpu: Actually check flags for all context ops. - memcg_write_event_control(): fix a user-triggerable oops (CVE-2024-45021) - drm/amdgpu/jpeg2: properly set atomics vmid field - btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits() - net/mlx5e: Correctly report errors for ethtool rx flows - [x86] atm: idt77252: prevent use after free in dequeue_rx() (CVE-2024-44998) - netfilter: flowtable: initialise extack before use (CVE-2024-45018) - [arm64] net: hns3: fix wrong use of semaphore up - [arm64] net: hns3: fix a deadlock problem when config TC during resetting (CVE-2024-44995) - ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7 - ssb: Fix division by zero issue in ssb_calc_clock_rate - wifi: mac80211: fix BA session teardown race - [i386] media: radio-isa: use dev_name to fill in bus_info - binfmt_misc: cleanup on filesystem umount - [arm64] media: qcom: venus: fix incorrect return value - scsi: spi: Fix sshdr use - gfs2: setattr_chown: Add missing initialization - wifi: iwlwifi: abort scan when rfkill on but device enabled - [amd64] IB/hfi1: Fix potential deadlock on &irq_src_lock and &dd->uctxt_lock - nvmet-trace: avoid dereferencing pointer too early - ext4: do not trim the group with corrupted block bitmap - quota: Remove BUG_ON from dqget() - media: pci: cx23885: check cx23885_vdev_init() return - scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list() - [arm*] drm/lima: set gp bus_stop bit before hard reset - virtiofs: forbid newlines in tags - netlink: hold nlk->cb_mutex longer in __netlink_dump_start() - md: clean up invalid BUG_ON in md_ioctl - [x86] Increase brk randomness entropy for 64-bit systems - btrfs: change BUG_ON to assertion when checking for delayed_node root - btrfs: handle invalid root reference found in may_destroy_subvol() - btrfs: send: handle unexpected data in header buffer in begin_cmd() - btrfs: delete pointless BUG_ON check on quota root in btrfs_qgroup_account_extent() - f2fs: fix to do sanity check in update_sit_entry - usb: gadget: fsl: Increase size of name buffer for endpoints - Bluetooth: bnep: Fix out-of-bound access - [arm64] net: hns3: add checking for vf id of mailbox - nvmet-tcp: do not continue for invalid icreq - NFS: avoid infinite loop in pnfs_update_layout. - [arm*] usb: dwc3: core: Skip setting event buffers for host only controllers - usb: dwc3: st: fix probed platform device ref count on probe error path (CVE-2024-46674) - [arm*] irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc - ext4: set the type of max_zeroout to unsigned int to avoid overflow - nvmet-rdma: fix possible bad dereference when freeing rsps - hrtimer: Prevent queuing of hrtimer without a function callback - gtp: pull network headers in gtp_dev_xmit() (CVE-2024-44999) - block: use "unsigned long" for blk_validate_block_size(). - media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c) - dm suspend: return -ERESTARTSYS instead of -EINTR - Bluetooth: hci_core: Fix LE quote calculation - Bluetooth: SMP: Fix assumption of Central always being Initiator - kcm: Serialise kcm_sendmsg() for the same socket. (CVE-2024-44946) - netfilter: nft_counter: Synchronize nft_counter_reset() against reader. - ip6_tunnel: Fix broken GRO - bonding: fix bond_ipsec_offload_ok return type - bonding: fix null pointer deref in bond_ipsec_offload_ok (CVE-2024-44990) - bonding: fix xfrm real_dev null pointer dereference (CVE-2024-44989) - bonding: fix xfrm state handling when clearing active slave - ice: fix ICE_LAST_OFFSET formula - [arm*] net: dsa: mv88e6xxx: read FID when handling ATU violations - [arm*] net: dsa: mv88e6xxx: replace ATU violation prints with trace points - [arm*] net: dsa: mv88e6xxx: Fix out-of-bound access (CVE-2024-44988) - netem: fix return value if duplicate enqueue fails (CVE-2024-45016) - ipv6: prevent UAF in ip6_send_skb() (CVE-2024-44987) - [arm64] drm/msm/dpu: don't play tricks with debug macros - [arm64] drm/msm/dp: reset the link phy params before link training - mmc: mmc_test: Fix NULL dereference on allocation failure (CVE-2024-45028) - Bluetooth: MGMT: Add error handling to pair_device() (CVE-2024-43884) - binfmt_misc: pass binfmt_misc flags to the interpreter - HID: wacom: Defer calculation of resolution until resolution_code is known - HID: microsoft: Add rumble support to latest xbox controllers - cxgb4: add forgotten u64 ivlan cast before shift - [arm64] KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3 (CVE-2024-46707) - [arm*] mmc: dw_mmc: allow biu and ciu clocks to defer - ALSA: timer: Relax start tick time check for slave timer elements - nfsd: Don't call freezable_schedule_timeout() after each successful page allocation in svc_alloc_arg(). - Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in HCIUARTGETPROTO (CVE-2023-31083) - Input: MT - limit max slots (CVE-2024-45008) - drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc (CVE-2024-42228) - [arm64] KVM: arm64: Don't use cbz/adr with external symbols - [arm64] pinctrl: rockchip: correct RK3328 iomux width flag for GPIO2-B pins - [arm*] pinctrl: single: fix potential NULL dereference in pcs_get_function() (CVE-2024-46685) - wifi: mwifiex: duplicate static structs used in driver instances - ipc: replace costly bailout check in sysvipc_find_ipc() (CVE-2021-3669) - [amd64] drm/amdkfd: don't allow mapping the MMIO HDP page with large pages (CVE-2024-41011) - media: uvcvideo: Fix integer overflow calculating timestamp - ata: libata-core: Fix null pointer dereference on error (CVE-2024-41098) - cgroup/cpuset: Prevent UAF in proc_cpuset_show() (CVE-2024-43853) - net:rds: Fix possible deadlock in rds_message_put - ovl: do not fail because of O_NOATIME - soundwire: stream: fix programming slave ports for non-continous port maps - [x86] dmaengine: dw: Add peripheral bus width verification - [x86] dmaengine: dw: Add memory bus width verification - ethtool: check device is present when getting link settings (CVE-2024-46679) - gtp: fix a potential NULL pointer dereference (CVE-2024-46677) - net: busy-poll: use ktime_get_ns() instead of local_clock() - nfc: pn533: Add poll mod list filling check (CVE-2024-46676) - [arm64] soc: qcom: cmd-db: Map shared memory as WC, not WB (CVE-2024-46689) - cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller - USB: serial: option: add MeiG Smart SRM825L - [armhf] usb: dwc3: omap: add missing depopulate in probe error path - [arm*] usb: dwc3: core: Prevent USB core invalid event buffer address access (CVE-2024-46675) - usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in remove_power_attributes() - scsi: aacraid: Fix double-free on probe failure (CVE-2024-46673) https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.226 - [x86] drm: panel-orientation-quirks: Add quirk for OrangePi Neo - ALSA: hda/conexant: Mute speakers at suspend / shutdown - net: usb: qmi_wwan: add MeiG Smart SRM825L - drm/amdgpu: Fix uninitialized variable warning in amdgpu_afmt_acr - drm/amdgpu: fix overflowed array index read warning - drm/amd/pm: fix uninitialized variable warning for smu8_hwmgr - drm/amd/pm: fix warning using uninitialized value of max_vid_step - drm/amd/pm: fix the Out-of-bounds read warning (CVE-2024-46731) - drm/amdgpu: fix uninitialized scalar variable warning - drm/amd/pm: fix uninitialized variable warnings for vega10_hwmgr (CVE-2024-43905) - drm/amdgpu: avoid reading vf2pf info size from FB - drm/amd/display: Check gpio_id before used as array index (CVE-2024-46818) - drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6 (CVE-2024-46817) - drm/amd/display: Add array index check for hdcp ddc access (CVE-2024-46804) - drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[] (CVE-2024-46815) - drm/amd/display: Check msg_id before processing transcation (CVE-2024-46814) - drm/amd/display: Fix Coverity INTEGER_OVERFLOW within dal_gpio_service_create - drm/amdgpu/pm: Fix uninitialized variable agc_btc_response - drm/amdgpu: Fix out-of-bounds write warning (CVE-2024-46725) - drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number (CVE-2024-46724) - drm/amdgpu: fix ucode out-of-bounds read warning (CVE-2024-46723) - drm/amdgpu: fix mc_data out-of-bounds read warning (CVE-2024-46722) - [amd64] drm/amdkfd: Reconcile the definition and use of oem_id in struct kfd_topology_device - apparmor: fix possible NULL pointer dereference (CVE-2024-46721) - drm/amdgpu/pm: Check input value for CUSTOM profile mode setting on legacy SOCs - drm/amdgpu: the warning dereferencing obj for nbio_v7_4 (CVE-2024-46819) - drm/amd/pm: check negtive return for table entries - wifi: iwlwifi: remove fw_running op - [arm64] PCI: al: Check IORESOURCE_BUS existence during probe - hwspinlock: Introduce hwspin_lock_bust() - usbip: Don't submit special requests twice - usb: typec: ucsi: Fix null pointer dereference in trace (CVE-2024-46719) - fsnotify: clear PARENT_WATCHED flags lazily - [arm64] drm/meson: plane: Add error handling - wifi: cfg80211: make hash table duplicates more survivable - block: remove the blk_flush_integrity call in blk_integrity_unregister - drm/amd/display: Skip wbscl_set_scaler_filter if filter is null (CVE-2024-46714) - media: uvcvideo: Enforce alignment of frame and interval - block: initialize integrity buffer to zero before writing it to media (CVE-2024-43854) - drm/amd/pm: Fix the null pointer dereference for vega10_hwmgr - bpf, cgroups: Fix cgroup v2 fallback on v1/v2 mixed mode - net: set SOCK_RCU_FREE before inserting socket into hashtable - virtio_net: Fix napi_skb_cache_put warning (CVE-2024-43835) - rcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow (CVE-2024-38577) - udf: Limit file size to 4TB - ext4: handle redirtying in ext4_bio_write_page() - bpf, cgroup: Assign cgroup in cgroup_sk_alloc when called from interrupt - sch/netem: fix use after free in netem_dequeue (CVE-2024-46800) - ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object (CVE-2024-46798) - [x86] ALSA: hda/conexant: Add pincfg quirk to enable top speakers on Sirius devices - [x86] ALSA: hda/realtek: add patch for internal mic in Lenovo V145 - [x86] ALSA: hda/realtek: Support mute LED on HP Laptop 14-dq2xxx - ata: libata: Fix memory leak for error path in ata_host_alloc() - [arm*] irqchip/gic-v2m: Fix refcount leak in gicv2m_of_init() - Revert "Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/ LE" (regresion in 5.10.206) - Bluetooth: MGMT: Ignore keys being loaded with invalid type - [arm*] mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K - [armhf] mmc: sdhci-of-aspeed: fix module autoloading - fuse: update stats for pages in dropped aux writeback list - fuse: use unsigned type for getxattr/listxattr size truncation - [arm64] clk: qcom: clk-alpha-pll: Fix the pll post div mask - [arm64] clk: qcom: clk-alpha-pll: Fix the trion pll postdiv set rate API - can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open (CVE-2024-46791) - tracing: Avoid possible softlockup in tracing_iter_reset() - ila: call nf_unregister_net_hooks() sooner (CVE-2024-46782) - sched: sch_cake: fix bulk flow accounting logic for host fairness (CVE-2024-46828) - nilfs2: fix missing cleanup on rollforward recovery error (CVE-2024-46781) - nilfs2: fix state management in error path of log writing function - btrfs: fix use-after-free after failure to create a snapshot (CVE-2022-48733) - mptcp: pm: avoid possible UaF when selecting endp (CVE-2024-44974) - nfsd: move reply cache initialization into nfsd startup - nfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net - NFSD: Refactor nfsd_reply_cache_free_locked() - NFSD: Rename nfsd_reply_cache_alloc() - NFSD: Replace nfsd_prune_bucket() - NFSD: Refactor the duplicate reply cache shrinker - NFSD: simplify error paths in nfsd_svc() - NFSD: Fix frame size warning in svc_export_parse() - sunrpc: don't change ->sv_stats if it doesn't exist - nfsd: stop setting ->pg_stats for unused stats - sunrpc: pass in the sv_stats struct through svc_create_pooled - sunrpc: remove ->pg_stats from svc_program - sunrpc: use the struct net as the svc proc private - nfsd: rename NFSD_NET_* to NFSD_STATS_* - nfsd: expose /proc/net/sunrpc/nfsd in net namespaces - nfsd: make all of the nfsd stats per-network namespace - nfsd: remove nfsd_stats, make th_cnt a global counter - nfsd: make svc_stat per-network namespace instead of global - ALSA: hda: Add input value sanity checks to HDMI channel map controls - [armhf] irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1 - af_unix: Remove put_pid()/put_cred() in copy_peercred(). - netfilter: nf_conncount: fix wrong variable type - udf: Avoid excessive partition lengths (CVE-2024-46777) - media: vivid: fix wrong sizeimage value for mplane - wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3 - usb: uas: set host status byte on data completion error - media: vivid: don't set HDMI TX controls if there are no HDMI outputs - [x86] pcmcia: Use resource_size function on resource object - can: bcm: Remove proc entry when dev is unregistered. (CVE-2024-46771) - igb: Fix not clearing TimeSync interrupts for 82580 - svcrdma: Catch another Reply chunk overflow case - [x86] platform/x86: dell-smbios: Fix error path in dell_smbios_init() - tcp_bpf: fix return value of tcp_bpf_sendmsg() (CVE-2024-46783) - igc: Unlock on error in igc_io_resume() - drivers/net/usb: Remove all strcpy() uses - net: usb: don't write directly to netdev->dev_addr - usbnet: modern method to get random MAC - gro: remove rcu_read_lock/rcu_read_unlock from gro_receive handlers - gro: remove rcu_read_lock/rcu_read_unlock from gro_complete handlers - fou: Fix null-ptr-deref in GRO. (CVE-2024-46763) - net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN - ASoC: topology: Properly initialize soc_enum values - dm init: Handle minors larger than 255 - [x86] iommu/vt-d: Handle volatile descriptor status read - cgroup: Protect css->cgroup write under css_set_lock - um: line: always fill *error_out in setup_one_line() (CVE-2024-46844) - devres: Initialize an uninitialized struct member - hwmon: (adc128d818) Fix underflows seen when writing limit attributes (CVE-2024-46759) - hwmon: (lm95234) Fix underflows seen when writing limit attributes (CVE-2024-46758) - hwmon: (nct6775-core) Fix underflows seen when writing limit attributes (CVE-2024-46757) - hwmon: (w83627ehf) Fix underflows seen when writing limit attributes (CVE-2024-46756) - libbpf: Add NULL checks to bpf_object__{prev_map,next_map} - wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id() (CVE-2024-46755) - btrfs: replace BUG_ON with ASSERT in walk_down_proc() - btrfs: clean up our handling of refs == 0 in snapshot delete (CVE-2024-46840) - PCI: Add missing bridge lock to