Ubuntu
linux package

Focal update: v5.4.250 upstream stable release

Bug #2033297 reported by Roxana Nicolescu on 2023-08-28

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Invalid	Undecided	Unassigned
	Focal	Fix Released	Medium	Roxana Nicolescu

Bug Description

SRU Justification

    Impact:
       The upstream process for stable tree updates is quite similar
       in scope to the Ubuntu SRU process, e.g., each patch has to
       demonstrably fix a bug, and each patch is vetted by upstream
       by originating either directly from a mainline/stable Linux tree or
       a minimally backported form of that patch. The following upstream
       stable patches should be included in the Ubuntu kernel:

v5.4.250 upstream stable release

Note: This patch set (v5.4.250) consisted of 4 patches, but 2 of them were
already applied to focal.

from git://git.kernel.org/

x86/microcode/AMD: Load late on both threads too
Linux 5.4.250
UBUNTU: Upstream stable to v5.4.250

See original description

Tags:

CVE References

Roxana Nicolescu (roxanan) on 2023-08-28

Changed in linux (Ubuntu):
status:	New → Confirmed
tags:	added: kernel-stable-tracking-bug
Changed in linux (Ubuntu):
status:	Confirmed → Invalid
Changed in linux (Ubuntu Focal):
status:	New → In Progress
importance:	Undecided → Medium
assignee:	nobody → Roxana Nicolescu (roxanan)
description:	updated

Roxana Nicolescu (roxanan) on 2023-08-28

description:

updated

Stefan Bader (smb) on 2023-09-15

Changed in linux (Ubuntu Focal):
status:	In Progress → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2023-10-30:

Download full text (26.1 KiB)

This bug was fixed in the package linux - 5.4.0-166.183

---------------
linux (5.4.0-166.183) focal; urgency=medium

* focal/linux: 5.4.0-166.183 -proposed tracker (LP: #2038010)

  * Use new annotations model (LP: #2019000)
    - [Packaging] new annotations model infrastructure
    - [Packaging] config-check: Handle new annotations format 4
    - [Packaging] rules: Use old-kernelconfig for old configs
    - [Config] sanitize annotations
    - [Config] import generated configs into annotation file
    - [Packaging] kernelconfig: add i386 as supported arch
    - [Config] Remove all old configs files

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts
    - [Packaging] update annotations scripts

  * fix typo in config-checks invocation (LP: #2020413)
    - [Packaging] fix typo when calling the old config-check
    - [Packaging] fix typo in 4-checks.mk

* support python < 3.9 with annotations (LP: #2020531)
- [Packaging] kconfig/annotations.py: support older way of merging dicts

* CVE-2023-42756
- netfilter: ipset: Fix race between IPSET_CMD_CREATE and IPSET_CMD_SWAP

* CVE-2023-4623
- net/sched: sch_hfsc: Ensure inner classes have fsc curve

  * Focal update: v5.4.252 upstream stable release (LP: #2036240)
    - ia64/cpu: Switch to arch_cpu_finalize_init()
    - m68k/cpu: Switch to arch_cpu_finalize_init()
    - mips/cpu: Switch to arch_cpu_finalize_init()
    - sh/cpu: Switch to arch_cpu_finalize_init()
    - x86/cpufeatures: Add SEV-ES CPU feature
    - x86/cpu: Add VM page flush MSR availablility as a CPUID feature
    - x86/cpufeatures: Assign dedicated feature word for CPUID_0x8000001F[EAX]
    - tools headers cpufeatures: Sync with the kernel sources
    - x86/cpu, kvm: Add support for CPUID_80000021_EAX
    - Linux 5.4.252
    - Upstream stable to v5.4.252

  * CVE-2023-42755
    - net/sched: Retire rsvp classifier
    - [Config] remove NET_CLS_RSVP and NET_CLS_RSVP6

  * CVE-2023-42753
    - netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for
      ip_set_hash_netportnet.c

* CVE-2023-34319
- xen/netback: Fix buffer overrun triggered by unusual packet

* CVE-2023-4921
- net: sched: sch_qfq: Fix UAF in qfq_dequeue()

