-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 03 Oct 2024 23:58:46 +0200
Source: linux-signed-amd64
Architecture: source
Version: 5.10.226+1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Ben Hutchings <benh@debian.org>
Changes:
linux-signed-amd64 (5.10.226+1) bullseye-security; urgency=high
.
* Sign kernel from linux 5.10.226-1
.
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.224
- [amd64] EDAC/skx_common: Add new ADXL components for 2-level memory
- [amd64] EDAC, i10nm: make skx_common.o a separate module
- [arm64] platform/chrome: cros_ec_debugfs: fix wrong EC message version
- hfsplus: fix to avoid false alarm of circular locking
- [i386] of: Return consistent error type from x86_of_pci_irq_enable()
- [x86] pci/xen: Fix PCIBIOS_* return code handling
- [x86] platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos
- hwmon: (adt7475) Fix default duty on fan is disabled
- [arm64] dts: qcom: msm8996: specify UFS core_clk frequencies
- [arm*] soc: qcom: pdr: protect locator_addr with the main mutex
(CVE-2024-43849)
- [arm64] dts: rockchip: Increase VOP clk rate on RK3328
- [arm64] dts: amlogic: gx: correct hdmi clocks
- [arm64] firmware: turris-mox-rwtm: Fix checking return value of
wait_for_completion_timeout()
- [arm64] firmware: turris-mox-rwtm: Initialize completion before mailbox
- wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device
- net: esp: cleanup esp_output_tail_tcp() in case of unsupported ESPINTCP
- net/smc: Allow SMC-D 1MB DMB allocations
- net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when
CONFIG_ARCH_NO_SG_CHAIN is defined
- lib: objagg: Fix general protection fault (CVE-2024-43846)
- mlxsw: spectrum_acl_erp: Fix object nesting warning (CVE-2024-43880)
- ath11k: dp: stop rx pktlog before suspend
- wifi: ath11k: fix wrong handling of CCMP256 and GCMP ciphers
- wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he()
- wifi: cfg80211: handle 2x996 RU allocation in
cfg80211_calculate_bitrate_he() (CVE-2024-43879)
- [arm*] net: fec: Refactor: #define magic constants
- [arm*] net: fec: Fix FEC_ECR_EN1588 being cleared on link-down
- ipvs: Avoid unnecessary calls to skb_is_gso_sctp
- netfilter: nf_tables: rise cap on SELinux secmark context
- [x86] perf/x86/intel/pt: Fix pt_topa_entry_for_page() address calculation
- perf: Fix perf_aux_size() for greater-than 32-bit size
- perf: Prevent passing zero nr_pages to rb_alloc_aux()
- qed: Improve the stack space of filter_config()
- wifi: virt_wifi: avoid reporting connection success with wrong SSID
(CVE-2024-43841)
- gss_krb5: Fix the error handling path for crypto_sync_skcipher_setkey
- bna: adjust 'name' buf size of bna_tcb and bna_ccb structures
(CVE-2024-43839)
- xdp: fix invalid wait context of page_pool_destroy() (CVE-2024-43834)
- media: imon: Fix race getting ictx->lock
- saa7134: Unchecked i2c_transfer function result fixed
- media: uvcvideo: Allow entity-defined get_info and get_cur
- media: uvcvideo: Override default flags
- leds: trigger: Unregister sysfs attributes before calling deactivate()
(CVE-2024-43830)
- perf report: Fix condition in sort__sym_cmp()
- [armhf] drm/etnaviv: fix DMA direction handling for cached RW buffers
- drm/qxl: Add check for drm_cvt_mode (CVE-2024-43829)
- Revert "leds: led-core: Fix refcount leak in of_led_get()"
(regression in 5.10.173)
- ext4: fix infinite loop when replaying fast_commit (CVE-2024-43828)
- [arm64] media: venus: flush all buffers in output plane streamoff
- [armhf] mfd: omap-usb-tll: Use struct_size to allocate tll
- xprtrdma: Rename frwr_release_mr()
- xprtrdma: Fix rpcrdma_reqs_reset()
- SUNRPC: avoid soft lockup when transmitting UDP to reachable server.
