[PATCH 2/3] af_802154: Disable auto-loading as mitigation against local exploits
Forwarded: not-needed
Recent review has revealed several bugs in obscure protocol
implementations that can be exploited by local users for denial of
service or privilege escalation. We can mitigate the effect of any
remaining vulnerabilities in such protocols by preventing unprivileged
users from loading the modules, so that they are only exploitable on
systems where the administrator has chosen to load the protocol.
The 'af_802154' (IEEE 802.15.4) protocol is not widely used, was
not present in the 'lenny' kernel, and seems to receive only sporadic
maintenance. Therefore disable auto-loading.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic debian
Gbp-Pq: Name af_802154-Disable-auto-loading-as-mitigation-against.patch
Tweak gitignore for Debian pkg-kernel using git svn.
Forwarded: not-needed
[bwh: Tweak further for pure git]
Gbp-Pq: Topic debian
Gbp-Pq: Name gitignore.patch
linux (5.10.226-1) bullseye-security; urgency=high
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.224
- [amd64] EDAC/skx_common: Add new ADXL components for 2-level memory
- [amd64] EDAC, i10nm: make skx_common.o a separate module
- [arm64] platform/chrome: cros_ec_debugfs: fix wrong EC message version
- hfsplus: fix to avoid false alarm of circular locking
- [i386] of: Return consistent error type from x86_of_pci_irq_enable()
- [x86] pci/xen: Fix PCIBIOS_* return code handling
- [x86] platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos
- hwmon: (adt7475) Fix default duty on fan is disabled
- [arm64] dts: qcom: msm8996: specify UFS core_clk frequencies
- [arm*] soc: qcom: pdr: protect locator_addr with the main mutex
(CVE-2024-43849)
- [arm64] dts: rockchip: Increase VOP clk rate on RK3328
- [arm64] dts: amlogic: gx: correct hdmi clocks
- [arm64] firmware: turris-mox-rwtm: Fix checking return value of
wait_for_completion_timeout()
- [arm64] firmware: turris-mox-rwtm: Initialize completion before mailbox
- wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device
- net: esp: cleanup esp_output_tail_tcp() in case of unsupported ESPINTCP
- net/smc: Allow SMC-D 1MB DMB allocations
- net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when
CONFIG_ARCH_NO_SG_CHAIN is defined
- lib: objagg: Fix general protection fault (CVE-2024-43846)
- mlxsw: spectrum_acl_erp: Fix object nesting warning (CVE-2024-43880)
- ath11k: dp: stop rx pktlog before suspend
- wifi: ath11k: fix wrong handling of CCMP256 and GCMP ciphers
- wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he()
- wifi: cfg80211: handle 2x996 RU allocation in
cfg80211_calculate_bitrate_he() (CVE-2024-43879)
- [arm*] net: fec: Refactor: #define magic constants
- [arm*] net: fec: Fix FEC_ECR_EN1588 being cleared on link-down
- ipvs: Avoid unnecessary calls to skb_is_gso_sctp
- netfilter: nf_tables: rise cap on SELinux secmark context
- [x86] perf/x86/intel/pt: Fix pt_topa_entry_for_page() address calculation
- perf: Fix perf_aux_size() for greater-than 32-bit size
- perf: Prevent passing zero nr_pages to rb_alloc_aux()
- qed: Improve the stack space of filter_config()
- wifi: virt_wifi: avoid reporting connection success with wrong SSID
(CVE-2024-43841)
- gss_krb5: Fix the error handling path for crypto_sync_skcipher_setkey
- bna: adjust 'name' buf size of bna_tcb and bna_ccb structures
(CVE-2024-43839)
- xdp: fix invalid wait context of page_pool_destroy() (CVE-2024-43834)
- media: imon: Fix race getting ictx->lock
- saa7134: Unchecked i2c_transfer function result fixed
- media: uvcvideo: Allow entity-defined get_info and get_cur
- media: uvcvideo: Override default flags
- leds: trigger: Unregister sysfs attributes before calling deactivate()
(CVE-2024-43830)
- perf report: Fix condition in sort__sym_cmp()
- [armhf] drm/etnaviv: fix DMA direction handling for cached RW buffers
- drm/qxl: Add check for drm_cvt_mode (CVE-2024-43829)
- Revert "leds: led-core: Fix refcount leak in of_led_get()"
(regression in 5.10.173)
- ext4: fix infinite loop when replaying fast_commit (CVE-2024-43828)
- [arm64] media: venus: flush all buffers in output plane streamoff
- [armhf] mfd: omap-usb-tll: Use struct_size to allocate tll
- xprtrdma: Rename frwr_release_mr()
- xprtrdma: Fix rpcrdma_reqs_reset()
- SUNRPC: avoid soft lockup when transmitting UDP to reachable server.
