Package "linux-image-unsigned-5.4.0-205-lowlatency"

  linux (5.4.0-196.216) focal; urgency=medium

  * focal/linux: 5.4.0-196.216 -proposed tracker (LP: #2078205)

  * CVE-2024-39494
    - ima: Fix use-after-free on a dentry's dname.name

  * CVE-2024-42160
    - f2fs: check validation of fault attrs in f2fs_build_fault_attr()
    - f2fs: Add inline to f2fs_build_fault_attr() stub

  * CVE-2024-38570
    - gfs2: Rename sd_{ glock => kill }_wait
    - gfs2: Fix potential glock use-after-free on unmount

  * CVE-2024-42228
    - drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc

  * CVE-2022-48791
    - scsi: pm80xx: Fix TMF task completion race condition
    - scsi: pm8001: Fix use-after-free for aborted TMF sas_task

  * CVE-2024-26787
    - mmc: mmci_sdmmc: Rename sdmmc_priv struct to sdmmc_idma
    - mmc: mmci: stm32: use a buffer for unaligned DMA requests
    - mmc: mmci: stm32: fix DMA API overlapping mappings warning

  * CVE-2024-27012
    - netfilter: nf_tables: restore set elements when delete set fails

  * CVE-2022-48863
    - mISDN: Fix memory leak in dsp_pipeline_build()

  * CVE-2021-47188
    - scsi: ufs: core: Improve SCSI abort handling

  * CVE-2024-26677
    - rxrpc: Fix delayed ACKs to not set the reference serial number

 -- Manuel Diewald <email address hidden> Thu, 29 Aug 2024 14:06:16 +0200

  linux (5.4.0-195.215) focal; urgency=medium

  * focal/linux: 5.4.0-195.215 -proposed tracker (LP: #2075954)

  * Focal update: v5.4.280 upstream stable release (LP: #2075175)
    - Compiler Attributes: Add __uninitialized macro
    - drm/lima: fix shared irq handling on driver remove
    - media: dvb: as102-fe: Fix as10x_register_addr packing
    - media: dvb-usb: dib0700_devices: Add missing release_firmware()
    - IB/core: Implement a limit on UMAD receive List
    - scsi: qedf: Make qedf_execute_tmf() non-preemptible
    - drm/amdgpu: Initialize timestamp for some legacy SOCs
    - drm/amd/display: Skip finding free audio for unknown engine_id
    - media: dw2102: Don't translate i2c read into write
    - sctp: prefer struct_size over open coded arithmetic
    - firmware: dmi: Stop decoding on broken entry
    - Input: ff-core - prefer struct_size over open coded arithmetic
    - net: dsa: mv88e6xxx: Correct check for empty list
    - media: dvb-frontends: tda18271c2dd: Remove casting during div
    - media: s2255: Use refcount_t instead of atomic_t for num_channels
    - media: dvb-frontends: tda10048: Fix integer overflow
    - i2c: i801: Annotate apanel_addr as __ro_after_init
    - powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for CONFIG_PCI=n
    - orangefs: fix out-of-bounds fsid access
    - powerpc/xmon: Check cpu id in commands "c#", "dp#" and "dx#"
    - jffs2: Fix potential illegal address access in jffs2_free_inode
    - s390/pkey: Wipe sensitive data on failure
    - tcp: tcp_mark_head_lost is only valid for sack-tcp
    - tcp: add ece_ack flag to reno sack functions
    - net: tcp better handling of reordering then loss cases
    - UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open()
    - tcp_metrics: validate source addr length
    - wifi: wilc1000: fix ies_len type in connect path
    - bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()
    - selftests: fix OOM in msg_zerocopy selftest
    - selftests: make order checking verbose in msg_zerocopy selftest
    - inet_diag: Initialize pad field in struct inet_diag_req_v2
    - nilfs2: fix inode number range checks
    - nilfs2: add missing check for inode numbers on directory entries
    - mm: optimize the redundant loop of mm_update_owner_next()
    - can: kvaser_usb: Explicitly initialize family in leafimx driver_info struct
    - fsnotify: Do not generate events for O_PATH file descriptors
    - Revert "mm/writeback: fix possible divide-by-zero in wb_dirty_limits(),
      again"
    - drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes
    - drm/amdgpu/atomfirmware: silence UBSAN warning
    - media: dw2102: fix a potential buffer overflow
    - i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr
    - ALSA: hda/realtek: Enable headset mic of JP-IK LEAP W502 with ALC897
    - nvme-multipath: find NUMA path only for online numa-node
    - nilfs2: fix incorrect inode allocation from reserved inodes
    - filelock: fix potential use-after-free in posix_lock_inode
    - fs/dcache: Re-use value stored to dentry->d_flags instead of re-reading
    - vfs: don't mod negative dentry count when on shrinker list
    - tcp: add TCP_INFO status for failed client TFO
    - tcp: fix incorrect undo caused by DSACK of TLP retransmit
    - octeontx2-af: Fix incorrect value output on error path in
      rvu_check_rsrc_availability()
    - net: lantiq_etop: add blank line after declaration
    - net: ethernet: lantiq_etop: fix double free in detach
    - ppp: reject claimed-as-LCP but actually malformed packets
    - udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().
    - s390: Mark psw in __load_psw_mask() as __unitialized
    - ARM: davinci: Convert comma to semicolon
    - octeontx2-af: fix detection of IP layer
    - USB: serial: option: add Telit generic core-dump composition
    - USB: serial: option: add Telit FN912 rmnet compositions
    - USB: serial: option: add Fibocom FM350-GL
    - USB: serial: option: add support for Foxconn T99W651
    - USB: serial: option: add Netprisma LCUK54 series modules
    - USB: serial: option: add Rolling RW350-GL variants
    - USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k
    - usb: gadget: configfs: Prevent OOB read/write in usb_string_copy()
    - USB: core: Fix duplicate endpoint bug by clearing reserved bits in the
      descriptor
    - hpet: Support 32-bit userspace
    - nvmem: meson-efuse: Fix return value of nvmem callbacks
    - ALSA: hda/realtek: Limit mic boost on VAIO PRO PX
    - libceph: fix race between delayed_work() and ceph_monc_stop()
    - SUNRPC: Fix RPC client cleaned up the freed pipefs dentries
    - tcp: refactor tcp_retransmit_timer()
    - net: tcp: fix unexcepted socket die when snd_wnd is 0
    - tcp: use signed arithmetic in tcp_rtx_probe0_timed_out()
    - tcp: avoid too many retransmit packets
    - nilfs2: fix kernel bug on rename operation of broken directory
    - i2c: rcar: bring hardware to known state when probing
    - Linux 5.4.280