- ext4: avoid writing unitialized memory to disk in EA inodes
- SUNRPC: Fixup gss_status tracepoint error output
- PCI: Fix resource double counting on remove & rescan
- RDMA/mlx4: Fix truncated output warning in mad.c
- RDMA/mlx4: Fix truncated output warning in alias_GUID.c
- RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs
- RDMA/device: Return error earlier if port in not valid
- Input: elan_i2c - do not leave interrupt disabled on suspend failure
- [arm64] RDMA/hns: Fix missing pagesize and alignment check in FRMR
- netfilter: ctnetlink: use helper function to calculate expect ID
(CVE-2024-44944)
- [arm*] net: dsa: mv88e6xxx: Limit chip-wide frame size config to CPU
ports
- [armhf] net: dsa: b53: Limit chip-wide jumbo frame config to CPU ports
- [arm*] pinctrl: rockchip: update rk3308 iomux routes
- pinctrl: core: fix possible memory leak when pinctrl_enable() fails
- pinctrl: single: fix possible memory leak when pinctrl_enable() fails
- [armhf] pinctrl: ti: ti-iodelay: Drop if block with always false
condition
- [armhf] pinctrl: ti: ti-iodelay: fix possible memory leak when
pinctrl_enable() fails
- fs/proc/task_mmu: indicate PM_FILE for PMD-mapped file THP
- nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro
- rtc: interface: Add RTC offset to alarm after fix-up
- tick/broadcast: Make takeover of broadcast hrtimer reliable
- net: netconsole: Disable target before netpoll cleanup
- af_packet: Handle outgoing VLAN packets without hardware offloading
- ipv6: take care of scope when choosing the src addr
- sched/fair: set_load_weight() must also call reweight_task() for
SCHED_IDLE tasks
- char: tpm: Fix possible memory leak in tpm_bios_measurements_open()
- [arm64] media: venus: fix use after free in vdec_close (CVE-2024-42313)
- hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()
(CVE-2024-42311)
- ext2: Verify bitmap and itable block numbers before using them
- [x86] drm/gma500: fix null pointer dereference in
cdv_intel_lvds_get_modes (CVE-2024-42310)
- [x86] drm/gma500: fix null pointer dereference in
psb_intel_lvds_get_modes (CVE-2024-42309)
- scsi: qla2xxx: Fix optrom version displayed in FDMI
- drm/amd/display: Check for NULL pointer (CVE-2024-42308)
- sched/fair: Use all little CPUs for CPU-bound workloads
- apparmor: use kvfree_sensitive to free data->data
- task_work: s/task_work_cancel()/task_work_cancel_func()/
- task_work: Introduce task_work_cancel() again
- udf: Avoid using corrupted block bitmap buffer (CVE-2024-42306)
- ext4: check dot and dotdot of dx_root before making dir indexed
(CVE-2024-42305)
- ext4: make sure the first directory block is not a hole (CVE-2024-42304)
- wifi: mwifiex: Fix interface type change
- [x86] leds: ss4200: Convert PCIBIOS_* return codes to errnos
- jbd2: make jbd2_journal_get_max_txn_bufs() internal
- [x86] KVM: VMX: Split out the non-virtualization part of
vmx_interrupt_blocked()
- [x86] hwrng: amd - Convert PCIBIOS_* return codes to errnos
- [amd64] PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN
- [arm64] PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio
- binder: fix hang of unregistered readers
- dev/parport: fix the array out-of-bounds risk (CVE-2024-42301)
- scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds
- f2fs: fix to don't dirty inode for readonly filesystem (CVE-2024-42297)
- ubi: eba: properly rollback inside self_check_eba
- decompress_bunzip2: fix rare decompression failure
- kobject_uevent: Fix OOB access within zap_modalias_env() (CVE-2024-42292)
- devres: Fix devm_krealloc() wasting memory
- rtc: cmos: Fix return value of nvmem callbacks
- scsi: qla2xxx: During vport delete send async logout explicitly
(CVE-2024-42289)
- scsi: qla2xxx: Fix for possible memory corruption (CVE-2024-42288)
- scsi: qla2xxx: Fix flash read failure
- scsi: qla2xxx: Complete command early within lock (CVE-2024-42287)
- scsi: qla2xxx: validate nvme_local_port correctly (CVE-2024-42286)
- [x86] perf/x86/intel/pt: Fix topa_entry base length
- [x86] perf/x86/intel/pt: Fix a topa_entry base address calculation
- [x86] watchdog/perf: properly initialize the turbo mode timestamp and
rearm counter
- RDMA/iwcm: Fix a use-after-free related to destroying CM IDs
(CVE-2024-42285)
- rbd: don't assume rbd_is_lock_owner() for exclusive mappings
- [arm*] drm/panfrost: Mark simple_ondemand governor as softdep
- rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait
- rbd: don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings
- Bluetooth: btusb: Add RTL8852BE device 0489:e125 to device tables
- Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591
- nilfs2: handle inconsistent state in nilfs_btnode_create_block()
(CVE-2024-42295)
- io_uring/io-wq: limit retrying worker initialisation
- kernel: rerun task_work while freezing in get_signal()
- jfs: Fix array-index-out-of-bounds in diFree (CVE-2024-43858)
- f2fs: fix start segno of large section
- dma: fix call order in dmam_free_coherent (CVE-2024-43856)
- ipv4: Fix incorrect source address in Record Route option
- net: bonding: correctly annotate RCU in bond_should_notify_peers()
- [amd64] netfilter: nft_set_pipapo_avx2: disable softinterrupts
- tipc: Return non-zero value from tipc_udp_addr2str() on error
(CVE-2024-42284)
- net: stmmac: Correct byte order of perfect_match
- net: nexthop: Initialize all fields in dumped nexthops (CVE-2024-42283)
