Package "linux"

  linux (5.4.0-218.238) focal; urgency=medium

  * focal/linux: 5.4.0-218.238 -proposed tracker (LP: #2110876)

  * Rotate the Canonical Livepatch key (LP: #2111244)
    - [Config] Prepare for Canonical Livepatch key rotation

  * CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
    (LP: #2099914) // CVE-2025-2312
    - CIFS: New mount option for cifs.upcall namespace resolution

  * Focal update: v5.4.292 upstream stable release (LP: #2109357)
    - vlan: fix memory leak in vlan_newlink()
    - clockevents/drivers/i8253: Fix stop sequence for timer 0
    - sched/isolation: Prevent boot crash when the boot CPU is nohz_full
    - Revert "UBUNTU: SAUCE: sctp: sysctl: pass right argument to container_of"
    - Revert "sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy"
    - Revert "sctp: sysctl: auth_enable: avoid using current->nsproxy"
    - sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy
    - sctp: sysctl: auth_enable: avoid using current->nsproxy
    - pinctrl: bcm281xx: Fix incorrect regmap max_registers value
    - netpoll: Fix use correct return type for ndo_start_xmit()
    - netpoll: remove dev argument from netpoll_send_skb_on_dev()
    - netpoll: move netpoll_send_skb() out of line
    - netpoll: netpoll_send_skb() returns transmit status
    - netpoll: hold rcu read lock in __netpoll_send_skb()
    - drivers/hv: Replace binary semaphore with mutex
    - Drivers: hv: vmbus: Don't release fb_mmio resource in vmbus_free_mmio()
    - ipvs: prevent integer overflow in do_ip_vs_get_ctl()
    - netfilter: nft_exthdr: fix offset with ipv4_find_option()
    - net/mlx5e: Prevent bridge link show failure for non-eswitch-allowed devices
    - nvme-fc: go straight to connecting state when initializing
    - hrtimers: Mark is_migration_base() with __always_inline
    - powercap: call put_device() on an error path in
      powercap_register_control_type()
    - ACPI: resource: IRQ override for Eluktronics MECH-17
    - HID: intel-ish-hid: fix the length of MNG_SYNC_FW_CLOCK in doorbell
    - s390/cio: Fix CHPID "configure" attribute caching
    - ASoC: rsnd: don't indicate warning on rsnd_kctrl_accept_runtime()
    - nvmet-rdma: recheck queue state is LIVE in state lock in recv done
    - sctp: Fix undefined behavior in left shift operation
    - nvme: only allow entering LIVE from CONNECTING state
    - fuse: don't truncate cached, mutated symlink
    - x86/irq: Define trace events conditionally
    - drm/nouveau: Do not override forced connector status
    - block: fix 'kmem_cache of name 'bio-108' already exists'
    - USB: serial: ftdi_sio: add support for Altera USB Blaster 3
    - USB: serial: option: add Telit Cinterion FE990B compositions
    - USB: serial: option: fix Telit Cinterion FE990A name
    - USB: serial: option: match on interface class for Telit FN990B
    - drm/atomic: Filter out redundant DPMS calls
    - qlcnic: fix memory leak issues in qlcnic_sriov_common.c
