-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 07 Feb 2025 10:43:47 +0100
Source: linux
Architecture: source
Version: 6.1.128-1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1093243 1094766
Changes:
linux (6.1.128-1) bookworm-security; urgency=high
.
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.125
- ceph: give up on paths longer than PATH_MAX (CVE-2024-53685)
- bpf, sockmap: Fix race between element replace and close()
(CVE-2024-56664)
- sched/task_stack: fix object_is_on_stack() for KASAN tagged pointers
(CVE-2024-53128)
- jbd2: increase IO priority for writing revoke records
- jbd2: flush filesystem device before updating tail sequence
- dm array: fix releasing a faulty array block twice in dm_array_cursor_end
- dm array: fix unreleased btree blocks on closing a faulty array cursor
- dm array: fix cursor index when skipping across block boundaries
- exfat: fix the infinite loop in exfat_readdir()
- exfat: fix the infinite loop in __exfat_free_cluster()
- scripts/sorttable: fix orc_sort_cmp() to maintain symmetry and
transitivity
- net: 802: LLC+SNAP OID:PID lookup on start of skb data
- tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog
- tcp/dccp: allow a connection when sk_max_ack_backlog is zero
- net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute
- bnxt_en: Fix possible memory leak when hwrm_req_replace fails
- cxgb4: Avoid removal of uninserted tid
- ice: fix incorrect PHY settings for 100 GB/s
- tls: Fix tls_sw_sendmsg error handling
- Bluetooth: hci_sync: Fix not setting Random Address when required
- tcp: Annotate data-race around sk->sk_mark in tcp_v4_send_reset
- netfilter: nf_tables: imbalance in flowtable binding
- netfilter: conntrack: clamp maximum hashtable size to INT_MAX
- sched: sch_cake: add bounds checks to host bulk flow fairness counts
- net/mlx5: Fix variable not being completed when function returns
- ksmbd: fix a missing return value check bug
- afs: Fix the maximum cell name length
- ksmbd: fix unexpectedly changed path in ksmbd_vfs_kern_path_locked
- dm thin: make get_first_thin use rcu-safe list first function
- dm-ebs: don't set the flag DM_TARGET_PASSES_INTEGRITY
- sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy
- sctp: sysctl: rto_min/max: avoid using current->nsproxy
- sctp: sysctl: auth_enable: avoid using current->nsproxy
- sctp: sysctl: udp_port: avoid using current->nsproxy
- sctp: sysctl: plpmtud_probe_interval: avoid using current->nsproxy
- drm/amd/display: Add check for granularity in dml ceil/floor helpers
- thermal: of: fix OF node leak in of_thermal_zone_find()
- ACPI: resource: Add TongFang GM5HG0A to irq1_edge_low_force_override[]
- ACPI: resource: Add Asus Vivobook X1504VAP to
irq1_level_low_skip_override[]
- drm/amd/display: increase MAX_SURFACES to the value supported by hw
- dm-verity FEC: Fix RS FEC repair for roots unaligned to block size (take
2)
- bpf: Add MEM_WRITE attribute
- bpf: Fix overloading of MEM_UNINIT's meaning (CVE-2024-50164)
- USB: serial: option: add MeiG Smart SRM815
- USB: serial: option: add Neoway N723-EA support
- usb-storage: Add max sectors quirk for Nokia 208
- USB: serial: cp210x: add Phoenix Contact UPS Device
- usb: dwc3: gadget: fix writing NYET threshold
- topology: Keep the cpumask unchanged when printing cpumap
- usb: gadget: u_serial: Disable ep before setting port to null to fix the
crash caused by port being null
- usb: dwc3-am62: Disable autosuspend during remove
- USB: usblp: return error when setting unsupported protocol
- USB: core: Disable LPM only for non-suspended ports
- usb: fix reference leak in usb_new_device()
- usb: gadget: f_uac2: Fix incorrect setting of bNumEndpoints
- usb: gadget: f_fs: Remove WARN_ON in functionfs_bind
- iio: light: vcnl4035: fix information leak in triggered buffer
