[PATCH 2/3] af_802154: Disable auto-loading as mitigation against local exploits

Forwarded: not-needed

Recent review has revealed several bugs in obscure protocol
implementations that can be exploited by local users for denial of
service or privilege escalation. We can mitigate the effect of any
remaining vulnerabilities in such protocols by preventing unprivileged
users from loading the modules, so that they are only exploitable on
systems where the administrator has chosen to load the protocol.

The 'af_802154' (IEEE 802.15.4) protocol is not widely used, was
not present in the 'lenny' kernel, and seems to receive only sporadic
maintenance. Therefore disable auto-loading.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

Gbp-Pq: Topic debian
Gbp-Pq: Name af_802154-Disable-auto-loading-as-mitigation-against.patch
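
An added example, not part of the Debian patch or changelog: one way to audit the mitigation described in the commit message above is to check whether a whole-family `net-pf-<N>` alias still exists, since that alias is what lets an unprivileged `socket()` call pull a protocol module in through modprobe. The function names are hypothetical, the sample `modules.alias` content is constructed, and family 36 (AF_IEEE802154) with module name `ieee802154_socket` is an assumption of the example.

```shell
#!/bin/sh
# Added example: list socket families that modprobe can auto-load on demand.
# When socket() names a family with no registered handler, the kernel asks
# modprobe for "net-pf-<family>"; only modules declaring that alias load.

# Constructed sample in modules.alias format (not from a real system).
# Assumption: AF_IEEE802154 is family 36 and its module is ieee802154_socket.
SAMPLE_ALIASES='# Aliases extracted from modules themselves.
alias net-pf-10 ipv6
alias net-pf-36 ieee802154_socket
alias net-pf-31 bluetooth
alias net-pf-16-proto-12 nfnetlink
alias pci:v00008086d000010D3sv*sd*bc*sc*i* e1000e'

# autoload_families FILE: print "<family> <module>" per whole-family alias.
# Per-protocol aliases (net-pf-N-proto-M) are skipped: those are requested
# by a family that is already registered.
autoload_families() {
    awk '$1 == "alias" && $2 ~ /^net-pf-[0-9]+$/ {
        sub(/^net-pf-/, "", $2); print $2, $3
    }' "$1" | sort -n
}

# still_autoloadable FILE FAMILY...: print those of the listed families
# that still carry an alias, i.e. where the mitigation is not in effect.
still_autoloadable() {
    file=$1; shift
    for fam in "$@"; do
        autoload_families "$file" | awk -v f="$fam" '$1 == f { print $1, $2 }'
    done
}

# Demo on the constructed sample, before and after the alias is removed
# (dropping the alias line stands in for installing the patched module).
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_ALIASES" > "$tmp"
    echo "before: $(still_autoloadable "$tmp" 36)"
    grep -v ' net-pf-36 ' "$tmp" > "$tmp.patched"
    echo "after:  $(still_autoloadable "$tmp.patched" 36)"
    rm -f "$tmp" "$tmp.patched"
}
demo
```

On a live system the same functions can be pointed at `/lib/modules/$(uname -r)/modules.alias`; an empty result for a family means only an administrator's explicit `modprobe` can load it.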

Tweak gitignore for Debian pkg-kernel using git svn.

Forwarded: not-needed

[bwh: Tweak further for pure git]

Gbp-Pq: Topic debian
Gbp-Pq: Name gitignore.patch
linux (6.1.69-1) bookworm-security; urgency=high
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.68
- hrtimers: Push pending hrtimers away from outgoing CPU earlier
- i2c: designware: Fix corrupted memory seen in the ISR
- netfilter: ipset: fix race condition between swap/destroy and kernel side
add/del/test
- tg3: Move the [rt]x_dropped counters to tg3_napi
- tg3: Increment tx_dropped in tg3_tso_bug()
- kconfig: fix memory leak from range properties
- drm/amdgpu: correct chunk_ptr to a pointer to chunk.
- [x86] Introduce ia32_enabled()
- [amd64] x86/coco: Disable 32-bit emulation by default on TDX and SEV
- [x86] entry: Convert INT 0x80 emulation to IDTENTRY
- [x86] entry: Do not allow external 0x80 interrupts
- [x86] tdx: Allow 32-bit emulation by default
- [x86] platform/x86: asus-wmi: Move i8042 filter install to shared asus-wmi
code
- [powerpc*] of: dynamic: Fix of_reconfig_get_state_change() return value
documentation
- [x86] platform/x86: wmi: Skip blocks with zero instances
- ipv6: fix potential NULL deref in fib6_add()
- hv_netvsc: rndis_filter needs to select NLS
- r8152: Rename RTL8152_UNPLUG to RTL8152_INACCESSIBLE
- r8152: Add RTL8152_INACCESSIBLE checks to more loops
- r8152: Add RTL8152_INACCESSIBLE to r8156b_wait_loading_flash()
- r8152: Add RTL8152_INACCESSIBLE to r8153_pre_firmware_1()
- r8152: Add RTL8152_INACCESSIBLE to r8153_aldps_en()
- arcnet: restoring support for multiple Sohard Arcnet cards
- net: stmmac: fix FPE events losing
- xsk: Skip polling event check for unbound socket
- i40e: Fix unexpected MFS warning message
- iavf: validate tx_coalesce_usecs even if rx_coalesce_usecs is zero
- net: bnxt: fix a potential use-after-free in bnxt_init_tc
- tcp: fix mid stream window clamp.
- ionic: fix snprintf format length warning
- ionic: Fix dim work handling in split interrupt mode
- ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit()
- net: atlantic: Fix NULL dereference of skb pointer in
- [arm64] net: hns: fix wrong head when modify the tx feature when sending
packets
- [arm64] net: hns: fix fake link up on xge port
- netfilter: nft_exthdr: add boolean DCCP option matching
- netfilter: nf_tables: fix 'exist' matching on bigendian arches
- netfilter: nf_tables: bail out on mismatching dynset and set expressions
(CVE-2023-6622)
- netfilter: nf_tables: validate family when identifying table via handle
- netfilter: xt_owner: Fix for unsafe access of sk->sk_socket
- tcp: do not accept ACK of bytes we never sent
- bpf: sockmap, updating the sg structure should also update curr
- psample: Require 'CAP_NET_ADMIN' when joining "packets" group
- drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group
- [arm64] tee: optee: Fix supplicant based device enumeration
- [arm64] RDMA/hns: Fix unnecessary err return when using invalid congest
control algorithm
- RDMA/irdma: Do not modify to SQD on error
- RDMA/irdma: Add wait for suspend on SQD
- [arm64] ASoC: fsl_sai: Fix no frame sync clock issue on i.MX8MP
- RDMA/irdma: Refactor error handling in create CQP
- RDMA/irdma: Fix UAF in irdma_sc_ccq_get_cqe_info()
- [x86] hwmon: (acpi_power_meter) Fix 4.29 MW bug
- [x86] ASoC: wm_adsp: fix memleak in wm_adsp_buffer_populate
- RDMA/core: Fix umem iterator when PAGE_SIZE is greater then HCA pgsz
- RDMA/irdma: Avoid free the non-cqp_request scratch
- [arm64] dts: imx8mq: drop usb3-resume-missing-cas from usb
- [arm64] dts: imx8mp: imx8mq: Add parkmode-disable-ss-quirk on DWC3
- tracing: Fix a warning when allocating buffered events fails
- scsi: be2iscsi: Fix a memleak in beiscsi_init_wrb_handle()
- [armhf] imx: Check return value of devm_kasprintf in imx_mmdc_perf_init
- md: introduce md_ro_state
- md: don't leave 'MD_RECOVERY_FROZEN' in error path of md_set_readonly()
- iommu: Avoid more races around device probe
- [x86] rethook: Use __rcu pointer for rethook::handler
- kprobes: consistent rcu api usage for kretprobe holder
- [x86] ASoC: amd: yc: Fix non-functional mic on ASUS E1504FA
- io_uring/af_unix: disable sending io_uring over sockets (CVE-2023-6531)
- nvme-pci: Add sleep quirk for Kingston drives
- io_uring: fix mutex_unlock with unreferenced ctx
- ALSA: usb-audio: Add Pioneer DJM-450 mixer controls
- ALSA: pcm: fix out-of-bounds in snd_pcm_state_names
- ALSA: hda/realtek: Enable headset on Lenovo M90 Gen5
- ALSA: hda/realtek: add new Framework laptop to quirks
- ALSA: hda/realtek: Add Framework laptop 16 to quirks
- ring-buffer: Test last update in 32bit version of __rb_time_read()
- nilfs2: fix missing error check for sb_set_blocksize call
- nilfs2: prevent WARNING in nilfs_sufile_set_segment_usage()
- cgroup_freezer: cgroup_freezing: Check if not frozen
- checkstack: fix printed address
- tracing: Always update snapshot buffer size
- tracing: Disable snapshot buffer when stopping instance tracers
- tracing: Fix incomplete locking when disabling buffered events
- tracing: Fix a possible race when disabling buffered events
- packet: Move reference count in packet_sock to atomic_long_t
- r8169: fix rtl8125b PAUSE frames blasting when suspended
- regmap: fix bogus error on regcache_sync success
- [x86] platform/surface: aggregator: fix recv_buf() return value
- hugetlb: fix null-ptr-deref in hugetlb_vma_lock_write
- mm: fix oops when filemap_map_pmd() without prealloc_pte
- md/raid6: use valid sector values to determine if an I/O should wait on
the reshape
- [arm*] binder: fix memory leaks of spam and pending work
- [arm64] coresight: etm4x: Make etm4_remove_dev() return void
- [arm64] coresight: etm4x: Remove bogous __exit annotation for some
functions
- hwtracing: hisi_ptt: Add dummy callback pmu::read()
- [x86] misc: mei: client.c: return negative error code in mei_cl_write
- [x86] misc: mei: client.c: fix problem of return '-EOVERFLOW' in
mei_cl_write
- ring-buffer: Force absolute timestamp on discard of event
- tracing: Set actual size after ring buffer resize
- tracing: Stop current tracer when resizing buffer
- perf: Fix perf_event_validate_size() (CVE-2023-6931)
- [x86] sev: Fix kernel crash due to late update to read-only ghcb_version
- gpiolib: sysfs: Fix error handling on failed export
- drm/amdgpu: fix memory overflow in the IB test
- drm/amd/amdgpu: Fix warnings in amdgpu/amdgpu_display.c
- drm/amdgpu: correct the amdgpu runtime dereference usage count
- drm/amdgpu: Update ras eeprom support for smu v13_0_0 and v13_0_10
- drm/amdgpu: Add EEPROM I2C address support for ip discovery
- drm/amdgpu: Remove redundant I2C EEPROM address
- drm/amdgpu: Decouple RAS EEPROM addresses from chips
- drm/amdgpu: Add support for RAS table at 0x40000
- drm/amdgpu: Remove second moot switch to set EEPROM I2C address
- drm/amdgpu: Return from switch early for EEPROM I2C address
- drm/amdgpu: simplify amdgpu_ras_eeprom.c
- drm/amdgpu: Add I2C EEPROM support on smu v13_0_6
- drm/amdgpu: Update EEPROM I2C address for smu v13_0_0
- usb: gadget: f_hid: fix report descriptor allocation
- serial: 8250_dw: Add ACPI ID for Granite Rapids-D UART
- parport: Add support for Brainboxes IX/UC/PX parallel cards
- cifs: Fix non-availability of dedup breaking generic/304
- Revert "xhci: Loosen RPM as default policy to cover for AMD xHC 1.1"
- smb: client: fix potential NULL deref in parse_dfs_referrals()
- usb: typec: class: fix typec_altmode_put_partner to put plugs
- [arm64,armhf] PL011: Fix DMA support
- [arm64] serial: 8250: 8250_omap: Clear UART_HAS_RHR_IT_DIS bit
- [arm64] serial: 8250: 8250_omap: Do not start RX DMA on THRI interrupt
- [arm64] serial: 8250_omap: Add earlycon support for the AM654 UART
controller
- devcoredump: Send uevent once devcd is ready
- [x86] CPU/AMD: Check vendor in the AMD microcode callback
- USB: gadget: core: adjust uevent timing on gadget unbind
- cifs: Fix flushing, invalidation and file size with copy_file_range()
- cifs: Fix flushing, invalidation and file size with FICLONE
- [mips*] kernel: Clear FPU states when setting up kernel threads
(Closes: #1055021)
- [s390x] KVM: s390/mm: Properly reset no-dat
- [x86] KVM: SVM: Update EFER software model on CR0 trap for SEV-ES
- netfilter: nft_set_pipapo: skip inactive elements during set walk
(CVE-2023-6817)
- [x86] drm/i915/display: Drop check for doublescan mode in modevalid
- [x86] drm/i915/lvds: Use REG_BIT() & co.
- [x86] drm/i915/sdvo: stop caching has_hdmi_monitor in struct intel_sdvo
- [x86] drm/i915: Skip some timing checks on BXT/GLK DSI transcoders
https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.69
- [x86] perf/x86/uncore: Don't WARN_ON_ONCE() for a broken discovery table
- r8152: add USB device driver for config selection
- r8152: add vendor/device ID pair for D-Link DUB-E250
- r8152: add vendor/device ID pair for ASUS USB-C2500
- [powerpc*] ftrace: Fix stack teardown in ftrace_no_trace
- ext4: fix warning in ext4_dio_write_end_io()
- ksmbd: fix memory leak in smb2_lock()
- afs: Fix refcount underflow from error handling race (Closes: #1052304)
- HID: lenovo: Restrict detection of patched firmware only to USB cptkbd
(Closes: #1058758)
- net/mlx5e: Fix possible deadlock on mlx5e_tx_timeout_work
- net: ipv6: support reporting otherwise unknown prefix flags in
RTM_NEWPREFIX
- bnxt_en: Clear resource reservation during resume
- bnxt_en: Save ring error counters across reset
- bnxt_en: Fix wrong return value check in bnxt_close_nic()
- bnxt_en: Fix HWTSTAMP_FILTER_ALL packet timestamp logic
- atm: solos-pci: Fix potential deadlock on &cli_queue_lock
- atm: solos-pci: Fix potential deadlock on &tx_queue_lock
- net: vlan: introduce skb_vlan_eth_hdr()
- net: fec: correct queue selection
- atm: Fix Use-After-Free in do_vcc_ioctl (CVE-2023-51780)
- net/rose: Fix Use-After-Free in rose_ioctl (CVE-2023-51782)
- iavf: Introduce new state machines for flow director
- iavf: Handle ntuple on/off based on new state machines for flow director
- qed: Fix a potential use-after-free in qed_cxt_tables_alloc
- net: Remove acked SYN flag from packet in the transmit queue correctly
- net: ena: Destroy correct number of xdp queues upon failure
- net: ena: Fix xdp drops handling due to multibuf packets
- net: ena: Fix XDP redirection error
- sign-file: Fix incorrect return values check
- vsock/virtio: Fix unsigned integer wrap around in
virtio_transport_has_space()
- net: stmmac: Handle disabled MDIO busses from devicetree
- appletalk: Fix Use-After-Free in atalk_ioctl (CVE-2023-51781)
- net: atlantic: fix double free in ring reinit logic
- cred: switch to using atomic_long_t
- fuse: dax: set fc->dax to NULL in fuse_dax_conn_free()
- ALSA: hda/hdmi: add force-connect quirk for NUC5CPYB
- ALSA: hda/hdmi: add force-connect quirks for ASUSTeK Z170 variants
- ALSA: hda/realtek: Apply mute LED quirk for HP15-db
- Revert "PCI: acpiphp: Reassign resources on bridge if necessary"
- [mips*] PCI: loongson: Limit MRRS to 256 (Closes: #1035587)
- ksmbd: fix wrong name of SMB2_CREATE_ALLOCATION_SIZE
- [x86] hyperv: Fix the detection of E820_TYPE_PRAM in a Gen2 VM
- usb: aqc111: check packet for fixup for true limit
- blk-throttle: fix lockdep warning of "cgroup_mutex or RCU read lock
required!"
- blk-cgroup: bypass blkcg_deactivate_policy after destroying
- bcache: avoid oversize memory allocation by small stripe_size
- bcache: remove redundant assignment to variable cur_idx
- bcache: add code comments for bch_btree_node_get() and
__bch_btree_node_alloc()
- bcache: avoid NULL checking to c->root in run_cache_set()
- nbd: fold nbd config initialization into nbd_alloc_config()
- nvme-auth: set explanation code for failure2 msgs
- nvme: catch errors from nvme_configure_metadata()
- [x86] platform/x86: intel_telemetry: Fix kernel doc descriptions
- HID: glorious: fix Glorious Model I HID report
- HID: add ALWAYS_POLL quirk for Apple kb
- nbd: pass nbd_sock to nbd_read_reply() instead of index
- HID: hid-asus: reset the backlight brightness level on resume
- HID: multitouch: Add quirk for HONOR GLO-GXXX touchpad
- asm-generic: qspinlock: fix queued_spin_value_unlocked() implementation
- net: usb: qmi_wwan: claim interface 4 for ZTE MF290
- [arm64] add dependency between vmlinuz.efi and Image
- HID: hid-asus: add const to read-only outgoing usb buffer
- perf: Fix perf_event_validate_size() lockdep splat
- btrfs: do not allow non subvolume root targets for snapshot
- soundwire: stream: fix NULL pointer dereference for multi_link
- ext4: prevent the normalized size from exceeding EXT_MAX_BLOCKS
- [arm64] mm: Always make sw-dirty PTEs hw-dirty in pte_modify
- team: Fix use-after-free when an option instance allocation fails
- drm/amdgpu/sdma5.2: add begin/end_use ring callbacks
- dmaengine: stm32-dma: avoid bitfield overflow assertion
- mm/mglru: fix underprotected page cache
- mm/shmem: fix race in shmem_undo_range w/THP
- btrfs: free qgroup reserve when ORDERED_IOERR is set
- btrfs: don't clear qgroup reserved bit in release_folio
- drm/amdgpu: fix tear down order in amdgpu_vm_pt_free
- drm/amd/display: Disable PSR-SU on Parade 0803 TCON again
- [x86] drm/i915: Fix remapped stride with CCS on ADL+
- smb: client: fix OOB in receive_encrypted_standard()
- smb: client: fix NULL deref in asn1_ber_decoder()
- smb: client: fix OOB in smb2_query_reparse_point()
- ring-buffer: Fix memory leak of free page
- tracing: Update snapshot buffer on resize if it is allocated
- ring-buffer: Do not update before stamp when switching sub-buffers
- ring-buffer: Have saved event hold the entire event
- ring-buffer: Fix writing to the buffer with max_data_size
- ring-buffer: Fix a race in rb_time_cmpxchg() for 32 bit archs
- ring-buffer: Do not try to put back write_stamp
- ring-buffer: Have rb_time_cmpxchg() set the msb counter too
- net: tls, update curr on splice as well
- r8152: avoid to change cfg for all devices
- r8152: remove rtl_vendor_mode function
- r8152: fix the autosuspend doesn't work
[ Salvatore Bonaccorso ]
* Bump ABI to 17
* [rt] Update to 6.1.69-rt21
* [arm64] drivers/vfio: Don't enable VFIO_NOIOMMU.
This is a breach of the integrity lockdown requirement of secure boot
and thus cannot be enabled.
Thanks to Bastian Blank and Ben Hutchings
* Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg
(CVE-2023-51779)
* netfilter: nf_tables: skip set commit for deleted/destroyed sets
* Revert "scsi: aacraid: Reply queue mapping to CPUs based on IRQ affinity"
(Closes: #1059624)
[dgit import unpatched linux 6.1.69-1]