    - drm/gma500: Add NULL check for pci_gfx_root in mid_get_vbt_data()
    - ASoC: codecs: wm0010: Fix error handling path in wm0010_spi_probe()
    - i2c: ali1535: Fix an error handling path in ali1535_probe()
    - i2c: ali15x3: Fix an error handling path in ali15x3_probe()
    - i2c: sis630: Fix an error handling path in sis630_probe()
    - firmware: imx-scu: fix OF node leak in .probe()
    - xfrm_output: Force software GSO only in tunnel mode
    - RDMA/bnxt_re: Avoid clearing VLAN_ID mask in modify qp path
    - RDMA/hns: Fix wrong value of max_sge_rd
    - ipv6: Set errno after ip_fib_metrics_init() in ip6_route_info_create().
    - net/neighbor: add missing policy for NDTPA_QUEUE_LENBYTES
    - i2c: omap: fix IRQ storms
    - drm/v3d: Don't run jobs that have errors flagged in its fence
    - mmc: atmel-mci: Add missing clk_disable_unprepare()
    - ARM: shmobile: smp: Enforce shmobile_smp_* alignment
    - batman-adv: Ignore own maximum aggregation size during RX
    - ALSA: usb-audio: Add quirk for Plantronics headsets to fix control names
    - HID: hid-plantronics: Add mic mute mapping and generalize quirks
    - ARM: 9350/1: fault: Implement copy_from_kernel_nofault_allowed()
    - ARM: 9351/1: fault: Add "cut here" line for prefetch aborts
    - ARM: Remove address checking for MMUless devices
    - counter: stm32-lptimer-cnt: fix error handling when enabling
    - tty: serial: 8250: Add some more device IDs
    - net: usb: qmi_wwan: add Telit Cinterion FN990B composition
    - net: usb: qmi_wwan: add Telit Cinterion FE990B composition
    - net: usb: usbnet: restore usb%d name exception for local mac addresses
    - serial: 8250_dma: terminate correct DMA in tx_dma_flush()
    - x86/mm/pat: cpa-test: fix length for CPA_ARRAY test
    - cpufreq: governor: Fix negative 'idle_time' handling in dbs_update()
    - x86/fpu: Avoid copying dynamic FP state from init_task in
      arch_dup_task_struct()
    - x86/platform: Only allow CONFIG_EISA for 32-bit
    - [Config] updateconfigs for HAVE_EISA
    - selinux: Chain up tool resolving errors in install_policy.sh
    - EDAC/ie31200: Fix the size of EDAC_MC_LAYER_CHIP_SELECT layer
    - EDAC/ie31200: Fix the DIMM size mask for several SoCs
    - EDAC/ie31200: Fix the error path order of ie31200_init()
    - PM: sleep: Fix handling devices with direct_complete set on errors
    - lockdep: Don't disable interrupts on RT in disable_irq_nosync_lockdep.*()
    - perf/ring_buffer: Allow the EPOLLRDNORM flag for poll
    - ALSA: hda/realtek: Always honor no_shutup_pins
    - drm/mediatek: mtk_hdmi: Fix typo for aud_sampe_size member
    - PCI/portdrv: Only disable pciehp interrupts early when needed
    - PCI: Remove stray put_device() in pci_register_host_bridge()
    - PCI: pciehp: Don't enable HPIE when resuming in poll mode
    - fbdev: au1100fb: Move a variable assignment behind a null pointer check
    - mdacon: rework dependency list
    - fbdev: sm501fb: Add some geometry checks.
    - clk: amlog