* CVE-2023-42752
- igmp: limit igmpv3_newpack() packet size to IP_MAX_MTU

* Avoid address overwrite in kernel_connect (LP: #2035163)
- net: Avoid address overwrite in kernel_connect

  * [regression] Unable to initialize SGX enclaves with XFRM other than 3
    (LP: #2034745)
    - x86/fpu: Set X86_FEATURE_OSXSAVE feature after enabling OSXSAVE in CR4

* CVE-2023-4881
- netfilter: nftables: exthdr: fix 4-byte stack OOB write

* CVE-2023-4622
- af_unix: Fix null-ptr-deref in unix_stream_sendpage().

This bug was fixed in the package linux - 5.4.0-166.183

---------------
linux (5.4.0-166.183) focal; urgency=medium

* focal/linux: 5.4.0-166.183 -proposed tracker (LP: #2038010)

* Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts
    - [Packaging] update annotations scripts

* fix typo in config-checks invocation (LP: #2020413)
    - [Packaging] fix typo when calling the old config-check
    - [Packaging] fix typo in 4-checks.mk

* support python < 3.9 with annotations (LP: #2020531)
    - [Packaging] kconfig/annotations.py: support older way of merging dicts

* CVE-2023-42756
    - netfilter: ipset: Fix race between IPSET_CMD_CREATE and IPSET_CMD_SWAP

* CVE-2023-4623
    - net/sched: sch_hfsc: Ensure inner classes have fsc curve

* CVE-2023-42755
    - net/sched: Retire rsvp classifier
    - [Config] remove NET_CLS_RSVP and NET_CLS_RSVP6

* CVE-2023-42753
    - netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for
      ip_set_hash_netportnet.c

* CVE-2023-34319
    - xen/netback: Fix buffer overrun triggered by unusual packet

* CVE-2023-4921
    - net: sched: sch_qfq: Fix UAF in qfq_dequeue()

* CVE-2023-42752
    - igmp: limit igmpv3_newpack() packet size to IP_MAX_MTU

* Avoid address overwrite in kernel_connect (LP: #2035163)
    - net: Avoid address overwrite in kernel_connect

* [regression] Unable to initialize SGX enclaves with XFRM other than 3
    (LP: #2034745)
    - x86/fpu: Set X86_FEATURE_OSXSAVE feature after enabling OSXSAVE in CR4

* CVE-2023-4881
    - netfilter: nftables: exthdr: fix 4-byte stack OOB write

* CVE-2023-4622
    - af_unix: Fix null-ptr-deref in unix_stream_sendpage().

