Package "linux"

 linux (5.4.0-207.227) focal; urgency=medium
 .
   * focal/linux: 5.4.0-207.227 -proposed tracker (LP: #2095347)
 .
   * Remove "ftrace: Fix possible use-after-free issue in ftrace_location()" bad
     commit from focal (LP: #2095348)
     - Revert "ftrace: Fix possible use-after-free issue in ftrace_location()"
 .

 linux (5.4.0-206.226) focal; urgency=medium
 .
   * focal/linux: 5.4.0-206.226 -proposed tracker (LP: #2093785)
 .
   * nouveau keeps showing `disp: ctrl 00000080` and crippling the system
     (LP: #2078011)
     - drm/nouveau/disp/gv100-: halt NV_PDISP_FE_RM_INTR_STAT_CTRL_DISP_ERROR
       storms
     - drm/nouveau/kms/gv100-: move window ownership setup into modesetting path
     - drm/nouveau/kms/gv100-: avoid sending a core update until the first modeset
 .
   * CVE-2024-43863
     - drm/vmwgfx: Fix a deadlock in dma buf fence polling
 .
   * CVE-2024-40911
     - wifi: cfg80211: Lock wiphy in cfg80211_get_station
 .
   * CVE-2024-35896
     - netfilter: validate user input for expected length
     - netfilter: complete validation of user input
 .
   * CVE-2023-52458
     - block: add check that partition length needs to be aligned with block size
 .
   * kernel:nft "Could not process rule: Device or resource busy" on unreferenced
     chain (LP: #2089699)
     - SAUCE: netfilter: nf_tables: Fix EBUSY on deleting unreferenced chain
 .
   * CVE-2024-35887
     - lockdep: Add preemption enabled/disabled assertion APIs
     - timers: Don't block on ->expiry_lock for TIMER_IRQSAFE timers
     - Documentation: Remove bogus claim about del_timer_sync()
     - ARM: spear: Do not use timer namespace for timer_shutdown() function
     - clocksource/drivers/arm_arch_timer: Do not use timer namespace for
       timer_shutdown() function
     - clocksource/drivers/sp804: Do not use timer namespace for timer_shutdown()
       function
     - timers: Get rid of del_singleshot_timer_sync()
     - timers: Replace BUG_ON()s
     - timers: Rename del_timer() to timer_delete()
     - Documentation: Replace del_timer/del_timer_sync()
     - timers: Silently ignore timers with a NULL function
     - timers: Split [try_to_]del_timer[_sync]() to prepare for shutdown mode
     - timers: Add shutdown mechanism to the internal functions
     - timers: Provide timer_shutdown[_sync]()
     - timers: Update the documentation to reflect on the new timer_shutdown() API
     - ax25: fix use-after-free bugs caused by ax25_ds_del_timer
 .
   * CVE-2024-40965
     - clk: Add a devm variant of clk_rate_exclusive_get()
     - clk: Provide !COMMON_CLK dummy for devm_clk_rate_exclusive_get()
     - i2c: lpi2c: Avoid calling clk_get_rate during transfer
 .
   * CVE-2024-40982
     - ssb: Fix potential NULL pointer dereference in ssb_device_uevent()
 .
   * CVE-2024-41066
     - ibmvnic: Add tx check to prevent skb leak
 .
   * CVE-2024-42252
     - closures: Change BUG_ON() to WARN_ON()
 .
   * CVE-2024-46731
     - drm/amd/pm: fix the Out-of-bounds read warning
 .