- bpf: Fix a segment issue when downgrading gso_size (CVE-2024-42281)
- [x86] mISDN: Fix a use after free in hfcmulti_tx() (CVE-2024-42280)
- apparmor: Fix null pointer deref when receiving skb during sock creation
(CVE-2023-52889)
- lirc: rc_dev_get_from_fd(): fix file leak
- ceph: fix incorrect kmalloc size of pagevec mempool
- nvme: split command copy into a helper
- nvme-pci: add missing condition check for existence of mapped data
(CVE-2024-42276)
- fs: don't allow non-init s_user_ns for filesystems without
FS_USERNS_MOUNT
- fuse: verify {g,u}id mount options correctly
- sysctl: always initialize i_uid/i_gid (CVE-2024-42312)
- ext4: factor out a common helper to query extent map
- ext4: check the extent status again before inserting delalloc block
- [arm64] soc: xilinx: move PM_INIT_FINALIZE to zynqmp_pm_domains driver
- [arm64] drivers: soc: xilinx: check return status of get_api_version()
- devres: Fix memory leakage caused by driver API devm_free_percpu()
(CVE-2024-43871)
- genirq: Allow the PM device to originate from irq domain
- [arm*] irqchip/imx-irqsteer: Constify irq_chip struct
- [arm*] irqchip/imx-irqsteer: Add runtime PM support
- [arm*] irqchip/imx-irqsteer: Handle runtime power management correctly
(CVE-2024-42290)
- remoteproc: imx_rproc: ignore mapping vdev regions (CVE-2024-43860)
- drm/nouveau: prime: fix refcount underflow (CVE-2024-43867)
- [x86] drm/vmwgfx: Fix overlay when using Screen Targets
- sched: act_ct: take care of padding in struct zones_ht_key
(CVE-2024-42272)
- net/mlx5e: Add a check for the return value from mlx5_port_set_eth_ptys
- ipv6: fix ndisc_is_useropt() handling for PIO
- [arm*] platform/chrome: cros_ec_proto: Lock device when updating MKBP
version
- HID: wacom: Modify pen IDs
- protect the fetch of ->fd[fd] in do_dup2() from mispredictions
(CVE-2024-42265)
- ALSA: usb-audio: Correct surround channels in UAC1 channel map
- [x86] ALSA: hda/realtek: Add quirk for Acer Aspire E5-574G
- net: usb: sr9700: fix uninitialized variable use in sr_mdio_read
- r8169: don't increment tx_dropped in case of NETDEV_TX_BUSY
- genirq: Allow irq_chip registration functions to take a const irq_chip
- [arm64] irqchip/mbigen: Fix mbigen node address layout
- [i386] mm: Fix pti_clone_pgtable() alignment assumption (CVE-2024-44965)
- [i386] mm: Fix pti_clone_entry_text() for i386
- sctp: move hlist_node and hashent out of sctp_ep_common
- sctp: Fix null-ptr-deref in reuseport_add_sock(). (CVE-2024-44935)
- net: usb: qmi_wwan: fix memory leak for not ip packets (CVE-2024-43861)
- net: linkwatch: use system_unbound_wq
- Bluetooth: l2cap: always unlock channel in l2cap_conless_channel()
- [armhf] net: dsa: bcm_sf2: Fix a possible memory leak in
bcm_sf2_mdio_register() (CVE-2024-44971)
- l2tp: fix lockdep splat
- [arm*] net: fec: Stop PPS on driver remove
- md: do not delete safemode_timer in mddev_suspend
- md/raid5: avoid BUG_ON() while continue reshape after reassembling
(CVE-2024-43914)
- ACPI: battery: create alarm sysfs attribute atomically
- [x86] ACPI: SBS: manage alarm sysfs attribute through psy core
- udf: prevent integer overflow in udf_bitmap_free_blocks()
- wifi: nl80211: don't give key data to userspace
- btrfs: fix bitmap leak when loading free space cache on duplicate entry
- drm/amdgpu: Fix the null pointer dereference to ras_manager
(CVE-2024-43908)
- drm/amdgpu/pm: Fix the null pointer dereference in
apply_state_adjust_rules (CVE-2024-43907)
- media: uvcvideo: Ignore empty TS packets
- media: uvcvideo: Fix the bandwdith quirk on USB 3.x
- jbd2: avoid memleak in jbd2_journal_write_metadata_buffer
- SUNRPC: Fix a race to wake a sync task
- sched/cputime: Fix mul_u64_u64_div_u64() precision for cputime
- ext4: fix wrong unit use in ext4_mb_find_by_goal
- [arm64] cpufeature: Force HWCAP to be based on the sysreg visible to
user-space
- [arm64] Add Neoverse-V2 part
- [arm64] cputype: Add Cortex-X4 definitions
- [arm64] cputype: Add Neoverse-V3 definitions
- [arm64] errata: Add workaround for Arm errata 3194386 and 3312417
- [arm64] cputype: Add Cortex-X3 definitions
- [arm64] cputype: Add Cortex-A720 definitions
- [arm64] cputype: Add Cortex-X925 definitions
- [arm64] errata: Unify speculative SSBS errata logic
- [arm64] errata: Expand speculative SSBS workaround
- [arm64] cputype: Add Cortex-X1C definitions
- [arm64] cputype: Add Cortex-A725 definitions
- [arm64] errata: Expand speculative SSBS workaround (again)
- i2c: smbus: Improve handling of stuck alerts
- i2c: smbus: Send alert notifications to all devices if source not found
- kprobes: Fix to check symbol prefixes correctly
- ALSA: usb-audio: Re-add ScratchAmp quirk entries
- drm/client: fix null pointer dereference in drm_client_modeset_probe
(CVE-2024-43894)
- ALSA: line6: Fix racy access to midibuf (CVE-2024-44954)
- [x86] ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list
- [x86] ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4
- usb: vhci-hcd: Do not drop references before new references are gained
(CVE-2024-43883)
- USB: serial: debug: do not echo input by default
- usb: gadget: core: Check for unset descriptor (CVE-2024-44960)
- usb: gadget: u_serial: Set start_delayed during suspend
- scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic
- tick/broadcast: Move per CPU pointer access into the atomic section
(CVE-2024-44968)
- ntp: Clamp maxerror and esterror to operating range