  * [SRU] UBSAN warnings in bnx2x kernel driver (LP: #2074215) // Focal update:
    v5.4.280 upstream stable release (LP: #2075175)
    - bnx2x: Fix multiple UBSAN array-index-out-of-bounds

  * Focal update: v5.4.279 upstream stable release (LP: #2073621)
    - wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects
    - wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()
    - wifi: cfg80211: pmsr: use correct nla_get_uX functions
    - wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64
    - wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs ifdef
    - wifi: iwlwifi: mvm: don't read past the mfuart notifcation
    - ipv6: sr: block BH in seg6_output_core() and seg6_input_core()
    - net: sched: sch_multiq: fix possible OOB write in multiq_tune()
    - vxlan: Fix regression when dropping packets due to invalid src addresses
    - tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB
 

  linux (5.4.0-193.213) focal; urgency=medium

  * focal/linux: 5.4.0-193.213 -proposed tracker (LP: #2075804)

  * CVE-2024-26921
    - skbuff: introduce skb_expand_head()
    - skb_expand_head() adjust skb->truesize incorrectly
    - inet: inet_defrag: prevent sk release while still in use

  * CVE-2024-26929
    - scsi: qla2xxx: Fix double free of fcport

  * CVE-2024-39484
    - mmc: davinci: Don't strip remove function when driver is builtin

  * CVE-2024-36901
    - ipv6: prevent NULL dereference in ip6_output()

  * CVE-2024-26830
    - i40e: Refactoring VF MAC filters counting to make more reliable
    - i40e: Fix MAC address setting for a VF via Host/VM
    - i40e: Do not allow untrusted VF to remove administratively set MAC

  * CVE-2024-24860
    - Bluetooth: Fix atomicity violation in {min, max}_key_size_set

  * CVE-2023-52760
    - gfs2: Fix slab-use-after-free in gfs2_qd_dealloc

  * CVE-2024-2201
    - [Config] Set SPECTRE_BHI_ON=y

  * CVE-2023-52629
    - sh: push-switch: Reorder cleanup operations to avoid use-after-free bug

  * CVE-2021-46926
    - ALSA: hda: intel-sdw-acpi: harden detection of controller

 -- Manuel Diewald <email address hidden> Fri, 02 Aug 2024 18:04:24 +0200

  linux (5.4.0-192.212) focal; urgency=medium

  * focal/linux: 5.4.0-192.212 -proposed tracker (LP: #2072305)