pci_bus_lock() (CVE-2024-46750) - HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup (CVE-2024-46747) - Input: uinput - reject requests with unreasonable number of slots (CVE-2024-46745) - usbnet: ipheth: race between ipheth_close and error handling - Squashfs: sanity check symbolic link size (CVE-2024-46744) - of/irq: Prevent device address out-of-bounds read in interrupt map walk (CVE-2024-46743) - lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc() - NFSv4: Add missing rescheduling points in nfs_client_return_marked_delegations - iio: buffer-dmaengine: fix releasing dma channel on error - iio: fix scale application in iio_convert_raw_to_processed_unlocked - iio: adc: ad7124: fix chip ID mismatch - binder: fix UAF caused by offsets overwrite (CVE-2024-46740) - nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc - [x86] uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind (CVE-2024-46739) - [x86] Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic - [x86] VMCI: Fix use-after-free when removing resource in vmci_resource_remove() (CVE-2024-46738) - clocksource/drivers/timer-of: Remove percpu irq related code - uprobes: Use kzalloc to allocate xol area - perf/aux: Fix AUX buffer serialization (CVE-2024-46713) - nilfs2: replace snprintf in show functions with sysfs_emit - nilfs2: protect references to superblock parameters exposed in sysfs (CVE-2024-46780) - ACPI: processor: Return an error if acpi_processor_get_info() fails in processor_add() - ACPI: processor: Fix memory leaks in error paths of processor_add() - [arm64] acpi: Move get_cpu_for_acpi_id() to a header - [arm64] acpi: Harden get_cpu_for_acpi_id() against missing CPU entry (CVE-2024-46822) - nvmet-tcp: fix kernel crash if commands allocation fails (CVE-2024-46737) - mmc: cqhci: Fix checking of CQHCI_HALT state - rtmutex: Drop rt_mutex::wait_lock before scheduling (CVE-2024-46829) - [i386] x86/mm: Fix PTI for i386 some more - net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket (CVE-2024-42246) - memcg: protect concurrent access to mem_cgroup_idr (CVE-2024-43892) . [ Ben Hutchings ] * Drop "netfilter: ipset: Add list flush to cancel_gc", included in 5.10.224 * Bump ABI to 33 * debian/README.source: Tag signatures are automatically verified * d/bin/genorig.py, d/README.source: Only support Git as upstream * d/bin/genorig.py, d/README.source: Add support for remote upstream repos * lintian: Refresh lintian-overrides * d/bin/gencontrol.py, d/lib/python: Use classes for build restriction formulae * d/bin/gencontrol.py, d/rules.real: Replace DEBUG variable with if_package * Introduce pkg.linux.quick build profile for quicker CI builds * d/salsa-ci.yml: Add CI config using some of the common pipeline * d/salsa-ci.yml, d/tests/python: Only run static checks in CI * d/salsa-ci.yml: Run kconfigeditor2 as kconfig static check * d/salsa-ci.yml: Use per-release cache of orig tarballs * d/bin/gencontrol_signed.py: Add support for pkg.linux.quick profile * lintian: Add lintian-overrides to linux-signed-* for non-issues * d/salsa-ci.yml: Don't disable signed code * d/certs: Add certificate and key to enable test signing in CI * d/salsa-ci.yml: Add jobs to build and test the signed packages * d/tests: Remove obsolete dependencies of python test * d/tests: Add kbuild test that builds a trivial OOT module * lintian: Update overrides for lintian 2.115 * d/tests: kbuild test case depends on python3 * d/tests: Run kbuild test with default flavour if quick flavour not defined * d/lib/python/debian_linux/debian.py: Add Architecture field to TestsControl * d/tests: Restrict kbuild tests to architectures with default or quick flavour * d/tests/kbuild: Fix default-flavour lookup for arches with no featuresets * d/tests/kbuild: Make flavour lookup verbose * d/lib/python/debian_linux, d/templates: Use variable for binary package name * lintian: Update overrides in linux-image-*-dbg for lintian 2.115 * [arm64] lintian: Override errors for vdso32.so in linux-image-*-dbg * d/salsa-ci.yml: Use !reference to include scripts from common pipeline * d/salsa-ci.yml: Remove obsolete lintian error suppressions * d/salsa-ci.yml: Run extract-source job in target release, not unstable * d/salsa-ci.yml: Set RELEASE to bullseye * d/config: Delete config settings for removed and automatic symbols * hyperv-daemons: Add lintian-override for depends-on-obsolete-package * [rt] Update to 5.10.225-rt117 * [rt] Refresh patches: - Refresh "locking/rtmutex: Remove output from deadlock detector." - Refresh "locking/rtmutex: Provide rt_mutex_slowlock_locked()" - Refresh "locking/rtmutex: add ww_mutex addon for mutex-rt" * cgroup: Fix locking regression in 5.10.225: - cgroup: Make operations on the cgroup root_list RCU safe - cgroup: Move rcu_head up near the top of cgroup_roo * [x86] Fix CPU matching regression in 5.10.221: - Input: goodix - use the new soc_intel_is_byt() helper - powercap: RAPL: fix invalid initialization for pl4_supported field - x86/mm: Switch to new Intel CPU model defines * bpf: Fix memory accounting regression in 5.10.214: - Revert "bpf: Fix DEVMAP_HASH overflow check on 32-bit arches" - Revert "bpf: Eliminate rlimit-based memory accounting for devmap maps" - bpf: Fix DEVMAP_HASH overflow check on 32-bit arches . [ Mateusz Łukasik ] * d/salsa-ci.yml: Add linux-compiler-* packages to build-signed job artifacts . [ Martyn Welch ] * Increase timeout of CI build stage to 3 hours to enable build to complete Checksums-Sha1: 6e0a8f00d8343cf39782189f0c79b40b79cd2799 209423 linux_5.10.226-1.dsc c94fb006159b212c50567250452829aa7f589cb8 122010948 linux_5.10.226.orig.tar.xz 89d2e49ce2ceceab701c6d6ef9de563292c5e9ea 1708652 linux_5.10.226-1.debian.tar.xz 1618e4dbdcf91aea7a97b6d0773a420538967efd 6159 linux_5.10.226-1_source.buildinfo Checksums-Sha256: f4c5fb21ff6e3370a0bc082653fecf0754f6de207364ec1952e949b76a03bbdb 209423 linux_5.10.226-1.dsc 98f9a880ad3521cfc4c94842dc0b760ed630ce369131b3af7ceb5f4415251b9b 122010948 linux_5.10.226.orig.tar.xz 9ea6cfc54485ac70e605965ed360b737c937b714a49b9588e567604d4ffe276f 1708652 linux_5.10.226-1.debian.tar.xz 5a7b445182d34089192580381fb53082f3714e47e86a52f9fec1994495c1657a 6159 linux_5.10.226-1_source.buildinfo Files: f249f92c26e067457c4b9ae5ea0b4b26 209423 kernel optional linux_5.10.226-1.dsc 5e9587747d5cf07d591fe33d11e85bcd 122010948 kernel optional linux_5.10.226.orig.tar.xz 5065960c29d45956660412525900286d 1708652 kernel optional linux_5.10.226-1.debian.tar.xz 5e93a3782517d345709c7fadb52bc1d6 6159 kernel optional linux_5.10.226-1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAmcBiLoACgkQ57/I7JWG EQklOxAAv9xIKivUFFSJQ5DnjVUrkUAiNKfcYvHOluWkvXG9eccjRhMfPu7eW3hx ZW7IqfM9Dc/hbGk+W2FnHd8uSqyXxnM2nEGMeFyNNYllQEK1rpgh71XAYkMg+/Qb K72CycxcVp9YOmcfS0QnLIOHkrrMT5TN4+Kq8/CtlQjc2GuiXmaq3BcBd9hZln2i wLn+kJUEhXZOd0hF4TqsvdwYJw6jqhOZxqw9tva/p7XYuz1TNmWbERMuS+iQZuQa TwbSb0sa0h+w+uVcMuESGGx5W+S4S2SrfTbHBTpLDTbn2eAJJSr/elI6qZ9/yerg EplpCXtTQsNHXEW1bsSMnZGb/ta8sitgkHsHnFsON0RuUYN5R58P1ZuHrjWoPcWK XqpvuPC7I39bQJ7x5+NzgmiJUyiT8iUd7Ssv2kUHpGGwvHDmRS4u6kxRyLon8hZf jWTSQod/URUxAE923jys0mLs4lc93UiIZgjzt33+z3DzJS2+RAGAP0IjRrtTJzH8 WtTP2BkKeTGZt85+Tz6E4fdC9j/G5btRr6hGglmlod8Lv7t7VOvFKklYPBIrAz2y gdW8wDgZodYmxkof6V+oUk/eZz/HzAAvBS723P3BW3hcoFZrOxoh3AUHSuXSDbKW 3GcIq7ydDXbZI1W2OXbLmmHVM8Dd2O+4QcGA7ngA2rhfAeGHX3w= =7+9K -----END PGP SIGNATURE-----