* Focal update: v5.4.251 upstream stable release (LP: #2034918)
    - x86/smp: Use dedicated cache-line for mwait_play_dead()
    - video: imsttfb: check for ioremap() failures
    - fbdev: imsttfb: Fix use after free bug in imsttfb_probe
    - HID: wacom: Use ktime_t rather than int when dealing with timestamps
    - drm/i915: Initialise outparam for error return from wait_for_register
    - scripts/tags.sh: Resolve gtags empty index generation
    - drm/amdgpu: Validate VM ioctl flags.
    - bgmac: fix *initial* chip reset to support BCM5358
    - x86/resctrl: Use is_closid_match() in more places
    - x86/resctrl: Only show tasks' pid in current pid namespace
    - md/raid10: check slab-out-of-bounds in md_bitmap_get_counter
    - md/raid10: fix overflow of md/safe_mode_delay
    - md/raid10: fix wrong setting of max_corr_read_errors
    - md/raid10: fix null-ptr-deref of mreplace in raid10_sync_request
    - md/raid10: fix io loss while replacement replace rdev
    - irqchip/jcore-aic: Kill use of irq_create_strict_mappings()
    - irqchip/jcore-aic: Fix missing allocation of IRQ descriptors
    - tracing/timer: Add missing hrtimer modes to decode_hrtimer_mode().
    - clocksource/drivers/cadence-ttc: Use ttc driver as platform driver
    - clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe
    - PM: domains: fix integer overflow issues in genpd_parse_state()
    - powercap: RAPL: Fix CONFIG_IOSF_MBI dependency
    - ARM: 9303/1: kprobes: avoid missing-declaration warnings
    - evm: Complete description of evm_inode_setattr()
    - pstore/ram: Add check for kstrdup
    - ima: Fix build warnings
    - wifi: ath9k: fix AR9003 mac hardware hang check register offset calculation
    - wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx
    - samples/bpf: Fix buffer overflow in tcp_basertt
    - spi: spi-geni-qcom: Correct CS_TOGGLE bit in SPI_TRANS_CFG
    - wifi: mwifiex: Fix the size of a memory allocation in
      mwifiex_ret_802_11_scan()
    - nfc: constify several pointers to u8, char and sk_buff
    - nfc: llcp: fix possible use of uninitialized variable in
      nfc_llcp_send_connect()
    - regulator: core: Fix more error checking for debugfs_create_dir()
    - regulator: core: Streamline debugfs operations
    - wifi: orinoco: Fix an error handling path in spectrum_cs_probe()
    - wifi: orinoco: Fix an error handling path in orinoco_cs_probe()
    - wifi: atmel: Fix an error handling path in atmel_probe()
    - wl3501_cs: Fix a bunch of formatting issues related to function docs
    - wl3501_cs: Remove unnecessary NULL check
    - wl3501_cs: Fix misspelling and provide missing documentation
    - net: create netdev->dev_addr assignment helpers
    - wl3501_cs: use eth_hw_addr_set()
    - wifi: wl3501_cs: Fix an error handling path in wl3501_probe()
    - wifi: ray_cs: Utilize strnlen() in parse_addr()
    - wifi: ray_cs: Drop useless status variable in parse_addr()
    - wifi: ray_cs: Fix an error handling path in ray_probe()
    - wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes
    - wifi: rsi: Do not set MMC_PM_KEEP_POWER in shutdown
    - watchdog/perf: define dummy watchdog_update_hrtimer_threshold() on correct
      config
    - watchdog/perf: more properly prevent false positives with turbo modes
    - kexec: fix a memory leak in crash_shrink_memory()
    - memstick r592: make memstick_debug_get_tpc_name() static
    - wifi: ath9k: Fix possible stall on ath9k_txq_list_has_key()
    - rtnetlink: extend RTEXT_FILTER_SKIP_STATS to IFLA_VF_INFO
    - wifi: iwlwifi: pull from TXQs with softirqs disabled
    - wifi: cfg80211: rewrite merging of inherited elements
    - wifi: ath9k: convert msecs to jiffies where needed
    - netlink: fix potential deadlock in netlink_set_err()
    - netlink: do not hard code device address lenth in fdb dumps