   * Focal update: v5.4.286 upstream stable release (LP: #2089558)
     - arm64: dts: rockchip: Fix rt5651 compatible value on rk3399-sapphire-
       excavator
     - arm64: dts: rockchip: Remove hdmi's 2nd interrupt on rk3328
     - arm64: dts: rockchip: Fix bluetooth properties on Rock960 boards
     - arm64: dts: rockchip: Remove #cooling-cells from fan on Theobroma lion
     - ARM: dts: rockchip: fix rk3036 acodec node
     - ARM: dts: rockchip: drop grf reference from rk3036 hdmi
     - ARM: dts: rockchip: Fix the spi controller on rk3036
     - ARM: dts: rockchip: Fix the realtek audio codec on rk3036-kylin
     - enetc: simplify the return expression of enetc_vf_set_mac_addr()
     - net: enetc: set MAC address to the VF net_device
     - can: c_can: fix {rx,tx}_errors statistics
     - media: stb0899_algo: initialize cfr before using it
     - media: dvb_frontend: don't play tricks with underflow values
     - media: adv7604: prevent underflow condition when reporting colorspace
     - ALSA: firewire-lib: fix return value on fail in amdtp_tscm_init()
     - pwm: imx-tpm: Use correct MODULO value for EPWM mode
     - drm/amdgpu: prevent NULL pointer dereference if ATIF is not supported
     - dm cache: correct the number of origin blocks to match the target length
     - dm cache: optimize dirty bit checking with find_next_bit when resizing
     - dm-unstriped: cast an operand to sector_t to prevent potential uint32_t
       overflow
     - mtd: rawnand: protect access to rawnand devices while in suspend
     - spi: fix use-after-free of the add_lock mutex
     - media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in
       uvc_parse_format
     - fs/proc: fix compile warning about variable 'vmcore_mmap_ops'
     - USB: serial: qcserial: add support for Sierra Wireless EM86xx
     - USB: serial: option: add Fibocom FG132 0x0112 composition
     - USB: serial: option: add Quectel RG650V
     - irqchip/gic-v3: Force propagation of the active state with a read-back
     - ALSA: usb-audio: Support jack detection on Dell dock
     - ALSA: usb-audio: Add quirks for Dell WD19 dock
     - NFSD: Fix NFSv4's PUTPUBFH operation
     - ALSA: usb-audio: Add endianness annotations
     - 9p: Avoid creating multiple slab caches with the same name
     - HID: multitouch: Add quirk for HONOR MagicBook Art 14 touchpad
     - bpf: use kvzmalloc to allocate BPF verifier environment
     - sound: Make CONFIG_SND depend on INDIRECT_IOMEM instead of UML
     - powerpc/powernv: Free name on error in opal_event_init()
     - fs: Fix uninitialized value issue in from_kuid and from_kgid
     - net: usb: qmi_wwan: add Fibocom FG132 0x0112 composition
     - md/raid10: improve code of mrdev in raid10_sync_request
     - mm: clarify a confusing comment for remap_pfn_range()
     - mm: fix ambiguous comments for better code readability
     - mm/memory.c: make remap_pfn_range() reject unaligned addr
     - mm: add remap_pfn_range_notrack
     - 9p: fix slab cache name creation for real
     - Linux 5.4.286
 .
   * Focal update: v5.4.286 upstream stable release (LP: #2089558) //
     CVE-2024-47674
     - mm: avoid leaving partial pfn mappings around in error case
 .
   * Focal update: v5.4.286 upstream stable release (LP: #2089558) //
     CVE-2024-38588
     - ftrace:

 linux (5.4.0-202.222) focal; urgency=medium
 .
   * focal/linux: 5.4.0-202.222 -proposed tracker (LP: #2086451)
     - [Packaging] resync git-ubuntu-log
 .
   * CVE-2021-47501
     - i40e: Fix NULL pointer dereference in i40e_dbg_dump_desc
 .
   * CVE-2024-46724
     - drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number
 .
   * CVE-2024-42240
     - x86/bhi: Avoid warning in #DB handler due to BHI mitigation
 .
   * CVE-2024-42077
     - ocfs2: fix DIO failure due to insufficient transaction credits
 .
   * CVE-2024-42068
     - bpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro()
 .
   * CVE-2024-36968
     - Bluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init()
 .
   * CVE-2024-35904
     - selinux: avoid dereference of garbage after mount failure
 .
   * CVE-2023-52498
     - PM: sleep: Avoid calling put_device() under dpm_list_mtx
     - PM: sleep: Fix error handling in dpm_prepare()
     - async: Split async_schedule_node_domain()
     - async: Introduce async_schedule_dev_nocall()
     - PM: sleep: Fix possible deadlocks in core system-wide PM code
 .
   * CVE-2023-52488
     - serial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO
 .
   * CVE-2022-48938
     - CDC-NCM: avoid overflow in sanity checking
 .
   * CVE-2024-42156
     - s390/pkey: Wipe copies of clear-key structures on failure
 .