- driver core: Fix uevent_show() vs driver detach race (CVE-2024-44952)
- ntp: Safeguard against time_constant overflow
- scsi: mpt3sas: Remove scsi_dma_map() error messages
- scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES
- [arm*] irqchip/meson-gpio: support more than 8 channels gpio irq
- [arm*] irqchip/meson-gpio: Convert meson_gpio_irq_controller::lock to
'raw_spinlock_t'
- serial: core: check uartclk for zero to avoid divide by zero
(CVE-2024-43893)
- genirq/irqdesc: Honor caller provided affinity in alloc_desc()
- padata: Fix possible divide-by-0 panic in padata_mt_helper()
(CVE-2024-43889)
- tracing: Fix overflow in get_free_elt() (CVE-2024-43890)
- [x86] mtrr: Check if fixed MTRRs exist before saving them
(CVE-2024-44948)
- [arm*] drm/bridge: analogix_dp: properly handle zero sized AUX
transactions
- [x86] drm/mgag200: Set DDC timeout in milliseconds
- PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal
(CVE-2024-42302)
- netfilter: nf_tables: set element extended ACK reporting support
- netfilter: nf_tables: use timestamp to check for set element timeout
(CVE-2024-27397)
- netfilter: nf_tables: allow clone callbacks to sleep
- netfilter: nf_tables: prefer nft_chain_validate (CVE-2024-41042)
- [x86] drm/i915/gem: Fix Virtual Memory mapping boundaries calculation
(CVE-2024-42259)
- [arm64] cpufeature: Fix the visibility of compat hwcaps
- media: uvcvideo: Use entity get_cur in uvc_ctrl_set
- exec: Fix ToCToU between perm check and set-uid/gid usage
(CVE-2024-43882)
- [x86] nvme/pci: Add APST quirk for Lenovo N60z laptop
- wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values (CVE-2024-42114)
https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.225
- fuse: Initialize beyond-EOF page contents before setting uptodate
(CVE-2024-44947)
- ALSA: usb-audio: Support Yamaha P-125 quirk entry
- [x86] xhci: Fix Panther point NULL pointer deref at full-speed re-
enumeration (CVE-2024-45006)
- [x86] thunderbolt: Mark XDomain as unplugged when router is removed
(CVE-2024-46702)
- [arm64] ACPI: NUMA: initialize all values of acpi_early_node_map to
NUMA_NO_NODE
- dm resume: don't return EINVAL when signalled
- dm persistent data: fix memory allocation failure
- vfs: Don't evict inode under the inode lru traversing context
(CVE-2024-45003)
- bitmap: introduce generic optimized bitmap_size()
- fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE
(CVE-2024-45025)
- selinux: fix potential counting error in avc_add_xperms_decision()
- btrfs: tree-checker: add dev extent item checks
- drm/amdgpu: Actually check flags for all context ops.
- memcg_write_event_control(): fix a user-triggerable oops (CVE-2024-45021)
- drm/amdgpu/jpeg2: properly set atomics vmid field
- btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits()
- net/mlx5e: Correctly report errors for ethtool rx flows
- [x86] atm: idt77252: prevent use after free in dequeue_rx()
(CVE-2024-44998)
- netfilter: flowtable: initialise extack before use (CVE-2024-45018)
- [arm64] net: hns3: fix wrong use of semaphore up
- [arm64] net: hns3: fix a deadlock problem when config TC during resetting
(CVE-2024-44995)
- ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7
- ssb: Fix division by zero issue in ssb_calc_clock_rate
- wifi: mac80211: fix BA session teardown race
- [i386] media: radio-isa: use dev_name to fill in bus_info
- binfmt_misc: cleanup on filesystem umount
- [arm64] media: qcom: venus: fix incorrect return value
- scsi: spi: Fix sshdr use
- gfs2: setattr_chown: Add missing initialization
- wifi: iwlwifi: abort scan when rfkill on but device enabled
- [amd64] IB/hfi1: Fix potential deadlock on &irq_src_lock and
&dd->uctxt_lock
- nvmet-trace: avoid dereferencing pointer too early
- ext4: do not trim the group with corrupted block bitmap
- quota: Remove BUG_ON from dqget()
- media: pci: cx23885: check cx23885_vdev_init() return
- scsi: lpfc: Initialize status local variable in
lpfc_sli4_repost_sgl_list()
- [arm*] drm/lima: set gp bus_stop bit before hard reset
- virtiofs: forbid newlines in tags
- netlink: hold nlk->cb_mutex longer in __netlink_dump_start()
- md: clean up invalid BUG_ON in md_ioctl
- [x86] Increase brk randomness entropy for 64-bit systems
- btrfs: change BUG_ON to assertion when checking for delayed_node root
- btrfs: handle invalid root reference found in may_destroy_subvol()
- btrfs: send: handle unexpected data in header buffer in begin_cmd()
- btrfs: delete pointless BUG_ON check on quota root in
btrfs_qgroup_account_extent()
- f2fs: fix to do sanity check in update_sit_entry
- usb: gadget: fsl: Increase size of name buffer for endpoints
- Bluetooth: bnep: Fix out-of-bound access
- [arm64] net: hns3: add checking for vf id of mailbox
- nvmet-tcp: do not continue for invalid icreq
- NFS: avoid infinite loop in pnfs_update_layout.
- [arm*] usb: dwc3: core: Skip setting event buffers for host only
controllers
- usb: dwc3: st: fix probed platform device ref count on probe error path
(CVE-2024-46674)
- [arm*] irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc
- ext4: set the type of max_zeroout to unsigned int to avoid overflow
- nvmet-rdma: fix possible bad dereference when freeing rsps
- hrtimer: Prevent queuing of hrtimer without a function callback
- gtp: pull network headers in gtp_dev_xmit() (CVE-2024-44999)
- block: use "unsigned long" for blk_validate_block_size().