- ext4: avoid writing unitialized memory to disk in EA inodes
- SUNRPC: Fixup gss_status tracepoint error output
- PCI: Fix resource double counting on remove & rescan
- RDMA/mlx4: Fix truncated output warning in mad.c
- RDMA/mlx4: Fix truncated output warning in alias_GUID.c
- RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs
- RDMA/device: Return error earlier if port in not valid
- Input: elan_i2c - do not leave interrupt disabled on suspend failure
- [arm64] RDMA/hns: Fix missing pagesize and alignment check in FRMR
- netfilter: ctnetlink: use helper function to calculate expect ID
(CVE-2024-44944)
- [arm*] net: dsa: mv88e6xxx: Limit chip-wide frame size config to CPU
ports
- [armhf] net: dsa: b53: Limit chip-wide jumbo frame config to CPU ports
- [arm*] pinctrl: rockchip: update rk3308 iomux routes
- pinctrl: core: fix possible memory leak when pinctrl_enable() fails
- pinctrl: single: fix possible memory leak when pinctrl_enable() fails
- [armhf] pinctrl: ti: ti-iodelay: Drop if block with always false
condition
- [armhf] pinctrl: ti: ti-iodelay: fix possible memory leak when
pinctrl_enable() fails
- fs/proc/task_mmu: indicate PM_FILE for PMD-mapped file THP
- nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro
- rtc: interface: Add RTC offset to alarm after fix-up
- tick/broadcast: Make takeover of broadcast hrtimer reliable
- net: netconsole: Disable target before netpoll cleanup
- af_packet: Handle outgoing VLAN packets without hardware offloading
- ipv6: take care of scope when choosing the src addr
- sched/fair: set_load_weight() must also call reweight_task() for
SCHED_IDLE tasks
- char: tpm: Fix possible memory leak in tpm_bios_measurements_open()
- [arm64] media: venus: fix use after free in vdec_close (CVE-2024-42313)
- hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()
(CVE-2024-42311)
- ext2: Verify bitmap and itable block numbers before using them
- [x86] drm/gma500: fix null pointer dereference in
cdv_intel_lvds_get_modes (CVE-2024-42310)
- [x86] drm/gma500: fix null pointer dereference in
psb_intel_lvds_get_modes (CVE-2024-42309)
- scsi: qla2xxx: Fix optrom version displayed in FDMI
- drm/amd/display: Check for NULL pointer (CVE-2024-42308)
- sched/fair: Use all little CPUs for CPU-bound workloads
- apparmor: use kvfree_sensitive to free data->data
- task_work: s/task_work_cancel()/task_work_cancel_func()/
- task_work: Introduce task_work_cancel() again
- udf: Avoid using corrupted block bitmap buffer (CVE-2024-42306)
- ext4: check dot and dotdot of dx_root before making dir indexed
(CVE-2024-42305)
- ext4: make sure the first directory block is not a hole (CVE-2024-42304)
- wifi: mwifiex: Fix interface type change
- [x86] leds: ss4200: Convert PCIBIOS_* return codes to errnos
- jbd2: make jbd2_journal_get_max_txn_bufs() internal
- [x86] KVM: VMX: Split out the non-virtualization part of
vmx_interrupt_blocked()
- [x86] hwrng: amd - Convert PCIBIOS_* return codes to errnos
- [amd64] PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN
- [arm64] PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio
- binder: fix hang of unregistered readers
- dev/parport: fix the array out-of-bounds risk (CVE-2024-42301)
- scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds
- f2fs: fix to don't dirty inode for readonly filesystem (CVE-2024-42297)
- ubi: eba: properly rollback inside self_check_eba
- decompress_bunzip2: fix rare decompression failure
- kobject_uevent: Fix OOB access within zap_modalias_env() (CVE-2024-42292)
- devres: Fix devm_krealloc() wasting memory
- rtc: cmos: Fix return value of nvmem callbacks
- scsi: qla2xxx: During vport delete send async logout explicitly
(CVE-2024-42289)
- scsi: qla2xxx: Fix for possible memory corruption (CVE-2024-42288)
- scsi: qla2xxx: Fix flash read failure
- scsi: qla2xxx: Complete command early within lock (CVE-2024-42287)
- scsi: qla2xxx: validate nvme_local_port correctly (CVE-2024-42286)
- [x86] perf/x86/intel/pt: Fix topa_entry base length
- [x86] perf/x86/intel/pt: Fix a topa_entry base address calculation
- [x86] watchdog/perf: properly initialize the turbo mode timestamp and
rearm counter
- RDMA/iwcm: Fix a use-after-free related to destroying CM IDs
(CVE-2024-42285)
- rbd: don't assume rbd_is_lock_owner() for exclusive mappings
- [arm*] drm/panfrost: Mark simple_ondemand governor as softdep
- rbd: rename RBD_LOCK_STATE_RELEASING and releasing_wait
- rbd: don't assume RBD_LOCK_STATE_LOCKED for exclusive mappings
- Bluetooth: btusb: Add RTL8852BE device 0489:e125 to device tables
- Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x13d3:0x3591
- nilfs2: handle inconsistent state in nilfs_btnode_create_block()
(CVE-2024-42295)
- io_uring/io-wq: limit retrying worker initialisation
- kernel: rerun task_work while freezing in get_signal()
- jfs: Fix array-index-out-of-bounds in diFree (CVE-2024-43858)
- f2fs: fix start segno of large section
- dma: fix call order in dmam_free_coherent (CVE-2024-43856)
- ipv4: Fix incorrect source address in Record Route option
- net: bonding: correctly annotate RCU in bond_should_notify_peers()
- [amd64] netfilter: nft_set_pipapo_avx2: disable softinterrupts
