Format: 1.8
Date: Fri, 10 May 2024 10:32:13 -0400
Source: linux-aws
Architecture: source
Version: 5.4.0-1126.136
Distribution: focal
Urgency: medium
Maintainer: Ubuntu Kernel Team <kernel-team@lists.ubuntu.com>
Changed-By: Philip Cox <philip.cox@canonical.com>
Launchpad-Bugs-Fixed: 2040948 2058477 2060019 2060216 2061986 2063766 2063812
Changes:
 linux-aws (5.4.0-1126.136) focal; urgency=medium
 .
   * focal/linux-aws: 5.4.0-1126.136 -proposed tracker (LP: #2063766)
 .
   [ Ubuntu: 5.4.0-186.206 ]
 .
   * focal/linux: 5.4.0-186.206 -proposed tracker (LP: #2063812)
   * Mount CIFS fails with Permission denied (LP: #2061986)
     - cifs: fix ntlmssp auth when there is no key exchange
   * USB stick can't be detected (LP: #2040948)
     - usb: Disable USB3 LPM at shutdown
   * CVE-2024-26733
     - net: dev: Convert sa_data to flexible array in struct sockaddr
     - arp: Prevent overflow in arp_req_get().
     - stddef: Introduce DECLARE_FLEX_ARRAY() helper
   * CVE-2024-26712
     - powerpc/kasan: Fix addr error caused by page alignment
   * CVE-2023-52530
     - wifi: mac80211: fix potential key use-after-free
   * CVE-2021-47063
     - drm: bridge/panel: Cleanup connector on bridge detach
   * [Ubuntu 22.04.4/linux-image-6.5.0-26-generic] Kernel output "UBSAN: array-
     index-out-of-bounds in /build/linux-hwe-6.5-34pCLi/linux-
     hwe-6.5-6.5.0/drivers/net/hyperv/netvsc.c:1445:41" multiple times,
     especially during boot. (LP: #2058477)
     - hv: hyperv.h: Replace one-element array with flexible-array member
   * CVE-2024-26614
     - tcp: make sure init the accept_queue's spinlocks once
     - ipv6: init the accept_queue's spinlocks in inet6_create
   * Focal update: v5.4.271 upstream stable release (LP: #2060216)
     - netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter
     - net: ip_tunnel: prevent perpetual headroom growth
     - tun: Fix xdp_rxq_info's queue_index when detaching
     - ipv6: fix potential "struct net" leak in inet6_rtm_getaddr()
     - lan78xx: enable auto speed configuration for LAN7850 if no EEPROM is
       detected
     - net: usb: dm9601: fix wrong return value in dm9601_mdio_read
     - Bluetooth: Avoid potential use-after-free in hci_error_reset
     - Bluetooth: hci_event: Fix handling of HCI_EV_IO_CAPA_REQUEST
     - Bluetooth: Enforce validation on max value of connection interval
     - netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate()
     - rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back
     - efi/capsule-loader: fix incorrect allocation size
     - power: supply: bq27xxx-i2c: Do not free non existing IRQ
     - ALSA: Drop leftover snd-rtctimer stuff from Makefile
     - afs: Fix endless loop in directory parsing
     - gtp: fix use-after-free and null-ptr-deref in gtp_newlink()
     - wifi: nl80211: reject iftype change with mesh ID change
     - btrfs: dev-replace: properly validate device names
     - dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read
     - dmaengine: fsl-qdma: init irq after reg initialization
     - mmc: core: Fix eMMC initialization with 1-bit bus connection
     - x86/cpu/intel: Detect TME keyid bits before setting MTRR mask registers
     - cachefiles: fix memory leak in cachefiles_add_cache()
     - fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super
     - gpio: 74x164: Enable output pins after registers are reset
     - Linux 5.4.271
   * Focal update: v5.4.270 upstream stable release (LP: #2060019)
     - KVM: arm64: vgic-its: Test for valid IRQ in its_sync_lpi_pending_table()
     - KVM: arm64: vgic-its: Test for valid IRQ in MOVALL handler
     - net/sched: Retire CBQ qdisc
     - [Config] updateconfigs for NET_SCH_CBQ
     - net/sched: Retire ATM qdisc
     - [Config] updateconfigs for NET_SCH_ATM
     - net/sched: Retire dsmark qdisc
     - [Config] updateconfigs for NET_SCH_DSMARK
     - sched/rt: sysctl_sched_rr_timeslice show default timeslice after reset
     - memcg: add refcnt for pcpu stock to avoid UAF problem in drain_all_stock()
     - nilfs2: replace WARN_ONs for invalid DAT metadata block requests
     - userfaultfd: fix mmap_changing checking in mfill_atomic_hugetlb
     - sched/rt: Fix sysctl_sched_rr_timeslice intial value
     - sched/rt: Disallow writing invalid values to sched_rt_period_us
     - scsi: target: core: Add TMF to tmr_list handling
     - dmaengine: shdma: increase size of 'dev_id'
     - dmaengine: fsl-qdma: increase size of 'irq_name'
     - wifi: cfg80211: fix missing interfaces when dumping
     - wifi: mac80211: fix race condition on enabling fast-xmit
     - fbdev: savage: Error out if pixclock equals zero
     - fbdev: sis: Error out if pixclock equals zero
     - ahci: asm1166: correct count of reported ports
     - ahci: add 43-bit DMA address quirk for ASMedia ASM1061 controllers
     - ext4: avoid allocating blocks from corrupted group in
       ext4_mb_try_best_found()
     - ext4: avoid allocating blocks from corrupted group in ext4_mb_find_by_goal()
     - regulator: pwm-regulator: Add validity checks in continuous .get_voltage
     - nvmet-tcp: fix nvme tcp ida memory leak
     - ASoC: sunxi: sun4i-spdif: Add support for Allwinner H616
     - netfilter: conntrack: check SCTP_CID_SHUTDOWN_ACK for vtag setting in
       sctp_new
     - nvmet-fc: abort command when there is no binding
     - hwmon: (coretemp) Enlarge per package core count limit
     - scsi: lpfc: Use unsigned type for num_sge
     - firewire: core: send bus reset promptly on gap count error
     - virtio-blk: Ensure no requests in virtqueues before deleting vqs.