   * CVE-2024-44942
     - f2fs: fix to do sanity check on F2FS_INLINE_DATA flag in inode during GC
 .
   * CVE-2024-38538
     - net: bridge: xmit: make sure we have at least eth header len bytes
 .
   * CVE-2021-47076
     - RDMA/rxe: Return CQE error if invalid lkey was supplied
 .
   * CVE-2024-36938
     - bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue
 .
   * CVE-2024-44940
     - fou: remove warn in gue_gro_receive on unsupported protocol
 .
   * CVE-2024-35951
     - drm/panfrost: Fix the error path in panfrost_mmu_map_fault_addr()
 .
   * CVE-2023-52497
     - erofs: fix lz4 inplace decompression
 .
   * CVE-2024-36953
     - KVM: arm64: vgic-v2: Check for non-NULL vCPU in vgic_v2_parse_attr()
 .
   * CVE-2022-48943
     - KVM: x86/mmu: make apf token non-zero to fix bug
 .
   * CVE-2024-26947
     - ARM: 9359/1: flush: check if the folio is reserved for no-mapping addresses
 .
   * CVE-2022-48733
     - btrfs: fix use-after-free after failure to create a snapshot
 .
   * CVE-2023-52639
     - KVM: s390: vsie: fix race during shadow creation

 linux (5.4.0-200.220) focal; urgency=medium
 .
   * focal/linux: 5.4.0-200.220 -proposed tracker (LP: #2082937)
 .
   * Packaging resync (LP: #1786013)
     - [Packaging] debian.master/dkms-versions -- update from kernel-versions
       (main/2024.09.30)
 .
   * CVE-2024-26800
     - tls: rx: coalesce exit paths in tls_decrypt_sg()
     - tls: separate no-async decryption request handling from async
     - tls: fix use-after-free on failed backlog decryption
 .
   * CVE-2024-26641
     - ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()
 .
   * CVE-2021-47212
     - net/mlx5: Update error handler for UCTX and UMEM
 .
   * wbt:wbt_* trace event NULL pointer dereference with GENHD_FL_HIDDEN disks
     (LP: #2081085)
     - bdi: use bdi_dev_name() to get device name
 .
   * Focal update: v5.4.284 upstream stable release (LP: #2081278)
     - drm: panel-orientation-quirks: Add quirk for OrangePi Neo
     - i2c: Fix conditional for substituting empty ACPI functions
     - net: usb: qmi_wwan: add MeiG Smart SRM825L
     - drm/amdgpu: Fix uninitialized variable warning in amdgpu_afmt_acr
     - drm/amdgpu: fix overflowed array index read warning
     - drm/amd/display: Check gpio_id before used as array index
     - drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6
     - drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[]
     - drm/amd/display: Fix Coverity INTEGER_OVERFLOW within
       dal_gpio_service_create
     - drm/amdgpu: fix ucode out-of-bounds read warning
     - drm/amdgpu: fix mc_data out-of-bounds read warning
     - drm/amdkfd: Reconcile the definition and use of oem_id in struct
       kfd_topology_device
     - apparmor: fix possible NULL pointer dereference
     - ionic: fix potential irq name truncation
     - usbip: Don't submit special requests twice
     - usb: typec: ucsi: Fix null pointer dereference in trace
     - smack: tcp: ipv4, fix incorrect labeling
     - wifi: cfg80211: make hash table duplicates more survivable
     - drm/amd/display: Skip wbscl_set_scaler_filter if filter is null
     - media: uvcvideo: Enforce alignment of frame and interval
     - block: initialize integrity buffer to zero before writing it to media
     - net: set SOCK_RCU_FREE before inserting socket into hashtable
     - virtio_net: Fix napi_skb_cache_put warning
     - udf: Limit file size to 4TB
     - i2c: Use IS_REACHABLE() for substituting empty ACPI functions
     - sch/netem: fix use after free in netem_dequeue
     - ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object
     - ALSA: hda/conexant: Add pincfg quirk to enable top speakers on Sirius
       devices
     - ata: libata: Fix memory leak for error path in ata_host_alloc()
     - irqchip/gic-v2m: Fix refcount leak in gicv2m_of_init()
     - mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K
     - mmc: sdhci-of-aspeed: fix module autoloading
     - fuse: update stats for pages in dropped aux writeback list
     - fuse: use unsigned type for getxattr/listxattr size truncation
     - reset: hi6220: Add support for AO reset controller
     - clk: hi6220: use CLK_OF_DECLARE_DRIVER
     - clk: qcom: clk-alpha-pll: Fix the pll post div mask
     - clk: qcom: clk-alpha-pll: Fix the trion pll postdiv set rate API
     - ila: call nf_unregister_net_hooks() sooner
     - sched: sch_cake: fix bulk flow accounting logic for host fairness
     - nilfs2: fix missing cleanup on rollforward recovery error
     - nilfs2: fix state management in error path of log writing function
     - ALSA: hda: Add input value sanity checks to HDMI channel map controls
     - smack: unix sockets: fix accept()ed socket label
     - irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1
     - af_unix: Remove put_pid()/put_cred() in copy_peercred().