- iio: imu: kmx61: fix information leak in triggered buffer
- iio: gyro: fxas21002c: Fix missing data update in trigger handler
- iio: inkern: call iio_device_put() only on mapped devices
- io_uring/eventfd: ensure io_eventfd_signal() defers another RCU period
- block, bfq: fix waker_bfqq UAF after bfq_split_bfqq()
- of/address: Add support for 3 address cell bus
- of: address: Fix address translation when address-size is greater than 2
- of: address: Remove duplicated functions
- of: address: Store number of bus flag cells rather than bool
- of: address: Preserve the flags portion on 1:1 dma-ranges mapping
- ocfs2: correct return value of ocfs2_local_free_info()
- ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv
(CVE-2024-57892)
- drm: bridge: adv7511: use dev_err_probe in probe function
- drm: adv7511: Fix use-after-free in adv7533_attach_dsi() (CVE-2024-57887)
- xhci: use pm_ptr() instead of #ifdef for CONFIG_PM conditionals
https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.126
- Partial revert of xhci: use pm_ptr() instead #ifdef for CONFIG_PM
conditionals
https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.127
- [arm64,armhf] net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field()
- bpf: Fix bpf_sk_select_reuseport() memory leak
- openvswitch: fix lockup on tx to unregistering netdev with carrier
- pktgen: Avoid out-of-bounds access in get_imix_entries
- net: add exit_batch_rtnl() method
- gtp: use exit_batch_rtnl() method
- gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp().
- gtp: Destroy device along with udp socket's netns dismantle.
- nfp: bpf: prevent integer overflow in nfp_bpf_event_output()
- net/mlx5: Fix RDMA TX steering prio
- net/mlx5: Clear port select structure when fail to create
- [arm64] drm/v3d: Ensure job pointer is set to NULL after job completion
- hwmon: (tmp513) Fix division of negative numbers
- Revert "mtd: spi-nor: core: replace dummy buswidth from addr to data"
- i2c: mux: demux-pinctrl: check initial mux selection, too
- i2c: rcar: fix NACK handling when being a target
- nvmet: propagate npwg topology
- mac802154: check local interfaces before deleting sdata list
- hfs: Sanity check the root record
- fs: fix missing declaration of init_files
- kheaders: Ignore silly-rename files
- cachefiles: Parse the "secctx" immediately
- scsi: ufs: core: Honor runtime/system PM levels if set by host controller
drivers
- ACPI: resource: acpi_dev_irq_override(): Check DMI match last
- iomap: avoid avoid truncating 64-bit offset to 32 bits
- poll_wait: add mb() to fix theoretical race between waitqueue_active() and
.poll()
- [x86] asm: Make serialize() always_inline
- ALSA: hda/realtek: Add support for Ayaneo System using CS35L41 HDA
- zram: fix potential UAF of zram table
- mptcp: be sure to send ack when mptcp-level window re-opens
- net: ethernet: xgbe: re-add aneg to supported features in PHY quirks
- vsock/virtio: discard packets if the transport changes
- vsock/virtio: cancel close work in the destructor
- vsock: reset socket state when de-assigning the transport
- vsock: prevent null-ptr-deref in vsock_*[has_data|has_space]
- filemap: avoid truncating 64-bit offset to 32 bits
- fs/proc: fix softlockup in __read_vmcore (part 2)
- gpiolib: cdev: Fix use after free in lineinfo_changed_notify
(CVE-2024-36899)
- [arm64] pmdomain: imx8mp-blk-ctrl: add missing loop break condition
- irqchip: Plug a OF node reference leak in platform_irqchip_probe()
- irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly
- irqchip/gic-v3-its: Don't enable interrupts in its_irq_set_vcpu_affinity()
- hrtimers: Handle CPU state correctly on hotplug
- [x86] drm/i915/fb: Relax clear color alignment to 64 bytes
- Revert "PCI: Use preserve_config in place of pci_flags"