    - selftests: rtnetlink: remove netdevsim device after ipsec offload test
    - gtp: Fix use-after-free in __gtp_encap_destroy().
    - lib/ts_bm: reset initial match offset for every block of text
    - netfilter: conntrack: dccp: copy entire header to stack buffer, not just
      basic one
    - netfilter: nf_conntrack_sip: fix the ct_sip_parse_numerical_param() return
      value.
    - ipvlan: Fix return value of ipvlan_queue_xmit()
    - netlink: Add __sock_i_ino() for __netlink_diag_dump().
    - radeon: avoid double free in ci_dpm_init()
    - Input: drv260x - sleep between polling GO bit
    - ARM: dts: BCM5301X: Drop "clock-names" from the SPI node
    - Input: adxl34x - do not hardcode interrupt trigger type
    - drm: sun4i_tcon: use devm_clk_get_enabled in `sun4i_tcon_init_clocks`
    - RDMA/bnxt_re: Fix to remove an unnecessary log
    - ARM: dts: gta04: Move model property out of pinctrl node
    - arm64: dts: qcom: msm8916: correct camss unit address
    - drm/panel: simple: fix active size for Ampire AM-480272H3TMQW-T01H
    - ARM: ep93xx: fix missing-prototype warnings
    - memory: brcmstb_dpfe: fix testing array offset after use
    - ASoC: es8316: Increment max value for ALC Capture Target Volume control
    - ASoC: es8316: Do not set rate constraints for unsupported MCLKs
    - soc/fsl/qe: fix usb.c build errors
    - IB/hfi1: Fix sdma.h tx->num_descs off-by-one errors
    - arm64: dts: renesas: ulcb-kf: Remove flow control for SCIF1
    - fbdev: omapfb: lcd_mipid: Fix an error handling path in mipid_spi_probe()
    - drm/amdkfd: Fix potential deallocation of previously deallocated memory.
    - drm/radeon: fix possible division-by-zero errors
    - clk: tegra: tegra124-emc: Fix potential memory leak
    - ALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer
    - clk: cdce925: check return value of kasprintf()
    - clk: keystone: sci-clk: check return value of kasprintf()
    - ASoC: imx-audmix: check return value of devm_kasprintf()
    - scsi: qedf: Fix NULL dereference in error handling
    - PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free
    - scsi: 3w-xxxx: Add error handling for initialization failure in tw_probe()
    - PCI: pciehp: Cancel bringup sequence if card is not present
    - PCI: ftpci100: Release the clock resources
    - PCI: Add pci_clear_master() stub for non-CONFIG_PCI
    - pinctrl: cherryview: Return correct value if pin in push-pull mode
    - perf dwarf-aux: Fix off-by-one in die_get_varname()
    - pinctrl: at91-pio4: check return value of devm_kasprintf()
    - powerpc/mm/dax: Fix the condition when checking if altmap vmemap can cross-
      boundary
    - hwrng: virtio - add an internal buffer
    - hwrng: virtio - don't wait on cleanup
    - hwrng: virtio - don't waste entropy
    - hwrng: virtio - always add a pending request
    - hwrng: virtio - Fix race on data_avail and actual data
    - crypto: nx - fix build warnings when DEBUG_FS is not enabled
    - modpost: fix section mismatch message for R_ARM_ABS32
    - modpost: fix section mismatch message for R_ARM_{PC24,CALL,JUMP24}
    - crypto: marvell/cesa - Fix type mismatch warning
    - modpost: fix off by one in is_executable_section()
    - ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ guard
    - NFSv4.1: freeze the session table upon receiving NFS4ERR_BADSESSION
    - hwrng: st - Fix W=1 unused variable warning
    - hwrng: st - keep clock enabled while hwrng is registered
    - USB: serial: option: add LARA-R6 01B PIDs
    - usb: dwc3: gadget: Propagate core init errors to UDC during pullup
    - block: fix signed int overflow in Amiga partition support
    - block: change all __u32 annotations to __be32 in affs_hardblocks.h
    - w1: fix loop in w1_fini()
    - sh: j2: Use ioremap() to translate device tree address into kernel memory
