Package "linux"

  linux (5.4.0-214.234) focal; urgency=medium

  * focal/linux: 5.4.0-214.234 -proposed tracker (LP: #2102635)

  * CVE-2024-50256
    - netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6()

  * CVE-2025-21702
    - pfifo_tail_enqueue: Drop new packet when sch->limit == 0

  * CVE-2025-21703
    - netem: Update sch->q.qlen before qdisc_tree_reduce_backlog()

  * CVE-2024-26915
    - drm/amdgpu: Reset IH OVERFLOW_CLEAR bit

  * CVE-2025-21700
    - net: sched: Disallow replacing of child qdisc from one parent to another

  * CVE-2024-46826
    - ELF: fix kernel.randomize_va_space double read

  * CVE-2024-56651
    - can: hi311x: hi3110_can_ist(): fix potential use-after-free

  * CVE-2024-53237
    - driver core: Introduce device_find_any_child() helper
    - Bluetooth: fix use-after-free in device_for_each_child()

  * CVE-2024-35958
    - net: ena: Fix incorrect descriptor free behavior

  * CVE-2024-49974
    - NFSD: Limit the number of concurrent async COPY operations

  * CVE-2021-47119
    - ext4: fix memory leak in ext4_fill_super

  * CVE-2024-56658
    - net: defer final 'struct net' free in netns dismantle

  * CVE-2024-35864
    - smb: client: fix potential UAF in smb2_is_valid_lease_break()

  * CVE-2024-35864/CVE-2024-26928
    - smb: client: fix potential UAF in cifs_debug_files_proc_show()

 -- Stefan Bader <email address hidden> Fri, 14 Mar 2025 15:42:15 +0100

  linux (5.4.0-211.231) focal; urgency=medium

  * focal/linux: 5.4.0-211.231 -proposed tracker (LP: #2101996)

  * cve-2018-5803 kernel panic (LP: #2101091)
    - SAUCE: sctp: sysctl: pass right argument to container_of

  linux (5.4.0-210.230) focal; urgency=medium

  * focal/linux: 5.4.0-210.230 -proposed tracker (LP: #2098353)