- iio: imu: inv_icm42600: fix spi burst write not supported
- iio: imu: inv_icm42600: fix timestamps after suspend if sensor is on
- [arm64,armhf] iio: adc: rockchip_saradc: fix information leak in triggered
buffer (CVE-2024-57907)
- drm/amd/display: Fix out-of-bounds access in 'dcn21_link_encoder_create'
(CVE-2024-56608)
- drm/amdgpu: fix usage slab after free (CVE-2024-56551)
- block: fix uaf for flush rq while iterating tags (CVE-2024-53170)
- Revert "drm/amdgpu: rework resume handling for display (v2)"
(Closes: #1094766)
- RDMA/rxe: Fix the qp flush warnings in req (CVE-2024-53229)
- scsi: sg: Fix slab-use-after-free read in sg_release() (CVE-2024-56631)
- Revert "regmap: detach regmap from dev on regmap_exit"
- wifi: ath10k: avoid NULL pointer error during sdio remove (CVE-2024-56599)
- erofs: tidy up EROFS on-disk naming
- erofs: handle NONHEAD !delta[1] lclusters gracefully
- nfsd: add list_head nf_gc to struct nfsd_file
- [x86] xen: fix SLS mitigation in xen_hypercall_iret()
- net: fix data-races around sk->sk_forward_alloc (CVE-2024-53124)
https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.128
- scsi: iscsi: Fix redundant response for ISCSI_UEVENT_GET_HOST_STATS
request
- drm/amd/display: Use HW lock mgr for PSR1
- [arm64,armhf] irqchip/sunxi-nmi: Add missing SKIP_WAKE flag
- regmap: detach regmap from dev on regmap_exit
- ipv6: Fix soft lockups in fib6_select_path under high next hop churn
(CVE-2024-56703)
- softirq: Allow raising SCHED_SOFTIRQ from SMP-call-function on RT kernel
- xfs: bump max fsgeom struct version
- xfs: hoist freeing of rt data fork extent mappings
- xfs: prevent rt growfs when quota is enabled
- xfs: rt stubs should return negative errnos when rt disabled
- xfs: fix units conversion error in xfs_bmap_del_extent_delay
- xfs: make sure maxlen is still congruent with prod when rounding down
- xfs: introduce protection for drop nlink
- xfs: handle nimaps=0 from xfs_bmapi_write in xfs_alloc_file_space
- xfs: allow read IO and FICLONE to run concurrently
- xfs: factor out xfs_defer_pending_abort
- xfs: abort intent items when recovery intents fail
- xfs: only remap the written blocks in xfs_reflink_end_cow_extent
- xfs: up(ic_sema) if flushing data device fails
- xfs: fix internal error from AGFL exhaustion
- xfs: inode recovery does not validate the recovered inode
- xfs: clean up dqblk extraction
- xfs: dquot recovery does not validate the recovered dquot
- xfs: clean up FS_XFLAG_REALTIME handling in xfs_ioctl_setattr_xflags
- xfs: respect the stable writes flag on the RT device
- gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag
- io_uring: fix waiters missing wake ups (Closes: #1093243)
- net: sched: fix ets qdisc OOB Indexing
- block: fix integer overflow in BLKSECDISCARD (CVE-2024-49994)
- Revert "HID: multitouch: Add support for lenovo Y9000P Touchpad"
- vfio/platform: check the bounds of read/write syscalls
- ext4: fix access to uninitialised lock in fc replay path (CVE-2024-50014)
- ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find()
(CVE-2024-50304)
- scsi: storvsc: Ratelimit warning logs to prevent VM denial of service
- wifi: iwlwifi: add a few rate index validity checks
- smb: client: fix UAF in async decryption (CVE-2024-50047)
- USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb()
- Revert "usb: gadget: u_serial: Disable ep before setting port to null to
fix the crash caused by port being null"
- ALSA: usb-audio: Add delay quirk for USB Audio Device
- Input: atkbd - map F23 key to support default copilot shortcut
- Input: xpad - add unofficial Xbox 360 wireless receiver clone
- Input: xpad - add support for wooting two he (arm)
- smb: client: fix NULL ptr deref in crypto_aead_setkey()
- [arm64] drm/v3d: Assign job pointer to NULL before signaling the fence
.
