Package "linux"

 linux (5.4.0-214.234) focal; urgency=medium
 .
   * focal/linux: 5.4.0-214.234 -proposed tracker (LP: #2102635)
 .
   * CVE-2024-50256
     - netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6()
 .
   * CVE-2025-21702
     - pfifo_tail_enqueue: Drop new packet when sch->limit == 0
 .
   * CVE-2025-21703
     - netem: Update sch->q.qlen before qdisc_tree_reduce_backlog()
 .
   * CVE-2024-26915
     - drm/amdgpu: Reset IH OVERFLOW_CLEAR bit
 .
   * CVE-2025-21700
     - net: sched: Disallow replacing of child qdisc from one parent to another
 .
   * CVE-2024-46826
     - ELF: fix kernel.randomize_va_space double read
 .
   * CVE-2024-56651
     - can: hi311x: hi3110_can_ist(): fix potential use-after-free
 .
   * CVE-2024-53237
     - driver core: Introduce device_find_any_child() helper
     - Bluetooth: fix use-after-free in device_for_each_child()
 .
   * CVE-2024-35958
     - net: ena: Fix incorrect descriptor free behavior
 .
   * CVE-2024-49974
     - NFSD: Limit the number of concurrent async COPY operations
 .
   * CVE-2021-47119
     - ext4: fix memory leak in ext4_fill_super
 .
   * CVE-2024-56658
     - net: defer final 'struct net' free in netns dismantle
 .
   * CVE-2024-35864
     - smb: client: fix potential UAF in smb2_is_valid_lease_break()
 .
   * CVE-2024-35864/CVE-2024-26928
     - smb: client: fix potential UAF in cifs_debug_files_proc_show()

 linux (5.4.0-211.231) focal; urgency=medium
 .
   * focal/linux: 5.4.0-211.231 -proposed tracker (LP: #2101996)
 .
   * cve-2018-5803 kernel panic (LP: #2101091)
     - SAUCE: sctp: sysctl: pass right argument to container_of
 .