  * Focal update: v5.4.290 upstream stable release (LP: #2098439)
    - jbd2: flush filesystem device before updating tail sequence
    - dm array: fix releasing a faulty array block twice in dm_array_cursor_end
    - dm array: fix unreleased btree blocks on closing a faulty array cursor
    - dm array: fix cursor index when skipping across block boundaries
    - ieee802154: ca8210: Add missing check for kfifo_alloc() in ca8210_probe()
    - net: 802: LLC+SNAP OID:PID lookup on start of skb data
    - tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog
    - tcp/dccp: allow a connection when sk_max_ack_backlog is zero
    - net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute
    - tls: Fix tls_sw_sendmsg error handling
    - dm thin: make get_first_thin use rcu-safe list first function
    - sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy
    - sctp: sysctl: auth_enable: avoid using current->nsproxy
    - drm/amd/display: Add check for granularity in dml ceil/floor helpers
    - ACPI: resource: Add TongFang GM5HG0A to irq1_edge_low_force_override[]
    - ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[]
    - drm/amd/display: increase MAX_SURFACES to the value supported by hw
    - USB: serial: option: add MeiG Smart SRM815
    - USB: serial: option: add Neoway N723-EA support
    - staging: iio: ad9834: Correct phase range check
    - staging: iio: ad9832: Correct phase range check
    - usb-storage: Add max sectors quirk for Nokia 208
    - USB: serial: cp210x: add Phoenix Contact UPS Device
    - usb: gadget: u_serial: Disable ep before setting port to null to fix the
      crash caused by port being null
    - USB: usblp: return error when setting unsupported protocol
    - USB: core: Disable LPM only for non-suspended ports
    - usb: fix reference leak in usb_new_device()
    - usb: gadget: f_fs: Remove WARN_ON in functionfs_bind
    - iio: pressure: zpa2326: fix information leak in triggered buffer
    - iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered
      buffer
    - iio: light: vcnl4035: fix information leak in triggered buffer
    - iio: imu: kmx61: fix information leak in triggered buffer
    - iio: adc: ti-ads8688: fix information leak in triggered buffer
    - iio: gyro: fxas21002c: Fix missing data update in trigger handler
    - iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep()
    - iio: adc: at91: call input_free_device() on allocated iio_dev
    - iio: inkern: call iio_device_put() only on mapped devices
    - arm64: dts: rockchip: fix defines in pd_vio node for rk3399
    - arm64: dts: rockchip: fix pd_tcpc0 and pd_tcpc1 node position on rk3399
    - arm64: dts: rockchip: add #power-domain-cells to power domain nodes
    - arm64: dts: rockchip: add hevc power domain clock to rk3328
    - phy: core: fix code style in devm_of_phy_provider_unregister
    - phy: core: Fix that API devm_of_phy_provider_unregister() fails to
      unregister the phy provider
    - ocfs2: correct return value of ocfs2_local_free_info()
    - ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv
    - sctp: sysctl: rto_min/max: avoid using current->nsproxy
    - net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field()
    - net: net_namespace: Optimize the code
    - net: add exit_batch_rtnl() method
    - gtp: use exit_batch_rtnl() method
    - gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp().
    - gtp: Destroy device along with udp socket's netns dismantle.
    - nfp: bpf: prevent integer overflow in nfp_bpf_event_output()
    - drm/v3d: Ensure job pointer is set to NULL after job completion
    - i2c: mux: demux-pinctrl: check initial mux selection, too
    - mac802154: check local interfaces before deleting sdata list
    - hfs: Sanity check the root record
    - kheaders: Ignore silly-rename files
    - poll_wait: add mb() to fix theoretical race between waitqueue_active() and
      .poll()
    - nvmet: propagate npwg topology
    - net: ethernet: xgbe: re-add aneg to supported features in PHY quirks
    - fs/proc: fix softlockup in __read_vmcore (part 2)
    - irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly
    - hrtimers: Handle CPU state correctly on hotplug
    - ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev()
    - scsi: sg: Fix slab-use-after-free read in sg_release()
    - net: fix data-races around sk->sk_forward_alloc
    - ASoC: wm8994: Add depends on MFD core
    - scsi: iscsi: Fix redundant response for ISCSI_UEVENT_GET_HOST_STATS request
    - irqchip/sunxi-nmi: Add missing SKIP_WAKE flag
    - gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag
    - m68k: Update ->thread.esp0 before calling syscall_trace() in ret_from_signal
    - m68k: Add missing mmap_read_lock() to sys_cacheflush()
    - signal/m68k: Use force_sigsegv(SIGSEGV) in fpsp040_die
    - net: xen-netback: hash.c: Use built-in RCU list checking
    - net/xen-netback: prevent UAF in xenvif_flush_hash()
    - vfio/platform: check the bounds of read/write syscalls
    - ext4: avoid ext4_error()'s caused by ENOMEM in the truncate path
    - ext4: fix slab-use-after-free in ext4_split_extent_at()
    - USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb()
    - Revert "usb: gadget: u_serial: Disable ep before setting port to null to fix
      the crash caused by port being null"
    - Input: atkbd - map F23 key to support default copilot shortcut
    - Input: xpad - add unofficial Xbox 360 wireless receiver clone
    - Input: xpad - add support for wooting two he (arm)
    - drm/v3d: Assign job pointer to NULL before signaling the fence
    - xhci: use pm_ptr() instead of #ifdef for CONFIG_PM conditionals
    - Partial revert of xhci: use pm_ptr() instead #ifdef for CONFIG_PM
      conditionals
    - Linux 5.4.290

  * CVE-2021-47219
    - scsi: sc

  linux (5.4.0-208.228) focal; urgency=medium

  * CVE-2025-0927
    - SAUCE: fs: hfs/hfsplus: add key_len boundary check to hfs_bnode_read_key

  linux (5.4.0-207.227) focal; urgency=medium

  * focal/linux: 5.4.0-207.227 -proposed tracker (LP: #2095347)

  * Remove "ftrace: Fix possible use-after-free issue in ftrace_location()" bad
    commit from focal (LP: #2095348)
    - Revert "ftrace: Fix possible use-after-free issue in ftrace_location()"