  * Focal update: v5.4.278 upstream stable release (LP: #2071668)
    - x86/tsc: Trust initial offset in architectural TSC-adjust MSRs
    - speakup: Fix sizeof() vs ARRAY_SIZE() bug
    - ring-buffer: Fix a race between readers and resize checks
    - net: smc91x: Fix m68k kernel compilation for ColdFire CPU
    - nilfs2: fix unexpected freezing of nilfs_segctor_sync()
    - nilfs2: fix potential hang in nilfs_detach_log_writer()
    - wifi: cfg80211: fix the order of arguments for trace events of the tx_rx_evt
      class
    - net: usb: qmi_wwan: add Telit FN920C04 compositions
    - drm/amd/display: Set color_mgmt_changed to true on unsuspend
    - ASoC: rt5645: Fix the electric noise due to the CBJ contacts floating
    - ASoC: dt-bindings: rt5645: add cbj sleeve gpio property
    - ASoC: da7219-aad: fix usage of device_get_named_child_node()
    - drm/amdkfd: Flush the process wq before creating a kfd_process
    - nvme: find numa distance only if controller has valid numa id
    - openpromfs: finish conversion to the new mount API
    - crypto: bcm - Fix pointer arithmetic
    - firmware: raspberrypi: Use correct device for DMA mappings
    - ecryptfs: Fix buffer size for tag 66 packet
    - nilfs2: fix out-of-range warning
    - parisc: add missing export of __cmpxchg_u8()
    - crypto: ccp - drop platform ifdef checks
    - s390/cio: fix tracepoint subchannel type field
    - jffs2: prevent xattr node from overflowing the eraseblock
    - null_blk: Fix missing mutex_destroy() at module removal
    - md: fix resync softlockup when bitmap size is less than array size
    - wifi: ath10k: poll service ready message before failing
    - x86/boot: Ignore relocations in .notes sections in walk_relocs() too
    - qed: avoid truncating work queue length
    - scsi: ufs: qcom: Perform read back after writing reset bit
    - scsi: ufs: cdns-pltfrm: Perform read back after writing HCLKDIV
    - scsi: ufs: core: Perform read back after disabling interrupts
    - scsi: ufs: core: Perform read back after disabling UIC_COMMAND_COMPL
    - irqchip/alpine-msi: Fix off-by-one in allocation error path
    - ACPI: disable -Wstringop-truncation
    - cpufreq: Reorganize checks in cpufreq_offline()
    - cpufreq: Split cpufreq_offline()
    - cpufreq: Rearrange locking in cpufreq_remove_dev()
    - cpufreq: exit() callback is optional
    - scsi: libsas: Fix the failure of adding phy with zero-address to port
    - scsi: hpsa: Fix allocation size for Scsi_Host private data
    - x86/purgatory: Switch to the position-independent small code model
    - wifi: ath10k: Fix an error code problem in
      ath10k_dbg_sta_write_peer_debug_trigger()
    - wifi: ath10k: populate board data for WCN3990
    - tcp: minor optimization in tcp_add_backlog()
    - tcp: fix a signed-integer-overflow bug in tcp_add_backlog()
    - tcp: avoid premature drops in tcp_add_backlog()
    - macintosh/via-macii: Fix "BUG: sleeping function called from invalid
      context"
    - wifi: carl9170: add a proper sanity check for endpoints
    - wifi: ar5523: enable proper endpoint verification
    - sh: kprobes: Merge arch_copy_kprobe() into arch_prepare_kprobe()
    - Revert "sh: Handle calling csum_partial with misaligned data"
    - HID: intel-ish-hid: ipc: Add check for pci_alloc_irq_vectors
    - scsi: bfa: Ensure the copied buf is NUL terminated
    - scsi: qedf: Ensure the copied buf is NUL terminated
    - wifi: mwl8k: initialize cmd->addr[] properly
    - usb: aqc111: stop lying about skb->truesize
    - net: usb: sr9700: stop lying about skb->truesize
    - m68k: Fix spinlock race in kernel thread creation
    - m68k: mac: Fix reboot hang on Mac IIci
    - net: ethernet: cortina: Locking fixes
    - af_unix: Fix data races in unix_release_sock/unix_stream_sendmsg
    - net: usb: smsc95xx: stop lying about skb->truesize
    - net: openvswitch: fix overwriting ct original tuple for ICMPv6
    - ipv6: sr: add missing seg6_local_exit
    - ipv6: sr: fix incorrect unregister order
    - ipv6: sr: fix invalid unregister error path
    - drm/amd/display: Fix potential index out of bounds in color transformation
      function
    - mtd: rawnand: hynix: fixed typo
    - fbdev: shmobile: fix snprintf truncation
    - drm/mediatek: Add 0 size check to mtk_drm_gem_obj
    - powerpc/fsl-soc: hide unused const variable
    - fbdev: sisfb: hide unused variables
    - media: ngene: Add dvb_ca_en50221_init return value check
    - media: radio-shark2: Avoid led_names truncations
    - platform/x86: wmi: Make two functions static
    - fbdev: sh7760fb: allow modular build
    - drm/arm/malidp: fix a possible null pointer dereference
    - ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value
    - drm/panel: simple: Add missing Innolux G121X1-L03 format, flags, connector
    - RDMA/hns: Use complete parentheses in macros
    - x86/insn: Fix PUSH instruction in x86 instruction decoder opcode map
    - ext4: avoid excessive credit estimate in ext4_tmpfile()
    - sunrpc: removed redundant procp check
    - SUNRPC: Fix gss_free_in_token_pages()
    - selftests/kcmp: Make the test output consistent and clear
    - selftests/kcmp: remove unused open mode
    - RDMA/IPoIB: Fix format truncation compilation errors
    - netrom: fix possible dead-lock in nr_rt_ioctl()
    - af_packet: do not call packet_read_pending() from tpacket_destruct_skb()
    - sched/topology: Don't set SD_BALANCE_WAKE on cpuset domain relax
    - sched/fair: Allow disabling sched_balance_newidle with
      sched_relax_domain_level
    - greybus: lights: check return of get_channel_from_mode
    - soundwire: cadence/intel: simplify PDI/port mapping
    - soundwire: intel: don't filter out PDI0/1
    - soundwire: cadence_master: improve PDI allocation
    - soundwire: cadence: fix invalid PDI offset
    - dmaengine: idma64: Add check for dma_set_max_s