[ Salvatore Bonaccorso ]
* Bump ABI to 31
* [rt] Update to 6.1.127-rt48
Checksums-Sha1:
e5025e8631c636a277dba8e55320a99b9ea9079b 290931 linux_6.1.128-1.dsc
e97e590b7d74a7a9e84dedd5249768e0ece882f4 137734772 linux_6.1.128.orig.tar.xz
5fdc669e7b970343f87d4388c0dd1e8c593c31c2 1719136 linux_6.1.128-1.debian.tar.xz
44c6b5f6aaaf4993260a1d4cd1676309c79697f9 7316 linux_6.1.128-1_source.buildinfo
Checksums-Sha256:
25cff6a2009656b08a8b2b194ce67a7796d517f969c5488674e02000966e5ca5 290931 linux_6.1.128-1.dsc
effdc7e295e24730faff768c85e3eeb4a4550e412980fb25b2470f41c4e8942c 137734772 linux_6.1.128.orig.tar.xz
a978deb685e2566962043f2bf17f5fc0b7a333e1d5b65df59476f5987a3c61b7 1719136 linux_6.1.128-1.debian.tar.xz
f547c6efa61925d00386bff0b7f2ee89ceb56cb5852ab2d5cdec747bb4ff8cbd 7316 linux_6.1.128-1_source.buildinfo
Files:
0e0a3c0208e3397a82a1159ad175911d 290931 kernel optional linux_6.1.128-1.dsc
31d4aebe75ed57764db51cc84c636a13 137734772 kernel optional linux_6.1.128.orig.tar.xz
91ff3d1f67fab8eb29cdf9e399266318 1719136 kernel optional linux_6.1.128-1.debian.tar.xz
5ef8ac28d36e90c293737797ae8cc78d 7316 kernel optional linux_6.1.128-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmel1rFfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89E36QP/3G9E8IDdGIRBSRdDfXFea8ZTlWWTfiC
atdJozuCt++Qsd9lYNsnbz+HKDGnKdXVu57kcL+J3W37mweHbRRg2dFX3f1jSkn1
1e1s2DADecFgv4DMPvwYb5MJj3zhB5qNoHE3AxZPRottt9MHytfNmL6/KbBnk0V2
l1YiAW/+AgCxxNj9njJIhO0mI16K8oKdNqBmUftZ5zbpV35LbuXzvpYgeG0ae4oc
aQm7wjA5u5r9RvjziURNOCX8XgnNvv9jq6/sKYefAatlEXyJGRSlB7OL/jhgkm1K
JM0H2tqrrEvICBWISnaKbVvmECIZQxSHRjBBMAJ0WUXcVri49vbGT5gO+NLMOK0Q
tB6BE+j/wseA4EdWvupQYPIvAAYWLxck7Jh39bHw5vj3T17T+JguqUVLR9DGnHZE
4wEG77wG4MY41YJLDLJ1u9kCqTFSCVhHrIpYhMQYX/kUt8xjmh8tOWBFnyTrgncK
XBVSdmf/+xVVEHi8O9O+iKkEopj8YjYoQN5wJTmzPP5xfIV6yJ4RACqJ+WAEY8Uk
E2Ung3kyv6WYvePflREEhAZN50kP0JceOmUsB+vb/NUNcpRwsilM+deH2/ke628u
iwcu4VClwh2nPMf8dm8wu+wO+s04MDwQq58WC8Tkvt7dEgix3wJak1xAQ1H0X1uo
3TGJz0bMrWxh
=/h2v
-----END PGP SIGNATURE-----