    - media: usb: Check az6007_read() return value
    - media: videodev2.h: Fix struct v4l2_input tuner index comment
    - usb: dwc3: qcom: Fix potential memory leak
    - extcon: Fix kernel doc of property fields to avoid warnings
    - extcon: Fix kernel doc of property capability fields to avoid warnings
    - usb: phy: phy-tahvo: fix memory leak in tahvo_usb_probe()
    - usb: hide unused usbfs_notify_suspend/resume functions
    - mfd: rt5033: Drop rt5033-battery sub-device
    - KVM: s390: fix KVM_S390_GET_CMMA_BITS for GFNs in memslot holes
    - usb: dwc3: qcom: Release the correct resources in dwc3_qcom_remove()
    - mfd: intel-lpss: Add missing check for platform_get_resource
    - serial: 8250_omap: Use force_suspend and resume for system suspend
    - mfd: stmfx: Fix error path in stmfx_chip_init
    - KVM: s390: vsie: fix the length of APCB bitmap
    - mfd: stmpe: Only disable the regulators if they are enabled
    - pwm: imx-tpm: force 'real_period' to be zero in suspend
    - pwm: sysfs: Do not apply state to already disabled PWMs
    - rtc: st-lpc: Release some resources in st_rtc_probe() in case of error
    - sctp: fix potential deadlock on &net->sctp.addr_wq_lock
    - Add MODULE_FIRMWARE() for FIRMWARE_TG357766.
    - spi: bcm-qspi: return error if neither hif_mspi nor mspi is available
    - mailbox: ti-msgmgr: Fill non-message tx data fields with 0x0
    - f2fs: fix error path handling in truncate_dnode()
    - powerpc: allow PPC_EARLY_DEBUG_CPM only when SERIAL_CPM=y
    - net: bridge: keep ports without IFF_UNICAST_FLT in BR_PROMISC mode
    - tcp: annotate data races in __tcp_oow_rate_limited()
    - xsk: Improve documentation for AF_XDP
    - xsk: Honor SO_BINDTODEVICE on bind
    - net/sched: act_pedit: Add size check for TCA_PEDIT_PARMS_EX
    - net: dsa: tag_sja1105: fix MAC DA patching from meta frames
    - sh: dma: Fix DMA channel offset calculation
    - i2c: xiic: Defer xiic_wakeup() and __xiic_start_xfer() in xiic_process()
    - i2c: xiic: Don't try to handle more interrupt events after error
    - ALSA: jack: Fix mutex call in snd_jack_report()
    - NFSD: add encoding of op_recall flag for write delegation
    - mmc: core: disable TRIM on Kingston EMMC04G-M627
    - mmc: core: disable TRIM on Micron MTFC4GACAJCN-1M
    - mmc: sdhci: fix DMA configure compatibility issue when 64bit DMA mode is
      used.
    - bcache: Remove unnecessary NULL point check in node allocations
    - integrity: Fix possible multiple allocation in integrity_inode_get()
    - jffs2: reduce stack usage in jffs2_build_xattr_subsystem()
    - fs: avoid empty option when generating legacy mount string
    - ext4: Remove ext4 locking of moved directory
    - Revert "f2fs: fix potential corruption when moving a directory"
    - fs: Establish locking order for unrelated directories
    - fs: Lock moved directories
    - btrfs: fix race when deleting quota root from the dirty cow roots list
    - ARM: orion5x: fix d2net gpio initialization
    - fs: no need to check source
    - fanotify: disallow mount/sb marks on kernel internal pseudo fs
    - block: add overflow checks for Amiga partition support
    - netfilter: nf_tables: fix nat hook table deletion
    - netfilter: nftables: add helper function to set the base sequence number
    - netfilter: add helper function to set up the nfnetlink header and use it
    - netfilter: nf_tables: use net_generic infra for transaction data
    - netfilter: nf_tables: add rescheduling points during loop detection walks
    - netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound
      set/chain
    - netfilter: nf_tables: reject unbound anonymous set before commit phase
    - netfilter: nf_tables: unbind non-anonymous set if rule construction fails
    - netfilter: nf_tables: fix scheduling-while-atomic splat