- tipc: Return non-zero value from tipc_udp_addr2str() on error
(CVE-2024-42284)
- net: stmmac: Correct byte order of perfect_match
- net: nexthop: Initialize all fields in dumped nexthops (CVE-2024-42283)
- bpf: Fix a segment issue when downgrading gso_size (CVE-2024-42281)
- [x86] mISDN: Fix a use after free in hfcmulti_tx() (CVE-2024-42280)
- apparmor: Fix null pointer deref when receiving skb during sock creation
(CVE-2023-52889)
- lirc: rc_dev_get_from_fd(): fix file leak
- ceph: fix incorrect kmalloc size of pagevec mempool
- nvme: split command copy into a helper
- nvme-pci: add missing condition check for existence of mapped data
(CVE-2024-42276)
- fs: don't allow non-init s_user_ns for filesystems without
FS_USERNS_MOUNT
- fuse: verify {g,u}id mount options correctly
- sysctl: always initialize i_uid/i_gid (CVE-2024-42312)
- ext4: factor out a common helper to query extent map
- ext4: check the extent status again before inserting delalloc block
- [arm64] soc: xilinx: move PM_INIT_FINALIZE to zynqmp_pm_domains driver
- [arm64] drivers: soc: xilinx: check return status of get_api_version()
- devres: Fix memory leakage caused by driver API devm_free_percpu()
(CVE-2024-43871)
- genirq: Allow the PM device to originate from irq domain
- [arm*] irqchip/imx-irqsteer: Constify irq_chip struct
- [arm*] irqchip/imx-irqsteer: Add runtime PM support
- [arm*] irqchip/imx-irqsteer: Handle runtime power management correctly
(CVE-2024-42290)
- remoteproc: imx_rproc: ignore mapping vdev regions (CVE-2024-43860)
- drm/nouveau: prime: fix refcount underflow (CVE-2024-43867)
- [x86] drm/vmwgfx: Fix overlay when using Screen Targets
- sched: act_ct: take care of padding in struct zones_ht_key
(CVE-2024-42272)
- net/mlx5e: Add a check for the return value from mlx5_port_set_eth_ptys
- ipv6: fix ndisc_is_useropt() handling for PIO
- [arm*] platform/chrome: cros_ec_proto: Lock device when updating MKBP
version
- HID: wacom: Modify pen IDs
- protect the fetch of ->fd[fd] in do_dup2() from mispredictions
(CVE-2024-42265)
- ALSA: usb-audio: Correct surround channels in UAC1 channel map
- [x86] ALSA: hda/realtek: Add quirk for Acer Aspire E5-574G
- net: usb: sr9700: fix uninitialized variable use in sr_mdio_read
- r8169: don't increment tx_dropped in case of NETDEV_TX_BUSY
- genirq: Allow irq_chip registration functions to take a const irq_chip
- [arm64] irqchip/mbigen: Fix mbigen node address layout
- [i386] mm: Fix pti_clone_pgtable() alignment assumption (CVE-2024-44965)
- [i386] mm: Fix pti_clone_entry_text() for i386
- sctp: move hlist_node and hashent out of sctp_ep_common
- sctp: Fix null-ptr-deref in reuseport_add_sock(). (CVE-2024-44935)
- net: usb: qmi_wwan: fix memory leak for not ip packets (CVE-2024-43861)
- net: linkwatch: use system_unbound_wq
- Bluetooth: l2cap: always unlock channel in l2cap_conless_channel()
- [armhf] net: dsa: bcm_sf2: Fix a possible memory leak in
bcm_sf2_mdio_register() (CVE-2024-44971)
- l2tp: fix lockdep splat
- [arm*] net: fec: Stop PPS on driver remove
- md: do not delete safemode_timer in mddev_suspend
- md/raid5: avoid BUG_ON() while continue reshape after reassembling
(CVE-2024-43914)
- ACPI: battery: create alarm sysfs attribute atomically
- [x86] ACPI: SBS: manage alarm sysfs attribute through psy core
- udf: prevent integer overflow in udf_bitmap_free_blocks()
- wifi: nl80211: don't give key data to userspace
- btrfs: fix bitmap leak when loading free space cache on duplicate entry
- drm/amdgpu: Fix the null pointer dereference to ras_manager
(CVE-2024-43908)
- drm/amdgpu/pm: Fix the null pointer dereference in
apply_state_adjust_rules (CVE-2024-43907)
- media: uvcvideo: Ignore empty TS packets
- media: uvcvideo: Fix the bandwdith quirk on USB 3.x
- jbd2: avoid memleak in jbd2_journal_write_metadata_buffer
- SUNRPC: Fix a race to wake a sync task
- sched/cputime: Fix mul_u64_u64_div_u64() precision for cputime
- ext4: fix wrong unit use in ext4_mb_find_by_goal
- [arm64] cpufeature: Force HWCAP to be based on the sysreg visible to
user-space
- [arm64] Add Neoverse-V2 part
- [arm64] cputype: Add Cortex-X4 definitions
- [arm64] cputype: Add Neoverse-V3 definitions
- [arm64] errata: Add workaround for Arm errata
3194386 and
3312417
- [arm64] cputype: Add Cortex-X3 definitions
- [arm64] cputype: Add Cortex-A720 definitions
- [arm64] cputype: Add Cortex-X925 definitions
- [arm64] errata: Unify speculative SSBS errata logic
- [arm64] errata: Expand speculative SSBS workaround
- [arm64] cputype: Add Cortex-X1C definitions
- [arm64] cputype: Add Cortex-A725 definitions
- [arm64] errata: Expand speculative SSBS workaround (again)
- i2c: smbus: Improve handling of stuck alerts
- i2c: smbus: Send alert notifications to all devices if source not found
- kprobes: Fix to check symbol prefixes correctly
- ALSA: usb-audio: Re-add ScratchAmp quirk entries
- drm/client: fix null pointer dereference in drm_client_modeset_probe
(CVE-2024-43894)
- ALSA: line6: Fix racy access to midibuf (CVE-2024-44954)
- [x86] ALSA: hda: Add HP MP9 G4 Retail System AMS to force connect list
- [x86] ALSA: hda/hdmi: Yet more pin fix for HP EliteDesk 800 G4
- usb: vhci-hcd: Do not drop references before new references are gained
(CVE-2024-43883)