  linux (5.4.0-216.236) focal; urgency=medium

  * focal/linux: 5.4.0-216.236 -proposed tracker (LP: #2106869)

  * CVE-2023-52741
    - cifs: Fix use-after-free in rdata->read_into_pages()

  * CVE-2021-47191
    - scsi: scsi_debug: Fix out-of-bound read in resp_readcap16()

  * iommu/arm-smmu-v3: Don't reserve implementation defined register space
    (LP: #2067864)
    - iommu/arm-smmu-v3: Don't reserve implementation defined register space

  * CVE-2025-21971
    - net_sched: Prevent creation of classes with TC_H_ROOT

  * CVE-2024-56599
    - wifi: ath10k: avoid NULL pointer error during sdio remove

  * Focal update: v5.4.291 upstream stable release (LP: #2106002)
    - perf cs-etm: Add missing variable in cs_etm__process_queues()
    - udf: Fix use of check_add_overflow() with mixed type arguments
    - overflow: Add __must_check attribute to check_*() helpers
    - overflow: Correct check_shl_overflow() comment
    - overflow: Allow mixed type arguments
    - afs: Fix directory format encoding struct
    - partitions: ldm: remove the initial kernel-doc notation
    - drm/etnaviv: Fix page property being used for non writecombine buffers
    - wifi: rtlwifi: do not complete firmware loading needlessly
    - rtlwifi: rtl8192se Rename RT_TRACE to rtl_dbg
    - wifi: rtlwifi: rtl8192se: rise completion of firmware loading as last step
    - wifi: rtlwifi: usb: fix workqueue leak when probe fails
    - dt-bindings: mmc: controller: clarify the address-cells description
    - rtlwifi: replace usage of found with dedicated list iterator variable
    - wifi: rtlwifi: remove unused timer and related code
    - wifi: rtlwifi: remove unused dualmac control leftovers
    - wifi: rtlwifi: pci: wait for firmware loading before releasing memory
    - cpupower: fix TSC MHz calculation
    - regulator: of: Implement the unwind path of of_regulator_match()
    - wifi: wlcore: fix unbalanced pm_runtime calls
    - selftests/harness: Display signed values correctly
    - selftests: harness: fix printing of mismatch values in __EXPECT()
    - clk: analogbits: Fix incorrect calculation of vco rate delta
    - net/mlxfw: Drop hard coded max FW flash image size
    - tools/testing/selftests/bpf/test_tc_tunnel.sh: Fix wait for server bind
    - ASoC: sun4i-spdif: Add clock multiplier settings
    - perf header: Fix one memory leakage in process_bpf_btf()
    - perf header: Fix one memory leakage in process_bpf_prog_info()
    - ktest.pl: Remove unused declarations in run_bisect_test function
    - padata: fix sysfs store callback check
    - perf top: Don't complain about lack of vmlinux when not resolving some
      kernel samples
    - perf report: Fix misleading help message about --demangle
    - RDMA/mlx4: Avoid false error about access to uninitialized gids array
    - arm64: dts: mediatek: mt8173-evb: Drop regulator-compatible property
    - arm64: dts: mediatek: mt8173-evb: Fix MT6397 PMIC sub-node names
    - ARM: dts: mediatek: mt7623: fix IR nodename
    - fbdev: omapfb: Fix an OF node leak in dss_of_port_get_parent_device()
    - media: rc: iguanair: handle timeouts
    - media: lmedm04: Use GFP_KERNEL for URB allocation/submission.
    - media: lmedm04: Handle errors for lme2510_int_read
    - PCI: endpoint: Destroy the EPC device in devm_pci_epc_destroy()
    - media: mipi-csis: Add check for clk_enable()
    - media: camif-core: Add check for clk_enable()
    - media: uvcvideo: Propagate buf->error to userspace
    - staging: media: imx: fix OF node leak in imx_media_add_of_subdevs()
    - scsi: mpt3sas: Set ioc->manu_pg11.EEDPTagMode directly to 1
    - scsi: ufs: bsg: Delete bsg_dev when setting up bsg fails
    - ocfs2: mark dquot as inactive if failed to start trans while releasing dquot
    - module: Extend the preempt disabled section in
      dereference_symbol_descriptor().
    - dmaengine: ti: edma: fix OF node reference leaks in edma_driver
    - net: fec: implement TSO descriptor cleanup
    - PM: hibernate: Add error handling for syscore_suspend()
    - perf trace: Fix runtime error of index out of bounds
    - vsock: Allow retrying on connect() failure
    - net: sh_eth: Fix missing rtnl lock in suspend/resume path
    - genksyms: fix memory leak when the same symbol is added from source
    - genksyms: fix memory leak when the same symbol is read from *.symref file
    - hexagon: fix using plain integer as NULL pointer warning in cmpxchg
    - hexagon: Fix unbalanced spinlock in die()
    - NFSD: Reset cb_seq_status after NFS4ERR_DELAY
    - ktest.pl: Check kernelrelease return in get_version
    - drivers/card_reader/rtsx_usb: Restore interrupt based detection
    - usb: typec: tcpm: set SRC_SEND_CAPABILITIES timeout to PD_T_SENDER_RESPONSE
    - btrfs: output the reason for open_ctree() failure
    - btrfs: convert BUG_ON in btrfs_reloc_cow_block() to proper error handling
    - sched: Don't try to catch up excess steal time.
    - x86/amd_nb: Restrict init function to AMD-based systems
    - tun: fix group permission check
    - mmc: core: Respect quirk_max_rate for non-UHS SDIO card
    - mfd: lpc_ich: Add another Gemini Lake ISA bridge PCI device-id
    - HID: Wacom: Add PCI Wacom device support
    - APEI: GHES: Have GHES honor the panic= setting
    - x86/mm: Don't disable PCID when INVLPG has been fixed by microcode
    - spi-mxs: Fix chipselect glitch
    - nilfs2: move page release outside of nilfs_delete_entry and nilfs_set_link
    - nilfs2: eliminate staggered calls to kunmap in nilfs_rename
    - media: uvcvideo: Only save async fh if success
    - kbuild: userprogs: use correct lld when linking through clang
    - tasklet: Introduce new initialization API
    - net: usb: rtl8150: use new tasklet API
    - usb: xhci: Add timeout argument in address_device USB HCD callback
    - nvme: handle connectivity loss in nvme_set_queue_count
    - firmware: iscsi_ibft: fix ISCSI_IBFT Kconfig entry
    - gpu: drm_dp_cec: fix broken CEC adapter properties check
   