    - netfilter: conntrack: Avoid nf_ct_helper_hash uses after free
    - tty: serial: fsl_lpuart: add earlycon for imx8ulp platform
    - block/partition: fix signedness issue for Amiga partitions
    - net: lan743x: Don't sleep in atomic context
    - workqueue: clean up WORK_* constant types, clarify masking
    - drm/panel: Initialise panel dev and funcs through drm_panel_init()
    - drm/panel: Add and fill drm_panel type field
    - drm/panel: simple: Add connector_type for innolux_at043tn24
    - igc: Remove delay during TX ring configuration
    - igc: set TP bit in 'supported' and 'advertising' fields of
      ethtool_link_ksettings
    - scsi: qla2xxx: Fix error code in qla2x00_start_sp()
    - net: mvneta: fix txq_map in case of txq_number==1
    - ionic: improve irq numa locality
    - ionic: clean irq affinity on queue deinit
    - ionic: move irq request to qcq alloc
    - ionic: ionic_intr_free parameter change
    - ionic: remove WARN_ON to prevent panic_on_warn
    - icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in icmp6_dev().
    - udp6: fix udp6_ehashfn() typo
    - ntb: idt: Fix error handling in idt_pci_driver_init()
    - NTB: amd: Fix error handling in amd_ntb_pci_driver_init()
    - ntb: intel: Fix error handling in intel_ntb_pci_driver_init()
    - NTB: ntb_transport: fix possible memory leak while device_register() fails
    - NTB: ntb_tool: Add check for devm_kcalloc
    - ipv6/addrconf: fix a potential refcount underflow for idev
    - platform/x86: wmi: Replace UUID redefinitions by their originals
    - platform/x86: wmi: Fix indentation in some cases
    - platform/x86: wmi: remove unnecessary argument
    - platform/x86: wmi: use guid_t and guid_equal()
    - platform/x86: wmi: move variables
    - platform/x86: wmi: Break possible infinite loop when parsing GUID
    - erofs: avoid infinite loop in z_erofs_do_read_page() when reading beyond EOF
    - wifi: airo: avoid uninitialized warning in airo_get_rate()
    - cls_flower: Add extack support for src and dst port range options
    - net/sched: flower: Ensure both minimum and maximum ports are specified
    - net/sched: make psched_mtu() RTNL-less safe
    - pinctrl: amd: Fix mistake in handling clearing pins at startup
    - pinctrl: amd: Detect internal GPIO0 debounce handling
    - pinctrl: amd: Only use special debounce behavior for GPIO 0
    - tpm: tpm_vtpm_proxy: fix a race condition in /dev/vtpmx creation
    - mtd: rawnand: meson: fix unaligned DMA buffers handling
    - net: bcmgenet: Ensure MDIO unregistration has clocks enabled
    - powerpc: Fail build if using recordmcount with binutils v2.37
    - misc: fastrpc: Create fastrpc scalar with correct buffer count
    - SUNRPC: Fix UAF in svc_tcp_listen_data_ready()
    - erofs: fix compact 4B support for 16k block size
    - ext4: fix wrong unit use in ext4_mb_clear_bb
    - ext4: only update i_reserved_data_blocks on successful block allocation
    - jfs: jfs_dmap: Validate db_l2nbperpage while mounting
    - PCI/PM: Avoid putting EloPOS E2/S2/H2 PCIe Ports in D3cold
    - PCI: Add function 1 DMA alias quirk for Marvell 88SE9235
    - PCI: qcom: Disable write access to read only registers for IP v2.3.3
    - PCI: rockchip: Assert PCI Configuration Enable bit after probe
    - PCI: rockchip: Write PCI Device ID to correct register
    - PCI: rockchip: Add poll and timeout to wait for PHY PLLs to be locked
    - PCI: rockchip: Fix legacy IRQ generation for RK3399 PCIe endpoint core
    - PCI: rockchip: Use u32 variable to access 32-bit registers
    - PCI: rockchip: Set address alignment for endpoint mode
    - misc: pci_endpoint_test: Free IRQs before removing the device
    - misc: pci_endpoint_test: Re-init completion for every test
    - md/raid0: add discard support for the 'original' layout
    - fs: dlm: return positive pid value for F_GETLK