- media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c)
- dm suspend: return -ERESTARTSYS instead of -EINTR
- Bluetooth: hci_core: Fix LE quote calculation
- Bluetooth: SMP: Fix assumption of Central always being Initiator
- kcm: Serialise kcm_sendmsg() for the same socket. (CVE-2024-44946)
- netfilter: nft_counter: Synchronize nft_counter_reset() against reader.
- ip6_tunnel: Fix broken GRO
- bonding: fix bond_ipsec_offload_ok return type
- bonding: fix null pointer deref in bond_ipsec_offload_ok (CVE-2024-44990)
- bonding: fix xfrm real_dev null pointer dereference (CVE-2024-44989)
- bonding: fix xfrm state handling when clearing active slave
- ice: fix ICE_LAST_OFFSET formula
- [arm*] net: dsa: mv88e6xxx: read FID when handling ATU violations
- [arm*] net: dsa: mv88e6xxx: replace ATU violation prints with trace
points
- [arm*] net: dsa: mv88e6xxx: Fix out-of-bound access (CVE-2024-44988)
- netem: fix return value if duplicate enqueue fails (CVE-2024-45016)
- ipv6: prevent UAF in ip6_send_skb() (CVE-2024-44987)
- [arm64] drm/msm/dpu: don't play tricks with debug macros
- [arm64] drm/msm/dp: reset the link phy params before link training
- mmc: mmc_test: Fix NULL dereference on allocation failure
(CVE-2024-45028)
- Bluetooth: MGMT: Add error handling to pair_device() (CVE-2024-43884)
- binfmt_misc: pass binfmt_misc flags to the interpreter
- HID: wacom: Defer calculation of resolution until resolution_code is
known
- HID: microsoft: Add rumble support to latest xbox controllers
- cxgb4: add forgotten u64 ivlan cast before shift
- [arm64] KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3
(CVE-2024-46707)
- [arm*] mmc: dw_mmc: allow biu and ciu clocks to defer
- ALSA: timer: Relax start tick time check for slave timer elements
- nfsd: Don't call freezable_schedule_timeout() after each successful page
allocation in svc_alloc_arg().
- Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in HCIUARTGETPROTO
(CVE-2023-31083)
- Input: MT - limit max slots (CVE-2024-45008)
- drm/amdgpu: Using uninitialized value *size when calling
amdgpu_vce_cs_reloc (CVE-2024-42228)
- [arm64] KVM: arm64: Don't use cbz/adr with external symbols
- [arm64] pinctrl: rockchip: correct RK3328 iomux width flag for GPIO2-B
pins
- [arm*] pinctrl: single: fix potential NULL dereference in
pcs_get_function() (CVE-2024-46685)
- wifi: mwifiex: duplicate static structs used in driver instances
- ipc: replace costly bailout check in sysvipc_find_ipc() (CVE-2021-3669)
- [amd64] drm/amdkfd: don't allow mapping the MMIO HDP page with large
pages (CVE-2024-41011)
- media: uvcvideo: Fix integer overflow calculating timestamp
- ata: libata-core: Fix null pointer dereference on error (CVE-2024-41098)
- cgroup/cpuset: Prevent UAF in proc_cpuset_show() (CVE-2024-43853)
- net:rds: Fix possible deadlock in rds_message_put
- ovl: do not fail because of O_NOATIME
- soundwire: stream: fix programming slave ports for non-continous port
maps
- [x86] dmaengine: dw: Add peripheral bus width verification
- [x86] dmaengine: dw: Add memory bus width verification
- ethtool: check device is present when getting link settings
(CVE-2024-46679)
- gtp: fix a potential NULL pointer dereference (CVE-2024-46677)
- net: busy-poll: use ktime_get_ns() instead of local_clock()
- nfc: pn533: Add poll mod list filling check (CVE-2024-46676)
- [arm64] soc: qcom: cmd-db: Map shared memory as WC, not WB
(CVE-2024-46689)
- cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller
- USB: serial: option: add MeiG Smart SRM825L
- [armhf] usb: dwc3: omap: add missing depopulate in probe error path
- [arm*] usb: dwc3: core: Prevent USB core invalid event buffer address
access (CVE-2024-46675)
- usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in
remove_power_attributes()
- scsi: aacraid: Fix double-free on probe failure (CVE-2024-46673)
https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.226
- [x86] drm: panel-orientation-quirks: Add quirk for OrangePi Neo
- ALSA: hda/conexant: Mute speakers at suspend / shutdown
- net: usb: qmi_wwan: add MeiG Smart SRM825L
- drm/amdgpu: Fix uninitialized variable warning in amdgpu_afmt_acr
- drm/amdgpu: fix overflowed array index read warning
- drm/amd/pm: fix uninitialized variable warning for smu8_hwmgr
- drm/amd/pm: fix warning using uninitialized value of max_vid_step
- drm/amd/pm: fix the Out-of-bounds read warning (CVE-2024-46731)
- drm/amdgpu: fix uninitialized scalar variable warning
- drm/amd/pm: fix uninitialized variable warnings for vega10_hwmgr
(CVE-2024-43905)
- drm/amdgpu: avoid reading vf2pf info size from FB
- drm/amd/display: Check gpio_id before used as array index
(CVE-2024-46818)
- drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than
6 (CVE-2024-46817)
- drm/amd/display: Add array index check for hdcp ddc access
(CVE-2024-46804)
- drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[]