     - s390/qeth: Fix potential loss of L3-IP@ in case of network issues
     - pmdomain: renesas: r8a77980-sysc: CR7 must be always on
     - tcp: factor out __tcp_close() helper
     - tcp: return EPOLLOUT from tcp_poll only when notsent_bytes is half the limit
     - tcp: add annotations around sk->sk_shutdown accesses
     - pinctrl: pinctrl-rockchip: Fix a bunch of kerneldoc misdemeanours
     - pinctrl: rockchip: Fix refcount leak in rockchip_pinctrl_parse_groups
     - spi: mt7621: Fix an error message in mt7621_spi_probe()
     - net: bridge: clear bridge's private skb space on xmit
     - selftests/bpf: Avoid running unprivileged tests with alignment requirements
     - Revert "drm/sun4i: dsi: Change the start delay calculation"
     - drm/amdgpu: Check for valid number of registers to read
     - x86/alternatives: Disable KASAN in apply_alternatives()
     - dm-integrity: don't modify bio's immutable bio_vec in integrity_metadata()
     - iomap: Set all uptodate bits for an Uptodate page
     - drm/amdgpu: Fix type of second parameter in trans_msg() callback
     - arm64: dts: qcom: msm8916: Fix typo in pronto remoteproc node
     - PCI: tegra: Fix reporting GPIO error value
     - PCI: tegra: Fix OF node reference leak
     - IB/hfi1: Fix sdma.h tx->num_descs off-by-one error
     - dm-crypt: don't modify the data when using authenticated encryption
     - gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()
     - PCI/MSI: Prevent MSI hardware interrupt number truncation
     - l2tp: pass correct message length to ip6_append_data
     - ARM: ep93xx: Add terminator to gpiod_lookup_table
     - usb: cdns3: fixed memory use after free at cdns3_gadget_ep_disable()
     - usb: cdns3: fix memory double free when handle zero packet
     - usb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs
     - usb: roles: don't get/set_role() when usb_role_switch is unregistered
     - IB/hfi1: Fix a memleak in init_credit_return
     - RDMA/bnxt_re: Return error for SRQ resize
     - RDMA/srpt: Make debug output more detailed
     - RDMA/srpt: fix function pointer cast warnings
     - scripts/bpf: teach bpf_helpers_doc.py to dump BPF helper definitions
     - bpf, scripts: Correct GPL license name
     - scsi: jazz_esp: Only build if SCSI core is builtin
     - nouveau: fix function cast warnings
     - ipv4: properly combine dev_base_seq and ipv4.dev_addr_genid
     - ipv6: properly combine dev_base_seq and ipv6.dev_addr_genid
     - afs: Increase buffer size in afs_update_volume_status()
     - ipv6: sr: fix possible use-after-free and null-ptr-deref
     - packet: move from strlcpy with unused retval to strscpy
     - s390: use the correct count for __iowrite64_copy()
     - tls: rx: jump to a more appropriate label
     - tls: rx: drop pointless else after goto
     - tls: stop recv() if initial process_rx_list gave us non-DATA
     - netfilter: nf_tables: set dormant flag on hook register failure
     - drm/syncobj: make lockdep complain on WAIT_FOR_SUBMIT v3
     - drm/syncobj: call drm_syncobj_fence_add_wait when WAIT_AVAILABLE flag is set
     - fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio
     - scripts/bpf: Fix xdp_md forward declaration typo
     - Linux 5.4.270
   * CVE-2023-47233
     - wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
   * CVE-2021-47070
     - uio: uio_hv_generic: use devm_kzalloc() for private data alloc
     - uio_hv_generic: Fix another memory leak in error handling paths
   * CVE-2024-26622
     - tomoyo: fix UAF write bug in tomoyo_write_control()
Checksums-Sha1:
 d2aa156dc652955397e0308c145b2ea7f1ddb89f 4218 linux-aws_5.4.0-1126.136.dsc
 fc828c4d6b036522c79c8555177a01acefd8882a 10645742 linux-aws_5.4.0-1126.136.diff.gz
 e01b0a14a2fc64955f9e96883c097c4cab6ee9a1 10414 linux-aws_5.4.0-1126.136_source.buildinfo
Checksums-Sha256:
 d4176ee34bb53f41ec5dfedefd0b466503da950aa2989a597eb0cf1a833d4c04 4218 linux-aws_5.4.0-1126.136.dsc
 f7957d62101e86db6e2d92bc75e0f1d17a3b86eef095d925d49d0929ef5e9e17 10645742 linux-aws_5.4.0-1126.136.diff.gz
 835aaa7d6717ce92c8102f53ed1c3a3f29dc41df3dc799751f1847230b831e71 10414 linux-aws_5.4.0-1126.136_source.buildinfo
Files:
 442c7d8d45f9dcc3728ece97f89adacb 4218 devel optional linux-aws_5.4.0-1126.136.dsc
 ce87b4250ce48f57ac9513e28a900146 10645742 devel optional linux-aws_5.4.0-1126.136.diff.gz
 18ebc7e6e94d3adcfffce05eea38626d 10414 devel optional linux-aws_5.4.0-1126.136_source.buildinfo
Ubuntu-Compatible-Signing: ubuntu/4 pro/3