 linux (5.4.0-210.230) focal; urgency=medium
 .
   * focal/linux: 5.4.0-210.230 -proposed tracker (LP: #2098353)
 .
   * Focal update: v5.4.290 upstream stable release (LP: #2098439)
     - jbd2: flush filesystem device before updating tail sequence
     - dm array: fix releasing a faulty array block twice in dm_array_cursor_end
     - dm array: fix unreleased btree blocks on closing a faulty array cursor
     - dm array: fix cursor index when skipping across block boundaries
     - ieee802154: ca8210: Add missing check for kfifo_alloc() in ca8210_probe()
     - net: 802: LLC+SNAP OID:PID lookup on start of skb data
     - tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog
     - tcp/dccp: allow a connection when sk_max_ack_backlog is zero
     - net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute
     - tls: Fix tls_sw_sendmsg error handling
     - dm thin: make get_first_thin use rcu-safe list first function
     - sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy
     - sctp: sysctl: auth_enable: avoid using current->nsproxy
     - drm/amd/display: Add check for granularity in dml ceil/floor helpers
     - ACPI: resource: Add TongFang GM5HG0A to irq1_edge_low_force_override[]
     - ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[]
     - drm/amd/display: increase MAX_SURFACES to the value supported by hw
     - USB: serial: option: add MeiG Smart SRM815
     - USB: serial: option: add Neoway N723-EA support
     - staging: iio: ad9834: Correct phase range check
     - staging: iio: ad9832: Correct phase range check
     - usb-storage: Add max sectors quirk for Nokia 208
     - USB: serial: cp210x: add Phoenix Contact UPS Device
     - usb: gadget: u_serial: Disable ep before setting port to null to fix the
       crash caused by port being null
     - USB: usblp: return error when setting unsupported protocol
     - USB: core: Disable LPM only for non-suspended ports
     - usb: fix reference leak in usb_new_device()
     - usb: gadget: f_fs: Remove WARN_ON in functionfs_bind
     - iio: pressure: zpa2326: fix information leak in triggered buffer
     - iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered
       buffer
     - iio: light: vcnl4035: fix information leak in triggered buffer
     - iio: imu: kmx61: fix information leak in triggered buffer
     - iio: adc: ti-ads8688: fix information leak in triggered buffer
     - iio: gyro: fxas21002c: Fix missing data update in trigger handler
     - iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep()
     - iio: adc: at91: call input_free_device() on allocated iio_dev
     - iio: inkern: call iio_device_put() only on mapped devices
     - arm64: dts: rockchip: fix defines in pd_vio node for rk3399
     - arm64: dts: rockchip: fix pd_tcpc0 and pd_tcpc1 node position on rk3399
     - arm64: dts: rockchip: add #power-domain-cells to power domain nodes
     - arm64: dts: rockchip: add hevc power domain clock to rk3328
     - phy: core: fix code style in devm_of_phy_provider_unregister
     - phy: core: Fix that API devm_of_phy_provider_unregister() fails to
       unregister the phy provider
     - ocfs2: correct return value of ocfs2_local_free_info()
     - ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv
     - sctp: sysctl: rto_min/max: avoid using current->nsproxy
     - net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field()
     - net: net_namespace: Optimize the code
     - net: add exit_batch_rtnl() method
     - gtp: use exit_batch_rtnl() method
     - gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp().
     - gtp: Destroy device along with udp socket's netns dismantle.
     - nfp: bpf: prevent integer overflow in nfp_bpf_event_output()
     - drm/v3d: Ensure job pointer is set to NULL after job completion
     - i2c: mux: demux-pinctrl: check initial mux selection, too
     - mac802154: check local interfaces before deleting sdata list
     - hfs: Sanity check the root record
     - kheaders: Ignore silly-rename files
     - poll_wait: add mb() to fix theoretical race between waitqueue_active() and
       .poll()
     - nvmet: propagate npwg topology
     - net: ethernet: xgbe: re-add aneg to supported features in PHY quirks
     - fs/proc: fix softlockup in __read_vmcore (part 2)
     - irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly
     - hrtimers: Handle CPU state correctly on hotplug
     - ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev()
     - scsi: sg: Fix slab-use-after-free read in sg_release()
     - net: fix data-races around sk->sk_forward_alloc
     - ASoC: wm8994: Add depends on MFD core
     - scsi: iscsi: Fix redundant response for ISCSI_UEVENT_GET_HOST_STATS request
     - irqchip/sunxi-nmi: Add missing SKIP_WAKE flag
     - gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag
     - m68k: Update ->thread.esp0 before calling syscall_trace() in ret_from_signal
     - m68k: Add missing mmap_read_lock() to sys_cacheflush()
     - signal/m68k: Use force_sigsegv(SIGSEGV) in fpsp040_die
     - net: xen-netback: hash.c: Use built-in RCU list checking
     - net/xen-netback: prevent UAF in xenvif_flush_hash()
     - vfio/platform: check the bounds of read/write syscalls
     - ext4: avoid ext4_error()'s caused by ENOMEM in the truncate path
     - ext4: fix slab-use-after-free in ext4_split_extent_at()
     - USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb()
     - Revert "usb: gadget: u_serial: Disable ep before setting port to null to fix
       the crash caused by port being null"
     - Input: atkbd - map F23 key to support default copilot shortcut
     - Input: xpad - add unofficial Xbox 360 wireless receiver clone
     - Input: xpad - add support for wooting two he (arm)
     - drm/v3d: Assign job pointer to NULL before signaling the fence
     - xhci: use pm_ptr() instead of #ifdef for CONFIG_PM conditionals
     - Partial revert of xhci: use pm_ptr() inste

 linux (5.4.0-208.228) focal; urgency=medium
 .
   * CVE-2025-0927
     - SAUCE: fs: hfs/hfsplus: add key_len boundary check to hfs_bnode_read_key
 .

 linux (5.4.0-207.227) focal; urgency=medium
 .
   * focal/linux: 5.4.0-207.227 -proposed tracker (LP: #2095347)
 .
   * Remove "ftrace: Fix possible use-after-free issue in ftrace_location()" bad
     commit from focal (LP: #2095348)
     - Revert "ftrace: Fix possible use-after-free issue in ftrace_location()"
 .