(CVE-2024-46815)
- drm/amd/display: Check msg_id before processing transcation
(CVE-2024-46814)
- drm/amd/display: Fix Coverity INTEGER_OVERFLOW within
dal_gpio_service_create
- drm/amdgpu/pm: Fix uninitialized variable agc_btc_response
- drm/amdgpu: Fix out-of-bounds write warning (CVE-2024-46725)
- drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number
(CVE-2024-46724)
- drm/amdgpu: fix ucode out-of-bounds read warning (CVE-2024-46723)
- drm/amdgpu: fix mc_data out-of-bounds read warning (CVE-2024-46722)
- [amd64] drm/amdkfd: Reconcile the definition and use of oem_id in struct
kfd_topology_device
- apparmor: fix possible NULL pointer dereference (CVE-2024-46721)
- drm/amdgpu/pm: Check input value for CUSTOM profile mode setting on
legacy SOCs
- drm/amdgpu: the warning dereferencing obj for nbio_v7_4 (CVE-2024-46819)
- drm/amd/pm: check negtive return for table entries
- wifi: iwlwifi: remove fw_running op
- [arm64] PCI: al: Check IORESOURCE_BUS existence during probe
- hwspinlock: Introduce hwspin_lock_bust()
- usbip: Don't submit special requests twice
- usb: typec: ucsi: Fix null pointer dereference in trace (CVE-2024-46719)
- fsnotify: clear PARENT_WATCHED flags lazily
- [arm64] drm/meson: plane: Add error handling
- wifi: cfg80211: make hash table duplicates more survivable
- block: remove the blk_flush_integrity call in blk_integrity_unregister
- drm/amd/display: Skip wbscl_set_scaler_filter if filter is null
(CVE-2024-46714)
- media: uvcvideo: Enforce alignment of frame and interval
- block: initialize integrity buffer to zero before writing it to media
(CVE-2024-43854)
- drm/amd/pm: Fix the null pointer dereference for vega10_hwmgr
- bpf, cgroups: Fix cgroup v2 fallback on v1/v2 mixed mode
- net: set SOCK_RCU_FREE before inserting socket into hashtable
- virtio_net: Fix napi_skb_cache_put warning (CVE-2024-43835)
- rcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow
(CVE-2024-38577)
- udf: Limit file size to 4TB
- ext4: handle redirtying in ext4_bio_write_page()
- bpf, cgroup: Assign cgroup in cgroup_sk_alloc when called from interrupt
- sch/netem: fix use after free in netem_dequeue (CVE-2024-46800)
- ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object (CVE-2024-46798)
- [x86] ALSA: hda/conexant: Add pincfg quirk to enable top speakers on
Sirius devices
- [x86] ALSA: hda/realtek: add patch for internal mic in Lenovo V145
- [x86] ALSA: hda/realtek: Support mute LED on HP Laptop 14-dq2xxx
- ata: libata: Fix memory leak for error path in ata_host_alloc()
- [arm*] irqchip/gic-v2m: Fix refcount leak in gicv2m_of_init()
- Revert "Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/
LE" (regresion in 5.10.206)
- Bluetooth: MGMT: Ignore keys being loaded with invalid type
- [arm*] mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K
- [armhf] mmc: sdhci-of-aspeed: fix module autoloading
- fuse: update stats for pages in dropped aux writeback list
- fuse: use unsigned type for getxattr/listxattr size truncation
- [arm64] clk: qcom: clk-alpha-pll: Fix the pll post div mask
- [arm64] clk: qcom: clk-alpha-pll: Fix the trion pll postdiv set rate API
- can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open
(CVE-2024-46791)
- tracing: Avoid possible softlockup in tracing_iter_reset()
- ila: call nf_unregister_net_hooks() sooner (CVE-2024-46782)
- sched: sch_cake: fix bulk flow accounting logic for host fairness
(CVE-2024-46828)
- nilfs2: fix missing cleanup on rollforward recovery error
(CVE-2024-46781)
- nilfs2: fix state management in error path of log writing function
- btrfs: fix use-after-free after failure to create a snapshot
(CVE-2022-48733)
- mptcp: pm: avoid possible UaF when selecting endp (CVE-2024-44974)
- nfsd: move reply cache initialization into nfsd startup
- nfsd: move init of percpu reply_cache_stats counters back to
nfsd_init_net
- NFSD: Refactor nfsd_reply_cache_free_locked()
- NFSD: Rename nfsd_reply_cache_alloc()
- NFSD: Replace nfsd_prune_bucket()
- NFSD: Refactor the duplicate reply cache shrinker
- NFSD: simplify error paths in nfsd_svc()
- NFSD: Fix frame size warning in svc_export_parse()
- sunrpc: don't change ->sv_stats if it doesn't exist
- nfsd: stop setting ->pg_stats for unused stats
- sunrpc: pass in the sv_stats struct through svc_create_pooled
- sunrpc: remove ->pg_stats from svc_program
- sunrpc: use the struct net as the svc proc private
- nfsd: rename NFSD_NET_* to NFSD_STATS_*
- nfsd: expose /proc/net/sunrpc/nfsd in net namespaces
- nfsd: make all of the nfsd stats per-network namespace
- nfsd: remove nfsd_stats, make th_cnt a global counter
- nfsd: make svc_stat per-network namespace instead of global
- ALSA: hda: Add input value sanity checks to HDMI channel map controls
- [armhf] irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1
- af_unix: Remove put_pid()/put_cred() in copy_peercred().