     - netfilter: nf_conncount: fix wrong variable type
     - udf: Avoid excessive partition lengths
     - wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3
     - usb: uas: set host status byte on data completion error
     - PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)
     - media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse
     - pcmcia: Use resource_size function on resource object
     - can: bcm: Remove proc entry when dev is unregistered.
     - igb: Fix not clearing TimeSync interrupts for 82580
     - platform/x86: dell-smbios: Fix error path in dell_smbios_init()
     - tcp_bpf: fix return value of tcp_bpf_sendmsg()
     - cx82310_eth: re-enable ethernet mode after router reboot
     - drivers/net/usb: Remove all strcpy() uses
     - net: usb: don't write directly to netdev->dev_addr
     - usbnet: modern method to get random MAC
     - net: bridge: fdb: convert is_local to bitops
     - net: bridge: fdb: convert is_static to bitops
     - net: bridge: fdb: convert is_sticky to bitops
     - net: bridge: fdb: convert added_by_user to bitops
     - net: bridge: fdb: convert added_by_external_learn to use bitops
     - net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN
     - net: dsa: vsc73xx: fix possible subblocks range of CAPT block
     - ASoC: topology: Properly initialize soc_enum values
     - dm init: Handle minors larger than 255
     - iommu/vt-d: Handle volatile descriptor status read
     - cgroup: Protect css->cgroup write under css_set_lock
     - um: line: always fill *error_out in setup_one_line()
     - devres: Initialize an uninitialized struct member
     - pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv
     - hwmon: (adc128d818) Fix underflows seen when writing limit attributes
     - hwmon: (lm95234) Fix underflows seen when writing limit attributes
     - hwmon: (nct6775-core) Fix underflows seen when writing limit attributes
     - hwmon: (w83627ehf) Fix underflows seen when writing limit attributes
     - libbpf: Add NULL checks to bpf_object__{prev_map,next_map}
     - wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()
     - smp: Add

 linux (5.4.0-197.217) focal; urgency=medium
 .
   * focal/linux: 5.4.0-197.217 -proposed tracker (LP: #2080615)
 .
   * Packaging resync (LP: #1786013)
     - [Packaging] debian.master/dkms-versions -- update from kernel-versions
       (main/2024.09.02)
 .
   * Focal update: v5.4.283 upstream stable release (LP: #2080595)
     - fuse: Initialize beyond-EOF page contents before setting uptodate
     - ALSA: usb-audio: Support Yamaha P-125 quirk entry
     - xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration
     - s390/dasd: fix error recovery leading to data corruption on ESE devices
     - arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to
       NUMA_NO_NODE
     - dm resume: don't return EINVAL when signalled
     - dm persistent data: fix memory allocation failure
     - vfs: Don't evict inode under the inode lru traversing context
     - bitmap: introduce generic optimized bitmap_size()
     - fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE
     - selinux: fix potential counting error in avc_add_xperms_decision()
     - drm/amdgpu: Actually check flags for all context ops.