  linux (5.4.0-214.234) focal; urgency=medium

  * focal/linux: 5.4.0-214.234 -proposed tracker (LP: #2102635)

  * CVE-2024-50256
    - netfilter: nf_reject_ipv6: fix potential crash in nf_send_reset6()

  * CVE-2025-21702
    - pfifo_tail_enqueue: Drop new packet when sch->limit == 0

  * CVE-2025-21703
    - netem: Update sch->q.qlen before qdisc_tree_reduce_backlog()

  * CVE-2024-26915
    - drm/amdgpu: Reset IH OVERFLOW_CLEAR bit

  * CVE-2025-21700
    - net: sched: Disallow replacing of child qdisc from one parent to another

  * CVE-2024-46826
    - ELF: fix kernel.randomize_va_space double read

  * CVE-2024-56651
    - can: hi311x: hi3110_can_ist(): fix potential use-after-free

  * CVE-2024-53237
    - driver core: Introduce device_find_any_child() helper
    - Bluetooth: fix use-after-free in device_for_each_child()

  * CVE-2024-35958
    - net: ena: Fix incorrect descriptor free behavior

  * CVE-2024-49974
    - NFSD: Limit the number of concurrent async COPY operations

  * CVE-2021-47119
    - ext4: fix memory leak in ext4_fill_super

  * CVE-2024-56658
    - net: defer final 'struct net' free in netns dismantle

  * CVE-2024-35864
    - smb: client: fix potential UAF in smb2_is_valid_lease_break()

  * CVE-2024-35864/CVE-2024-26928
    - smb: client: fix potential UAF in cifs_debug_files_proc_show()

 -- Stefan Bader <email address hidden> Fri, 14 Mar 2025 15:42:15 +0100

  linux (5.4.0-211.231) focal; urgency=medium

  * focal/linux: 5.4.0-211.231 -proposed tracker (LP: #2101996)

  * cve-2018-5803 kernel panic (LP: #2101091)
    - SAUCE: sctp: sysctl: pass right argument to container_of

  linux (5.4.0-210.230) focal; urgency=medium

  * focal/linux: 5.4.0-210.230 -proposed tracker (LP: #2098353)