- netfilter: nf_conncount: fix wrong variable type
- udf: Avoid excessive partition lengths (CVE-2024-46777)
- media: vivid: fix wrong sizeimage value for mplane
- wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3
- usb: uas: set host status byte on data completion error
- media: vivid: don't set HDMI TX controls if there are no HDMI outputs
- [x86] pcmcia: Use resource_size function on resource object
- can: bcm: Remove proc entry when dev is unregistered. (CVE-2024-46771)
- igb: Fix not clearing TimeSync interrupts for 82580
- svcrdma: Catch another Reply chunk overflow case
- [x86] platform/x86: dell-smbios: Fix error path in dell_smbios_init()
- tcp_bpf: fix return value of tcp_bpf_sendmsg() (CVE-2024-46783)
- igc: Unlock on error in igc_io_resume()
- drivers/net/usb: Remove all strcpy() uses
- net: usb: don't write directly to netdev->dev_addr
- usbnet: modern method to get random MAC
- gro: remove rcu_read_lock/rcu_read_unlock from gro_receive handlers
- gro: remove rcu_read_lock/rcu_read_unlock from gro_complete handlers
- fou: Fix null-ptr-deref in GRO. (CVE-2024-46763)
- net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN
- ASoC: topology: Properly initialize soc_enum values
- dm init: Handle minors larger than 255
- [x86] iommu/vt-d: Handle volatile descriptor status read
- cgroup: Protect css->cgroup write under css_set_lock
- um: line: always fill *error_out in setup_one_line() (CVE-2024-46844)
- devres: Initialize an uninitialized struct member
- hwmon: (adc128d818) Fix underflows seen when writing limit attributes
(CVE-2024-46759)
- hwmon: (lm95234) Fix underflows seen when writing limit attributes
(CVE-2024-46758)
- hwmon: (nct6775-core) Fix underflows seen when writing limit attributes
(CVE-2024-46757)
- hwmon: (w83627ehf) Fix underflows seen when writing limit attributes
(CVE-2024-46756)
- libbpf: Add NULL checks to bpf_object__{prev_map,next_map}
- wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()
(CVE-2024-46755)
- btrfs: replace BUG_ON with ASSERT in walk_down_proc()
- btrfs: clean up our handling of refs == 0 in snapshot delete
(CVE-2024-46840)
- PCI: Add missing bridge lock to pci_bus_lock() (CVE-2024-46750)
- HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup
(CVE-2024-46747)
- Input: uinput - reject requests with unreasonable number of slots
(CVE-2024-46745)
- usbnet: ipheth: race between ipheth_close and error handling
- Squashfs: sanity check symbolic link size (CVE-2024-46744)
- of/irq: Prevent device address out-of-bounds read in interrupt map walk
(CVE-2024-46743)
- lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()
- NFSv4: Add missing rescheduling points in
nfs_client_return_marked_delegations
- iio: buffer-dmaengine: fix releasing dma channel on error
- iio: fix scale application in iio_convert_raw_to_processed_unlocked
- iio: adc: ad7124: fix chip ID mismatch
- binder: fix UAF caused by offsets overwrite (CVE-2024-46740)
- nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc
- [x86] uio_hv_generic: Fix kernel NULL pointer dereference in
hv_uio_rescind (CVE-2024-46739)
- [x86] Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic
- [x86] VMCI: Fix use-after-free when removing resource in
vmci_resource_remove() (CVE-2024-46738)
- clocksource/drivers/timer-of: Remove percpu irq related code
- uprobes: Use kzalloc to allocate xol area
- perf/aux: Fix AUX buffer serialization (CVE-2024-46713)
- nilfs2: replace snprintf in show functions with sysfs_emit
- nilfs2: protect references to superblock parameters exposed in sysfs
(CVE-2024-46780)
- ACPI: processor: Return an error if acpi_processor_get_info() fails in
processor_add()
- ACPI: processor: Fix memory leaks in error paths of processor_add()
- [arm64] acpi: Move get_cpu_for_acpi_id() to a header
- [arm64] acpi: Harden get_cpu_for_acpi_id() against missing CPU entry
(CVE-2024-46822)
- nvmet-tcp: fix kernel crash if commands allocation fails (CVE-2024-46737)
- mmc: cqhci: Fix checking of CQHCI_HALT state
- rtmutex: Drop rt_mutex::wait_lock before scheduling (CVE-2024-46829)
- [i386] x86/mm: Fix PTI for i386 some more
- net, sunrpc: Remap EPERM in case of connection failure in
xs_tcp_setup_socket (CVE-2024-42246)
- memcg: protect concurrent access to mem_cgroup_idr (CVE-2024-43892)
.