     - memcg_write_event_control(): fix a user-triggerable oops
     - overflow.h: Add flex_array_size() helper
     - overflow: Implement size_t saturating arithmetic helpers
     - s390/cio: rename bitmap_size() -> idset_bitmap_size()
     - btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits()
     - s390/uv: Panic for set and remove shared access UVC errors
     - net/mlx5e: Correctly report errors for ethtool rx flows
     - atm: idt77252: prevent use after free in dequeue_rx()
     - net: axienet: Fix DMA descriptor cleanup path
     - net: axienet: Improve DMA error handling
     - net: axienet: Factor out TX descriptor chain cleanup
     - net: axienet: Check for DMA mapping errors
     - net: axienet: Drop MDIO interrupt registers from ethtools dump
     - net: axienet: Wrap DMA pointer writes to prepare for 64 bit
     - net: axienet: Upgrade descriptors to hold 64-bit addresses
     - net: axienet: Autodetect 64-bit DMA capability
     - net: axienet: Fix register defines comment description
     - net: dsa: vsc73xx: pass value in phy_write operation
     - net: hns3: fix a deadlock problem when config TC during resetting
     - ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7
     - ssb: Fix division by zero issue in ssb_calc_clock_rate
     - wifi: cw1200: Avoid processing an invalid TIM IE
     - i2c: riic: avoid potential division by zero
     - media: radio-isa: use dev_name to fill in bus_info
     - staging: ks7010: disable bh on tx_dev_lock
     - binfmt_misc: cleanup on filesystem umount
     - scsi: spi: Fix sshdr use
     - gfs2: setattr_chown: Add missing initialization
     - wifi: iwlwifi: abort scan when rfkill on but device enabled
     - IB/hfi1: Fix potential deadlock on &irq_src_lock and &dd->uctxt_lock
     - powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu
     - nvmet-trace: avoid dereferencing pointer too early
     - ext4: do not trim the group with corrupted block bitmap
     - quota: Remove BUG_ON from dqget()
     - media: pci: cx23885: check cx23885_vdev_init() return
     - fs: binfmt_elf_efpic: don't use missing interpreter's properties
     - scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list()
     - net/sun3_82586: Avoid reading past buffer in debug output
     - drm/lima: set gp bus_stop bit before hard reset
     - virtiofs: forbid newlines in tags
     - md: clean up invalid BUG_ON in md_ioctl
     - x86: Increase brk randomness entropy for 64-bit systems
     - powerpc/boot: Handle allocation failure in simple_realloc()
     - powerpc/boot: Only free if realloc() succeeds
     - btrfs: change BUG_ON to assertion when checking for delayed_node root
     - btrfs: handle invalid root reference found in may_destroy_subvol()
     - btrfs: send: handle unexpected data in header buffer in begin_cmd()
     - btrfs: delete pointless BUG_ON check on quota root in
       btrfs_qgroup_account_extent()
     - f2fs: fix to do sanity check in update_sit_entry
     - usb: gadget: fsl: Increase size of name buffer for endpoints
     - nvme: clear caller pointer on identify failure
     - Bluetooth: bnep: Fix out-of-bound access
     - nvmet-tcp: do not continue for invalid icreq
     - NFS: avoid infinite loop in pnfs_update_layout.
     - openrisc: Call setup_memory() earlier in the init sequence
     - s390/iucv: fix receive buffer virtual vs physical address confusion
     - usb: dwc3: core: Skip setting event buffers for host only controllers
     - irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc
     - ext4: set the type of max_zeroout to unsigned int to avoid overflow
     - nvmet-rdma: fix possible bad dereference when freeing rsps
     - hrtimer: Prevent queuing of hrtimer without a function callback
     - gtp: pull network headers in gtp_dev_xmit()
     - block: use "unsigned long" for blk_validate_block_size().
     - media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c)
     - dm mpath: pass IO start time to path selector
     - dm: do not use waitqueue for request-based DM
     - dm suspend: return -ERESTARTSYS instead of -EINTR
     - Bluetooth: Make use of __check_timeout on hci_sched_le
     - Bluetooth: hci_core: Fix not handling link timeouts propertly
     - Bluetooth: hci_core: Fix LE quote calculation
     - tc-testing: don't access non-existent variable on exception
     - kcm: Serialise kcm_sendmsg() for the same socket.
     - netfilter: nft_counter: Synchronize nft_counter_reset() against reader.
     - net: dsa: mv88e6xxx: global2: Expose ATU stats register
     - net: dsa: mv88e6xxx: global1_atu: Add helper for get next
     - net: dsa: mv88e6xxx: read FID when handling ATU violations
     - net: dsa: mv88e6xxx: replace ATU violation prints with trace points
     - net: dsa: mv88e6xxx: Fix out-o