- USB: serial: debug: do not echo input by default
- usb: gadget: core: Check for unset descriptor (CVE-2024-44960)
- usb: gadget: u_serial: Set start_delayed during suspend
- scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic
- tick/broadcast: Move per CPU pointer access into the atomic section
(CVE-2024-44968)
- ntp: Clamp maxerror and esterror to operating range
- driver core: Fix uevent_show() vs driver detach race (CVE-2024-44952)
- ntp: Safeguard against time_constant overflow
- scsi: mpt3sas: Remove scsi_dma_map() error messages
- scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES
- [arm*] irqchip/meson-gpio: support more than 8 channels gpio irq
- [arm*] irqchip/meson-gpio: Convert meson_gpio_irq_controller::lock to
'raw_spinlock_t'
- serial: core: check uartclk for zero to avoid divide by zero
(CVE-2024-43893)
- genirq/irqdesc: Honor caller provided affinity in alloc_desc()
- padata: Fix possible divide-by-0 panic in padata_mt_helper()
(CVE-2024-43889)
- tracing: Fix overflow in get_free_elt() (CVE-2024-43890)
- [x86] mtrr: Check if fixed MTRRs exist before saving them
(CVE-2024-44948)
- [arm*] drm/bridge: analogix_dp: properly handle zero sized AUX
transactions
- [x86] drm/mgag200: Set DDC timeout in milliseconds
- PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal
(CVE-2024-42302)
- netfilter: nf_tables: set element extended ACK reporting support
- netfilter: nf_tables: use timestamp to check for set element timeout
(CVE-2024-27397)
- netfilter: nf_tables: allow clone callbacks to sleep
- netfilter: nf_tables: prefer nft_chain_validate (CVE-2024-41042)
- [x86] drm/i915/gem: Fix Virtual Memory mapping boundaries calculation
(CVE-2024-42259)
- [arm64] cpufeature: Fix the visibility of compat hwcaps
- media: uvcvideo: Use entity get_cur in uvc_ctrl_set
- exec: Fix ToCToU between perm check and set-uid/gid usage
(CVE-2024-43882)
- [x86] nvme/pci: Add APST quirk for Lenovo N60z laptop
- wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values (CVE-2024-42114)
https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.225
- fuse: Initialize beyond-EOF page contents before setting uptodate
(CVE-2024-44947)
- ALSA: usb-audio: Support Yamaha P-125 quirk entry
- [x86] xhci: Fix Panther point NULL pointer deref at full-speed re-
enumeration (CVE-2024-45006)
- [x86] thunderbolt: Mark XDomain as unplugged when router is removed
(CVE-2024-46702)
- [arm64] ACPI: NUMA: initialize all values of acpi_early_node_map to
NUMA_NO_NODE
- dm resume: don't return EINVAL when signalled
- dm persistent data: fix memory allocation failure
- vfs: Don't evict inode under the inode lru traversing context
(CVE-2024-45003)
- bitmap: introduce generic optimized bitmap_size()
- fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE
(CVE-2024-45025)
- selinux: fix potential counting error in avc_add_xperms_decision()
- btrfs: tree-checker: add dev extent item checks
- drm/amdgpu: Actually check flags for all context ops.
- memcg_write_event_control(): fix a user-triggerable oops (CVE-2024-45021)
- drm/amdgpu/jpeg2: properly set atomics vmid field
- btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits()
- net/mlx5e: Correctly report errors for ethtool rx flows
- [x86] atm: idt77252: prevent use after free in dequeue_rx()
(CVE-2024-44998)
- netfilter: flowtable: initialise extack before use (CVE-2024-45018)
- [arm64] net: hns3: fix wrong use of semaphore up
- [arm64] net: hns3: fix a deadlock problem when config TC during resetting
(CVE-2024-44995)
- ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7
- ssb: Fix division by zero issue in ssb_calc_clock_rate
- wifi: mac80211: fix BA session teardown race
- [i386] media: radio-isa: use dev_name to fill in bus_info
- binfmt_misc: cleanup on filesystem umount
- [arm64] media: qcom: venus: fix incorrect return value
- scsi: spi: Fix sshdr use
- gfs2: setattr_chown: Add missing initialization
- wifi: iwlwifi: abort scan when rfkill on but device enabled
- [amd64] IB/hfi1: Fix potential deadlock on &irq_src_lock and
&dd->uctxt_lock
- nvmet-trace: avoid dereferencing pointer too early
- ext4: do not trim the group with corrupted block bitmap
- quota: Remove BUG_ON from dqget()
- media: pci: cx23885: check cx23885_vdev_init() return
- scsi: lpfc: Initialize status local variable in
lpfc_sli4_repost_sgl_list()
- [arm*] drm/lima: set gp bus_stop bit before hard reset
- virtiofs: forbid newlines in tags
- netlink: hold nlk->cb_mutex longer in __netlink_dump_start()
- md: clean up invalid BUG_ON in md_ioctl
- [x86] Increase brk randomness entropy for 64-bit systems
- btrfs: change BUG_ON to assertion when checking for delayed_node root
- btrfs: handle invalid root reference found in may_destroy_subvol()
- btrfs: send: handle unexpected data in header buffer in begin_cmd()
- btrfs: delete pointless BUG_ON check on quota root in
btrfs_qgroup_account_extent()
- f2fs: fix to do sanity check in update_sit_entry
- usb: gadget: fsl: Increase size of name buffer for endpoints
- Bluetooth: bnep: Fix out-of-bound access
- [arm64] net: hns3: add checking for vf id of mailbox
- nvmet-tcp: do not continue for invalid icreq
- NFS: avoid infinite loop in pnfs_update_layout.