[ Ben Hutchings ]
* Drop "netfilter: ipset: Add list flush to cancel_gc", included in 5.10.224
* Bump ABI to 33
* debian/README.source: Tag signatures are automatically verified
* d/bin/genorig.py, d/README.source: Only support Git as upstream
* d/bin/genorig.py, d/README.source: Add support for remote upstream repos
* lintian: Refresh lintian-overrides
* d/bin/gencontrol.py, d/lib/python: Use classes for build restriction
formulae
* d/bin/gencontrol.py, d/rules.real: Replace DEBUG variable with if_package
* Introduce pkg.linux.quick build profile for quicker CI builds
* d/salsa-ci.yml: Add CI config using some of the common pipeline
* d/salsa-ci.yml, d/tests/python: Only run static checks in CI
* d/salsa-ci.yml: Run kconfigeditor2 as kconfig static check
* d/salsa-ci.yml: Use per-release cache of orig tarballs
* d/bin/gencontrol_signed.py: Add support for pkg.linux.quick profile
* lintian: Add lintian-overrides to linux-signed-* for non-issues
* d/salsa-ci.yml: Don't disable signed code
* d/certs: Add certificate and key to enable test signing in CI
* d/salsa-ci.yml: Add jobs to build and test the signed packages
* d/tests: Remove obsolete dependencies of python test
* d/tests: Add kbuild test that builds a trivial OOT module
* lintian: Update overrides for lintian 2.115
* d/tests: kbuild test case depends on python3
* d/tests: Run kbuild test with default flavour if quick flavour not defined
* d/lib/python/debian_linux/debian.py: Add Architecture field to TestsControl
* d/tests: Restrict kbuild tests to architectures with default or quick
flavour
* d/tests/kbuild: Fix default-flavour lookup for arches with no featuresets
* d/tests/kbuild: Make flavour lookup verbose
* d/lib/python/debian_linux, d/templates: Use variable for binary package
name
* lintian: Update overrides in linux-image-*-dbg for lintian 2.115
* [arm64] lintian: Override errors for vdso32.so in linux-image-*-dbg
* d/salsa-ci.yml: Use !reference to include scripts from common pipeline
* d/salsa-ci.yml: Remove obsolete lintian error suppressions
* d/salsa-ci.yml: Run extract-source job in target release, not unstable
* d/salsa-ci.yml: Set RELEASE to bullseye
* d/config: Delete config settings for removed and automatic symbols
* hyperv-daemons: Add lintian-override for depends-on-obsolete-package
* [rt] Update to 5.10.225-rt117
* [rt] Refresh patches:
- Refresh "locking/rtmutex: Remove output from deadlock detector."
- Refresh "locking/rtmutex: Provide rt_mutex_slowlock_locked()"
- Refresh "locking/rtmutex: add ww_mutex addon for mutex-rt"
* cgroup: Fix locking regression in 5.10.225:
- cgroup: Make operations on the cgroup root_list RCU safe
- cgroup: Move rcu_head up near the top of cgroup_roo
* [x86] Fix CPU matching regression in 5.10.221:
- Input: goodix - use the new soc_intel_is_byt() helper
- powercap: RAPL: fix invalid initialization for pl4_supported field
- x86/mm: Switch to new Intel CPU model defines
* bpf: Fix memory accounting regression in 5.10.214:
- Revert "bpf: Fix DEVMAP_HASH overflow check on 32-bit arches"
- Revert "bpf: Eliminate rlimit-based memory accounting for devmap maps"
- bpf: Fix DEVMAP_HASH overflow check on 32-bit arches
.
[ Mateusz Łukasik ]
* d/salsa-ci.yml: Add linux-compiler-* packages to build-signed job artifacts
.
[ Martyn Welch ]
* Increase timeout of CI build stage to 3 hours to enable build to complete
Checksums-Sha1:
dd9f923be52e2fa2d5537acfab8535b0ffc01de6 8609 linux-signed-amd64_5.10.226+1.dsc
38882916da01cde3a8ae0a4444ade9f57c851057 2950544 linux-signed-amd64_5.10.226+1.tar.xz
Checksums-Sha256:
9ceb4a8875eed7aecf655903d0a7bdb5c771a08b579977f8a6356ce9c2044e37 8609 linux-signed-amd64_5.10.226+1.dsc
a10dd1a9bceb68bc171f5cbb87ebb667d5c6ca6bf479a8cc4e11d372d3be4dfb 2950544 linux-signed-amd64_5.10.226+1.tar.xz
Files:
e5b9c4a62c0fee2b7308899cfae07617 8609 kernel optional linux-signed-amd64_5.10.226+1.dsc
951a68e28df25f20b30c1268db3bd829 2950544 kernel optional linux-signed-amd64_5.10.226+1.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEfKFfvHEI+gkU+E+di0FRiLdONzYFAmcCeJQACgkQi0FRiLdO
NzZ+Lw/8CJom+EGt6V0AXGsFjSUyCmGPH/HHLjiPHprYn0tmP43sXcRp6cZnfh+G
/tEuR719QWE7xN3lhD/sUVXMe2KnDjwIBEGhE1pgOkJ0gLo3Te12Upb2x1mqXDze
ivO2soaKHXRzf3qWPF3tYnTiQFjtv/02KCObQh3qd79p+5NLc7cxPn3KmqNMl9y/
i5FVmGaOKXd+5RIb849oNghVjKW6xqHD6ReLuHtOSH0Qw+SdgQmINzw6+tybftkJ
enCvtv61u0yKV+1bqUCPPr64U/0Tq31ikaxUCgVkcoZ91eY7ni2wb5eGEj06xgbB
k4YIk4sL4fOojSk/4zp2jTfdzXQj5QNigR2F1VsJgHcWgTbpWjGhGIYQynEZ/433
bBK8vHd8Hvee8DakS4VCIc5h5Bh/I/K7+3V/84TPpV8kFXONmTepdbHRt5ujjPqd
2ZGLzUAD5hlUy1qqK1rZHj6LRw98ZaqAoeiqumVtDiAMusFXt10SBSinyU27L0J2
VzRmgWZoawYBpndLNLoeEXdxKyhICGQBUFrgDxtrJ4X98vMuJ8FkjYr5LtE1vmoV
ofpahkuSf5ompltB++0oBMQ4Y2u42ocIlPFQSvAWAOUodltz43lat+gJMvF4bFJL
NwgQmUNMNWDOMsAo2ofCND4AtfBu+OLaMZf4LJZjfL2/6/Fs6Sk=
=L/kn
-----END PGP SIGNATURE-----