  linux (5.4.0-190.210) focal; urgency=medium

  * focal/linux: 5.4.0-190.210 -proposed tracker (LP: #2072108)

  * CVE-2024-36016
    - tty: n_gsm: fix possible out-of-bounds in gsm0_receive()

  * CVE-2022-48655
    - firmware: arm_scmi: Harden accesses to the reset domains

  * CVE-2024-26907
    - RDMA/mlx5: Fix fortify source warning while accessing Eth segment

  * CVE-2024-26585
    - tls: fix race between tx work scheduling and socket close

  * CVE-2024-26584
    - net: tls: handle backlogging of crypto requests

  * CVE-2024-26583
    - net/tls: Replace TLS_RX_SYNC_RUNNING with RCU
    - net/tls: Fix use-after-free after the TLS device goes down and up
    - tls: splice_read: fix record type check
    - tls splice: remove inappropriate flags checking for MSG_PEEK
    - tls: splice_read: fix accessing pre-processed records
    - tls: Fix context leak on tls_device_down
    - net/tls: Check for errors in tls_device_init
    - net/tls: Remove the context from the list in tls_device_down
    - net/tls: pass context to tls_device_decrypted()
    - net/tls: Perform immediate device ctx cleanup when possible
    - net/tls: Multi-threaded calls to TX tls_dev_del
    - net: tls: avoid discarding data on record close
    - tls: rx: don't store the record type in socket context
    - tls: rx: don't store the decryption status in socket context
    - tls: rx: don't issue wake ups when data is decrypted
    - tls: rx: refactor decrypt_skb_update()
    - tls: hw: rx: use return value of tls_device_decrypted() to carry status
    - tls: rx: drop unnecessary arguments from tls_setup_from_iter()
    - tls: rx: don't report text length from the bowels of decrypt
    - tls: rx: wrap decryption arguments in a structure
    - tls: rx: factor out writing ContentType to cmsg
    - tls: rx: don't track the async count
    - tls: rx: assume crypto always calls our callback
    - tls: rx: use async as an in-out argument
    - tls: decrement decrypt_pending if no async completion will be called
    - net: tls: fix async vs NIC crypto offload
    - tls: rx: simplify async wait
    - tls: extract context alloc/initialization out of tls_set_sw_offload
    - net: tls: factor out tls_*crypt_async_wait()
    - tls: fix race between async notify and socket close

 -- Manuel Diewald <email address hidden> Fri, 05 Jul 2024 17:04:36 +0200