- [arm*] usb: dwc3: core: Skip setting event buffers for host only
controllers
- usb: dwc3: st: fix probed platform device ref count on probe error path
(CVE-2024-46674)
- [arm*] irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc
- ext4: set the type of max_zeroout to unsigned int to avoid overflow
- nvmet-rdma: fix possible bad dereference when freeing rsps
- hrtimer: Prevent queuing of hrtimer without a function callback
- gtp: pull network headers in gtp_dev_xmit() (CVE-2024-44999)
- block: use "unsigned long" for blk_validate_block_size().
- media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c)
- dm suspend: return -ERESTARTSYS instead of -EINTR
- Bluetooth: hci_core: Fix LE quote calculation
- Bluetooth: SMP: Fix assumption of Central always being Initiator
- kcm: Serialise kcm_sendmsg() for the same socket. (CVE-2024-44946)
- netfilter: nft_counter: Synchronize nft_counter_reset() against reader.
- ip6_tunnel: Fix broken GRO
- bonding: fix bond_ipsec_offload_ok return type
- bonding: fix null pointer deref in bond_ipsec_offload_ok (CVE-2024-44990)
- bonding: fix xfrm real_dev null pointer dereference (CVE-2024-44989)
- bonding: fix xfrm state handling when clearing active slave
- ice: fix ICE_LAST_OFFSET formula
- [arm*] net: dsa: mv88e6xxx: read FID when handling ATU violations
- [arm*] net: dsa: mv88e6xxx: replace ATU violation prints with trace
points
- [arm*] net: dsa: mv88e6xxx: Fix out-of-bound access (CVE-2024-44988)
- netem: fix return value if duplicate enqueue fails (CVE-2024-45016)
- ipv6: prevent UAF in ip6_send_skb() (CVE-2024-44987)
- [arm64] drm/msm/dpu: don't play tricks with debug macros
- [arm64] drm/msm/dp: reset the link phy params before link training
- mmc: mmc_test: Fix NULL dereference on allocation failure
(CVE-2024-45028)
- Bluetooth: MGMT: Add error handling to pair_device() (CVE-2024-43884)
- binfmt_misc: pass binfmt_misc flags to the interpreter
- HID: wacom: Defer calculation of resolution until resolution_code is
known
- HID: microsoft: Add rumble support to latest xbox controllers
- cxgb4: add forgotten u64 ivlan cast before shift
- [arm64] KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3
(CVE-2024-46707)
- [arm*] mmc: dw_mmc: allow biu and ciu clocks to defer
- ALSA: timer: Relax start tick time check for slave timer elements
- nfsd: Don't call freezable_schedule_timeout() after each successful page
allocation in svc_alloc_arg().
- Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in HCIUARTGETPROTO
(CVE-2023-31083)
- Input: MT - limit max slots (CVE-2024-45008)
- drm/amdgpu: Using uninitialized value *size when calling
amdgpu_vce_cs_reloc (CVE-2024-42228)
- [arm64] KVM: arm64: Don't use cbz/adr with external symbols
- [arm64] pinctrl: rockchip: correct RK3328 iomux width flag for GPIO2-B
pins
- [arm*] pinctrl: single: fix potential NULL dereference in
pcs_get_function() (CVE-2024-46685)
- wifi: mwifiex: duplicate static structs used in driver instances
- ipc: replace costly bailout check in sysvipc_find_ipc() (CVE-2021-3669)
- [amd64] drm/amdkfd: don't allow mapping the MMIO HDP page with large
pages (CVE-2024-41011)
- media: uvcvideo: Fix integer overflow calculating timestamp
- ata: libata-core: Fix null pointer dereference on error (CVE-2024-41098)
- cgroup/cpuset: Prevent UAF in proc_cpuset_show() (CVE-2024-43853)
- net:rds: Fix possible deadlock in rds_message_put
- ovl: do not fail because of O_NOATIME
- soundwire: stream: fix programming slave ports for non-continous port
maps
- [x86] dmaengine: dw: Add peripheral bus width verification
- [x86] dmaengine: dw: Add memory bus width verification
- ethtool: check device is present when getting link settings
(CVE-2024-46679)
- gtp: fix a potential NULL pointer dereference (CVE-2024-46677)
- net: busy-poll: use ktime_get_ns() instead of local_clock()
- nfc: pn533: Add poll mod list filling check (CVE-2024-46676)
- [arm64] soc: qcom: cmd-db: Map shared memory as WC, not WB
(CVE-2024-46689)
- cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller
- USB: serial: option: add MeiG Smart SRM825L
- [armhf] usb: dwc3: omap: add missing depopulate in probe error path
- [arm*] usb: dwc3: core: Prevent USB core invalid event buffer address
access (CVE-2024-46675)
- usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in
remove_power_attributes()
- scsi: aacraid: Fix double-free on probe failure (CVE-2024-46673)
https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.226
- [x86] drm: panel-orientation-quirks: Add quirk for OrangePi Neo
- ALSA: hda/conexant: Mute speakers at suspend / shutdown
- net: usb: qmi_wwan: add MeiG Smart SRM825L
- drm/amdgpu: Fix uninitialized variable warning in amdgpu_afmt_acr
- drm/amdgpu: fix overflowed array index read warning
- drm/amd/pm: fix uninitialized variable warning for smu8_hwmgr
- drm/amd/pm: fix warning using uninitialized value of max_vid_step
- drm/amd/pm: fix the Out-of-bounds read warning (CVE-2024-46731)
- drm/amdgpu: fix uninitialized scalar variable warning
- drm/amd/pm: fix uninitialized variable warnings for vega10_hwmgr
(CVE-2024-43905)
- drm/amdgpu: avoid reading vf2pf info size from FB
- drm/amd/display: Check gpio_id before used as array index
(CVE-2024-46818)
- drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than
6 (CVE-2024-46817)
- drm/amd/display: Add array index check for hdcp ddc access
(CVE-2024-46804)
- drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[]
(CVE-2024-46815)
- drm/amd/display: Check msg_id before processing transcation
(CVE-2024-46814)
- drm/amd/display: Fix Coverity INTEGER_OVERFLOW within
dal_gpio_service_create
- drm/amdgpu/pm: Fix uninitialized variable agc_btc_response
- drm/amdgpu: Fix out-of-bounds write warning (CVE-2024-46725)
- drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number
(CVE-2024-46724)
- drm/amdgpu: fix ucode out-of-bounds read warning (CVE-2024-46723)
- drm/amdgpu: fix mc_data out-of-bounds read warning (CVE-2024-46722)
- [amd64] drm/amdkfd: Reconcile the definition and use of oem_id in struct
kfd_topology_device
- apparmor: fix possible NULL pointer dereference (CVE-2024-46721)
- drm/amdgpu/pm: Check input value for CUSTOM profile mode setting on
legacy SOCs
- drm/amdgpu: the warning dereferencing obj for nbio_v7_4 (CVE-2024-46819)
- drm/amd/pm: check negtive return for table entries
- wifi: iwlwifi: remove fw_running op
- [arm64] PCI: al: Check IORESOURCE_BUS existence during probe
- hwspinlock: Introduce hwspin_lock_bust()
- usbip: Don't submit special requests twice
- usb: typec: ucsi: Fix null pointer dereference in trace (CVE-2024-46719)
- fsnotify: clear PARENT_WATCHED flags lazily
- [arm64] drm/meson: plane: Add error handling
- wifi: cfg80211: make hash table duplicates more survivable
- block: remove the blk_flush_integrity call in blk_integrity_unregister
- drm/amd/display: Skip wbscl_set_scaler_filter if filter is null
(CVE-2024-46714)
- media: uvcvideo: Enforce alignment of frame and interval
- block: initialize integrity buffer to zero before writing it to media
(CVE-2024-43854)
- drm/amd/pm: Fix the null pointer dereference for vega10_hwmgr
- bpf, cgroups: Fix cgroup v2 fallback on v1/v2 mixed mode
- net: set SOCK_RCU_FREE before inserting socket into hashtable
- virtio_net: Fix napi_skb_cache_put warning (CVE-2024-43835)
- rcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow
(CVE-2024-38577)
- udf: Limit file size to 4TB
- ext4: handle redirtying in ext4_bio_write_page()
- bpf, cgroup: Assign cgroup in cgroup_sk_alloc when called from interrupt
- sch/netem: fix use after free in netem_dequeue (CVE-2024-46800)
- ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object (CVE-2024-46798)
- [x86] ALSA: hda/conexant: Add pincfg quirk to enable top speakers on
Sirius devices
- [x86] ALSA: hda/realtek: add patch for internal mic in Lenovo V145
- [x86] ALSA: hda/realtek: Support mute LED on HP Laptop 14-dq2xxx
- ata: libata: Fix memory leak for error path in ata_host_alloc()
- [arm*] irqchip/gic-v2m: Fix refcount leak in gicv2m_of_init()
- Revert "Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/
LE" (regresion in 5.10.206)
- Bluetooth: MGMT: Ignore keys being loaded with invalid type
- [arm*] mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K
- [armhf] mmc: sdhci-of-aspeed: fix module autoloading
- fuse: update stats for pages in dropped aux writeback list
- fuse: use unsigned type for getxattr/listxattr size truncation
- [arm64] clk: qcom: clk-alpha-pll: Fix the pll post div mask
- [arm64] clk: qcom: clk-alpha-pll: Fix the trion pll postdiv set rate API
- can: mcp251x: fix deadlock if an interrupt occurs during mcp251x_open
(CVE-2024-46791)
- tracing: Avoid possible softlockup in tracing_iter_reset()
- ila: call nf_unregister_net_hooks() sooner (CVE-2024-46782)
- sched: sch_cake: fix bulk flow accounting logic for host fairness
(CVE-2024-46828)
- nilfs2: fix missing cleanup on rollforward recovery error
(CVE-2024-46781)
- nilfs2: fix state management in error path of log writing function
- btrfs: fix use-after-free after failure to create a snapshot
(CVE-2022-48733)
- mptcp: pm: avoid possible UaF when selecting endp (CVE-2024-44974)
- nfsd: move reply cache initialization into nfsd startup
- nfsd: move init of percpu reply_cache_stats counters back to
nfsd_init_net
- NFSD: Refactor nfsd_reply_cache_free_locked()
- NFSD: Rename nfsd_reply_cache_alloc()
- NFSD: Replace nfsd_prune_bucket()
- NFSD: Refactor the duplicate reply cache shrinker
- NFSD: simplify error paths in nfsd_svc()
- NFSD: Fix frame size warning in svc_export_parse()
- sunrpc: don't change ->sv_stats if it doesn't exist
- nfsd: stop setting ->pg_stats for unused stats
- sunrpc: pass in the sv_stats struct through svc_create_pooled
- sunrpc: remove ->pg_stats from svc_program
- sunrpc: use the struct net as the svc proc private
- nfsd: rename NFSD_NET_* to NFSD_STATS_*
- nfsd: expose /proc/net/sunrpc/nfsd in net namespaces
- nfsd: make all of the nfsd stats per-network namespace
- nfsd: remove nfsd_stats, make th_cnt a global counter
- nfsd: make svc_stat per-network namespace instead of global
- ALSA: hda: Add input value sanity checks to HDMI channel map controls
- [armhf] irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1
- af_unix: Remove put_pid()/put_cred() in copy_peercred().
- netfilter: nf_conncount: fix wrong variable type
- udf: Avoid excessive partition lengths (CVE-2024-46777)
- media: vivid: fix wrong sizeimage value for mplane
- wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3
- usb: uas: set host status byte on data completion error
- media: vivid: don't set HDMI TX controls if there are no HDMI outputs
- [x86] pcmcia: Use resource_size function on resource object
- can: bcm: Remove proc entry when dev is unregistered. (CVE-2024-46771)
- igb: Fix not clearing TimeSync interrupts for 82580
- svcrdma: Catch another Reply chunk overflow case
- [x86] platform/x86: dell-smbios: Fix error path in dell_smbios_init()
- tcp_bpf: fix return value of tcp_bpf_sendmsg() (CVE-2024-46783)
- igc: Unlock on error in igc_io_resume()
- drivers/net/usb: Remove all strcpy() uses
- net: usb: don't write directly to netdev->dev_addr
- usbnet: modern method to get random MAC
- gro: remove rcu_read_lock/rcu_read_unlock from gro_receive handlers
- gro: remove rcu_read_lock/rcu_read_unlock from gro_complete handlers
- fou: Fix null-ptr-deref in GRO. (CVE-2024-46763)
- net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN
- ASoC: topology: Properly initialize soc_enum values
- dm init: Handle minors larger than 255
- [x86] iommu/vt-d: Handle volatile descriptor status read
- cgroup: Protect css->cgroup write under css_set_lock
- um: line: always fill *error_out in setup_one_line() (CVE-2024-46844)
- devres: Initialize an uninitialized struct member
- hwmon: (
adc128d818) Fix underflows seen when writing limit attributes
(CVE-2024-46759)
- hwmon: (lm95234) Fix underflows seen when writing limit attributes
(CVE-2024-46758)
- hwmon: (nct6775-core) Fix underflows seen when writing limit attributes
(CVE-2024-46757)
- hwmon: (w83627ehf) Fix underflows seen when writing limit attributes
(CVE-2024-46756)
- libbpf: Add NULL checks to bpf_object__{prev_map,next_map}
- wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()
(CVE-2024-46755)
- btrfs: replace BUG_ON with ASSERT in walk_down_proc()
- btrfs: clean up our handling of refs == 0 in snapshot delete
(CVE-2024-46840)
- PCI: Add missing bridge lock to pci_bus_lock() (CVE-2024-46750)
- HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup
(CVE-2024-46747)
- Input: uinput - reject requests with unreasonable number of slots
(CVE-2024-46745)
- usbnet: ipheth: race between ipheth_close and error handling
- Squashfs: sanity check symbolic link size (CVE-2024-46744)
- of/irq: Prevent device address out-of-bounds read in interrupt map walk