  * Focal update: v5.4.290 upstream stable release (LP: #2098439)
    - jbd2: flush filesystem device before updating tail sequence
    - dm array: fix releasing a faulty array block twice in dm_array_cursor_end
    - dm array: fix unreleased btree blocks on closing a faulty array cursor
    - dm array: fix cursor index when skipping across block boundaries
    - ieee802154: ca8210: Add missing check for kfifo_alloc() in ca8210_probe()
    - net: 802: LLC+SNAP OID:PID lookup on start of skb data
    - tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog
    - tcp/dccp: allow a connection when sk_max_ack_backlog is zero
    - net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute
    - tls: Fix tls_sw_sendmsg error handling
    - dm thin: make get_first_thin use rcu-safe list first function
    - sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy
    - sctp: sysctl: auth_enable: avoid using current->nsproxy
    - drm/amd/display: Add check for granularity in dml ceil/floor helpers
    - ACPI: resource: Add TongFang GM5HG0A to irq1_edge_low_force_override[]
    - ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[]
    - drm/amd/display: increase MAX_SURFACES to the value supported by hw
    - USB: serial: option: add MeiG Smart SRM815
    - USB: serial: option: add Neoway N723-EA support
    - staging: iio: ad9834: Correct phase range check
    - staging: iio: ad9832: Correct phase range check
    - usb-storage: Add max sectors quirk for Nokia 208
    - USB: serial: cp210x: add Phoenix Contact UPS Device
    - usb: gadget: u_serial: Disable ep before setting port to null to fix the
      crash caused by port being null
    - USB: usblp: return error when setting unsupported protocol
    - USB: core: Disable LPM only for non-suspended ports
    - usb: fix reference leak in usb_new_device()
    - usb: gadget: f_fs: Remove WARN_ON in functionfs_bind
    - iio: pressure: zpa2326: fix information leak in triggered buffer
    - iio: dummy: iio_simply_dummy_buffer: fix information leak in triggered
      buffer
    - iio: light: vcnl4035: fix information leak in triggered buffer
    - iio: imu: kmx61: fix information leak in triggered buffer
    - iio: adc: ti-ads8688: fix information leak in triggered buffer
    - iio: gyro: fxas21002c: Fix missing data update in trigger handler
    - iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep()
    - iio: adc: at91: call input_free_device() on allocated iio_dev
    - iio: inkern: call iio_device_put() only on mapped devices
    - arm64: dts: rockchip: fix defines in pd_vio node for rk3399
    - arm64: dts: rockchip: fix pd_tcpc0 and pd_tcpc1 node position on rk3399
    - arm64: dts: rockchip: add #power-domain-cells to power domain nodes
    - arm64: dts: rockchip: add hevc power domain clock to rk3328
    - phy: core: fix code style in devm_of_phy_provider_unregister
    - phy: core: Fix that API devm_of_phy_provider_unregister() fails to
      unregister the phy provider
    - ocfs2: correct return value of ocfs2_local_free_info()
    - ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv
    - sctp: sysctl: rto_min/max: avoid using current->nsproxy
    - net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field()
    - net: net_namespace: Optimize the code
    - net: add exit_batch_rtnl() method
    - gtp: use exit_batch_rtnl() method
    - gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp().
    - gtp: Destroy device along with udp socket's netns dismantle.
    - nfp: bpf: prevent integer overflow in nfp_bpf_event_output()
    - drm/v3d: Ensure job pointer is set to NULL after job completion
    - i2c: mux: demux-pinctrl: check initial mux selection, too
    - mac802154: check local interfaces before deleting sdata list
    - hfs: Sanity check the root record
    - kheaders: Ignore silly-rename files
    - poll_wait: add mb() to fix theoretical race between waitqueue_active() and
      .poll()
    - nvmet: propagate npwg topology
    - net: ethernet: xgbe: re-add aneg to supported features in PHY quirks
    - fs/proc: fix softlockup in __read_vmcore (part 2)
    - irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly
    - hrtimers: Handle CPU state correctly on hotplug
    - ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev()
    - scsi: sg: Fix slab-use-after-free read in sg_release()
    - net: fix data-races around sk->sk_forward_alloc
    - ASoC: wm8994: Add depends on MFD core
    - scsi: iscsi: Fix redundant response for ISCSI_UEVENT_GET_HOST_STATS request
    - irqchip/sunxi-nmi: Add missing SKIP_WAKE flag
    - gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag
    - m68k: Update ->thread.esp0 before calling syscall_trace() in ret_from_signal
    - m68k: Add missing mmap_read_lock() to sys_cacheflush()
    - signal/m68k: Use force_sigsegv(SIGSEGV) in fpsp040_die
    - net: xen-netback: hash.c: Use built-in RCU list checking
    - net/xen-netback: prevent UAF in xenvif_flush_hash()
    - vfio/platform: check the bounds of read/write syscalls
    - ext4: avoid ext4_error()'s caused by ENOMEM in the truncate path
    - ext4: fix slab-use-after-free in ext4_split_extent_at()
    - USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb()
    - Revert "usb: gadget: u_serial: Disable ep before setting port to null to fix
      the crash caused by port being null"
    - Input: atkbd - map F23 key to support default copilot shortcut
    - Input: xpad - add unofficial Xbox 360 wireless receiver clone
    - Input: xpad - add support for wooting two he (arm)
    - drm/v3d: Assign job pointer to NULL before signaling the fence
    - xhci: use pm_ptr() instead of #ifdef for CONFIG_PM conditionals
    - Partial revert of xhci: use pm_ptr() instead #ifdef for CONFIG_PM
      conditionals
    - Linux 5.4.290

  * CVE-2021-47219
    - scsi: sc