    - drm/atomic: Allow vblank-enabled + self-refresh "disable"
    - drm/rockchip: vop: Leave vblank enabled in self-refresh
    - serial: atmel: don't enable IRQs prematurely
    - firmware: stratix10-svc: Fix a potential resource leak in
      svc_create_memory_pool()
    - hwrng: imx-rngc - fix the timeout for init and self check
    - ceph: don't let check_caps skip sending responses for revoke msgs
    - meson saradc: fix clock divider mask length
    - Revert "8250: add support for ASIX devices with a FIFO bug"
    - tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() in
      case of error
    - tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() when
      iterating clk
    - tracing/histograms: Add histograms to hist_vars if they have referenced
      variables
    - ring-buffer: Fix deadloop issue on reading trace_pipe
    - xtensa: ISS: fix call to split_if_spec
    - tracing: Fix null pointer dereference in tracing_err_log_open()
    - tracing/probes: Fix not to count error code to total length
    - scsi: qla2xxx: Wait for io return on terminate rport
    - scsi: qla2xxx: Fix potential NULL pointer dereference
    - scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport()
    - scsi: qla2xxx: Correct the index of array
    - scsi: qla2xxx: Pointer may be dereferenced
    - scsi: qla2xxx: Remove unused nvme_ls_waitq wait queue
    - drm/atomic: Fix potential use-after-free in nonblocking commits
    - perf probe: Add test for regression introduced by switch to
      die_get_decl_file()
    - btrfs: fix warning when putting transaction with qgroups enabled after abort
    - fuse: revalidate: don't invalidate if interrupted
    - selftests: tc: set timeout to 15 minutes
    - can: bcm: Fix UAF in bcm_proc_show()
    - drm/client: Fix memory leak in drm_client_target_cloned
    - drm/client: Fix memory leak in drm_client_modeset_probe
    - ext4: correct inline offset when handling xattrs in inode body
    - debugobjects: Recheck debug_objects_enabled before reporting
    - nbd: Add the maximum limit of allocated index in nbd_dev_add
    - md: fix data corruption for raid456 when reshape restart while grow up
    - md/raid10: prevent soft lockup while flush writes
    - posix-timers: Ensure timer ID search-loop limit is valid
    - arm64: mm: fix VA-range sanity check
    - sched/fair: Don't balance task to its current running CPU
    - bpf: Address KCSAN report on bpf_lru_list
    - devlink: report devlink_port_type_warn source device
    - wifi: wext-core: Fix -Wstringop-overflow warning in
      ioctl_standard_iw_point()
    - wifi: iwlwifi: mvm: avoid baid size integer overflow
    - igb: Fix igb_down hung on surprise removal
    - spi: bcm63xx: fix max prepend length
    - fbdev: imxfb: warn about invalid left/right margin
    - pinctrl: amd: Use amd_pinconf_set() for all config options
    - net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field()/cpsw_ale_set_field()
    - iavf: Fix use-after-free in free_netdev
    - net:ipv6: check return value of pskb_trim()
    - Revert "tcp: avoid the lookup process failing to get sk in ehash table"
    - fbdev: au1200fb: Fix missing IRQ check in au1200fb_drv_probe
    - llc: Don't drop packet from non-root netns.
    - netfilter: nf_tables: fix spurious set element insertion failure
    - netfilter: nf_tables: can't schedule in nft_chain_validate
    - tcp: annotate data-races around tp->tcp_tx_delay
    - net: Replace the limit of TCP_LINGER2 with TCP_FIN_TIMEOUT_MAX
    - tcp: annotate data-races around tp->linger2
    - tcp: annotate data-races around rskq_defer_accept
    - tcp: annotate data-races around tp->notsent_lowat
    - tcp: annotate data-races around fastopenq.max_qlen
    - tracing/histograms: Return an error if we fail to add histogram to hist_vars
      list
    - Linux 5.4.251