(CVE-2024-46743)
- lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()
- NFSv4: Add missing rescheduling points in
nfs_client_return_marked_delegations
- iio: buffer-dmaengine: fix releasing dma channel on error
- iio: fix scale application in iio_convert_raw_to_processed_unlocked
- iio: adc: ad7124: fix chip ID mismatch
- binder: fix UAF caused by offsets overwrite (CVE-2024-46740)
- nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc
- [x86] uio_hv_generic: Fix kernel NULL pointer dereference in
hv_uio_rescind (CVE-2024-46739)
- [x86] Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic
- [x86] VMCI: Fix use-after-free when removing resource in
vmci_resource_remove() (CVE-2024-46738)
- clocksource/drivers/timer-of: Remove percpu irq related code
- uprobes: Use kzalloc to allocate xol area
- perf/aux: Fix AUX buffer serialization (CVE-2024-46713)
- nilfs2: replace snprintf in show functions with sysfs_emit
- nilfs2: protect references to superblock parameters exposed in sysfs
(CVE-2024-46780)
- ACPI: processor: Return an error if acpi_processor_get_info() fails in
processor_add()
- ACPI: processor: Fix memory leaks in error paths of processor_add()
- [arm64] acpi: Move get_cpu_for_acpi_id() to a header
- [arm64] acpi: Harden get_cpu_for_acpi_id() against missing CPU entry
(CVE-2024-46822)
- nvmet-tcp: fix kernel crash if commands allocation fails (CVE-2024-46737)
- mmc: cqhci: Fix checking of CQHCI_HALT state
- rtmutex: Drop rt_mutex::wait_lock before scheduling (CVE-2024-46829)
- [i386] x86/mm: Fix PTI for i386 some more
- net, sunrpc: Remap EPERM in case of connection failure in
xs_tcp_setup_socket (CVE-2024-42246)
- memcg: protect concurrent access to mem_cgroup_idr (CVE-2024-43892)
[ Ben Hutchings ]
* Drop "netfilter: ipset: Add list flush to cancel_gc", included in 5.10.224
* Bump ABI to 33
* debian/README.source: Tag signatures are automatically verified
* d/bin/genorig.py, d/README.source: Only support Git as upstream
* d/bin/genorig.py, d/README.source: Add support for remote upstream repos
* lintian: Refresh lintian-overrides
* d/bin/gencontrol.py, d/lib/python: Use classes for build restriction
formulae
* d/bin/gencontrol.py, d/rules.real: Replace DEBUG variable with if_package
* Introduce pkg.linux.quick build profile for quicker CI builds
* d/salsa-ci.yml: Add CI config using some of the common pipeline
* d/salsa-ci.yml, d/tests/python: Only run static checks in CI
* d/salsa-ci.yml: Run kconfigeditor2 as kconfig static check
* d/salsa-ci.yml: Use per-release cache of orig tarballs
* d/bin/gencontrol_signed.py: Add support for pkg.linux.quick profile
* lintian: Add lintian-overrides to linux-signed-* for non-issues
* d/salsa-ci.yml: Don't disable signed code
* d/certs: Add certificate and key to enable test signing in CI
* d/salsa-ci.yml: Add jobs to build and test the signed packages
* d/tests: Remove obsolete dependencies of python test
* d/tests: Add kbuild test that builds a trivial OOT module
* lintian: Update overrides for lintian 2.115
* d/tests: kbuild test case depends on python3
* d/tests: Run kbuild test with default flavour if quick flavour not defined
* d/lib/python/debian_linux/debian.py: Add Architecture field to TestsControl
* d/tests: Restrict kbuild tests to architectures with default or quick
flavour
* d/tests/kbuild: Fix default-flavour lookup for arches with no featuresets
* d/tests/kbuild: Make flavour lookup verbose
* d/lib/python/debian_linux, d/templates: Use variable for binary package
name
* lintian: Update overrides in linux-image-*-dbg for lintian 2.115
* [arm64] lintian: Override errors for vdso32.so in linux-image-*-dbg
* d/salsa-ci.yml: Use !reference to include scripts from common pipeline
* d/salsa-ci.yml: Remove obsolete lintian error suppressions
* d/salsa-ci.yml: Run extract-source job in target release, not unstable
* d/salsa-ci.yml: Set RELEASE to bullseye
* d/config: Delete config settings for removed and automatic symbols
* hyperv-daemons: Add lintian-override for depends-on-obsolete-package
* [rt] Update to 5.10.225-rt117
* [rt] Refresh patches:
- Refresh "locking/rtmutex: Remove output from deadlock detector."
- Refresh "locking/rtmutex: Provide rt_mutex_slowlock_locked()"
- Refresh "locking/rtmutex: add ww_mutex addon for mutex-rt"
* cgroup: Fix locking regression in 5.10.225:
- cgroup: Make operations on the cgroup root_list RCU safe
- cgroup: Move rcu_head up near the top of cgroup_roo
* [x86] Fix CPU matching regression in 5.10.221:
- Input: goodix - use the new soc_intel_is_byt() helper
- powercap: RAPL: fix invalid initialization for pl4_supported field
- x86/mm: Switch to new Intel CPU model defines
* bpf: Fix memory accounting regression in 5.10.214:
- Revert "bpf: Fix DEVMAP_HASH overflow check on 32-bit arches"
- Revert "bpf: Eliminate rlimit-based memory accounting for devmap maps"
- bpf: Fix DEVMAP_HASH overflow check on 32-bit arches
[ Mateusz Ĺukasik ]
* d/salsa-ci.yml: Add linux-compiler-* packages to build-signed job artifacts
[ Martyn Welch ]
* Increase timeout of CI build stage to 3 hours to enable build to complete
[dgit import unpatched linux 5.10.226-1]
projects / linux.git / log