* Focal update: v5.4.250 upstream stable release (LP: #2033297)
    - x86/microcode/AMD: Load late on both threads too
    - Linux 5.4.250

* Focal update: v5.4.249 upstream stable release (LP: #2033278)
    - nilfs2: reject devices with insufficient block count
    - mm: rewrite wait_on_page_bit_common() logic
    - list: add "list_del_init_careful()" to go with "list_empty_careful()"
    - epoll: ep_autoremove_wake_function should use list_del_init_careful
    - tracing: Add tracing_reset_all_online_cpus_unlocked() function
    - x86/purgatory: remove PGO flags
    - tick/common: Align tick period during sched_timer setup
    - media: dvbdev: Fix memleak in dvb_register_device
    - media: dvbdev: fix error logic at dvb_register_device()
    - media: dvb-core: Fix use-after-free due to race at dvb_register_device()
    - nilfs2: fix buffer corruption due to concurrent device reads
    - Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present CPUs
    - PCI: hv: Fix a race condition bug in hv_pci_query_relations()
    - cgroup: Do not corrupt task iteration when rebinding subsystem
    - mmc: meson-gx: remove redundant mmc_request_done() call from irq context
    - ip_tunnels: allow VXLAN/GENEVE to inherit TOS/TTL from VLAN
    - writeback: fix dereferencing NULL mapping->host on writeback_page_template
    - nilfs2: prevent general protection fault in nilfs_clear_dirty_page()
    - cifs: Clean up DFS referral cache
    - cifs: Get rid of kstrdup_const()'d paths
    - cifs: Introduce helpers for finding TCP connection
    - cifs: Merge is_path_valid() into get_normalized_path()
    - cifs: Fix potential deadlock when updating vol in cifs_reconnect()
    - x86/mm: Avoid using set_pgd() outside of real PGD pages
    - ieee802154: hwsim: Fix possible memory leaks
    - xfrm: Linearize the skb after offloading if needed.
    - net: qca_spi: Avoid high load if QCA7000 is not available
    - mmc: mtk-sd: fix deferred probing
    - mmc: mvsdio: convert to devm_platform_ioremap_resource
    - mmc: mvsdio: fix deferred probing
    - mmc: omap: fix deferred probing
    - mmc: omap_hsmmc: fix deferred probing
    - mmc: sdhci-acpi: fix deferred probing
    - mmc: sh_mmcif: fix deferred probing
    - mmc: usdhi60rol0: fix deferred probing
    - ipvs: align inner_mac_header for encapsulation
    - net: dsa: mt7530: fix trapping frames on non-MT7621 SoC MT7530 switch
    - be2net: Extend xmit workaround to BE3 chip
    - netfilter: nf_tables: disallow element updates of bound anonymous sets
    - netfilter: nfnetlink_osf: fix module autoload
    - Revert "net: phy: dp83867: perform soft reset and retain established link"
    - sch_netem: acquire qdisc lock in netem_change()
    - scsi: target: iscsi: Prevent login threads from racing between each other
    - HID: wacom: Add error check to wacom_parse_and_register()
    - arm64: Add missing Set/Way CMO encodings
    - media: cec: core: don't set last_initiator if tx in progress
    - nfcsim.c: Fix error checking for debugfs_create_dir
    - usb: gadget: udc: fix NULL dereference in remove()
    - s390/cio: unregister device when the only path is gone
    - ASoC: nau8824: Add quirk to active-high jack-detect
    - ARM: dts: Fix erroneous ADS touchscreen polarities
    - drm/exynos: vidi: fix a wrong error return
    - drm/exynos: fix race condition UAF in exynos_g2d_exec_ioctl
    - drm/radeon: fix race condition UAF in radeon_gem_set_domain_ioctl
    - x86/apic: Fix kernel panic when booting with intremap=off and x2apic_phys
    - i2c: imx-lpi2c: fix type char overflow issue when calculating the clock
      cycle
    - mm: fix VM_BUG_ON(PageTail) and BUG_ON(PageWriteback)
    - mm: make wait_on_page_writeback() wait for multiple pending writebacks
    - Linux 5.4.249

* allow io_uring to be disabled in runtime (LP: #2035116)
    - io_uring: add a sysctl to disable io_uring system-wide

* CVE-2023-31083
    - Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in HCIUARTGETPROTO

* CVE-2023-4132
    - media: usb: siano: Fix warning due to null work_func_t function pointer

* CVE-2023-3772
    - xfrm: add NULL check in xfrm_update_ae_params

* CVE-2023-0597
    - random32: add noise from network and scheduling activity
    - x86/kasan: Map shadow for percpu pages on demand
    - x86/mm: Randomize per-cpu entry area
    - x86/mm: Recompute physical address for every page of per-CPU CEA mapping
    - x86/mm: Populate KASAN shadow for entire per-CPU range of CPU entry area
    - x86/mm: Do not shuffle CPU entry areas without KASLR

-- Roxana Nicolescu <roxana.nicolescu@canonical.com>  Mon, 02 Oct 2023 12:18:58 +0200

Changed in linux (Ubuntu Focal):
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package