-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Fri, 07 Feb 2025 10:43:47 +0100 Source: linux Architecture: source Version: 6.1.128-1 Distribution: bookworm-security Urgency: high Maintainer: Debian Kernel Team Changed-By: Salvatore Bonaccorso Closes: 1093243 1094766 Changes: linux (6.1.128-1) bookworm-security; urgency=high . * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.125 - ceph: give up on paths longer than PATH_MAX (CVE-2024-53685) - bpf, sockmap: Fix race between element replace and close() (CVE-2024-56664) - sched/task_stack: fix object_is_on_stack() for KASAN tagged pointers (CVE-2024-53128) - jbd2: increase IO priority for writing revoke records - jbd2: flush filesystem device before updating tail sequence - dm array: fix releasing a faulty array block twice in dm_array_cursor_end - dm array: fix unreleased btree blocks on closing a faulty array cursor - dm array: fix cursor index when skipping across block boundaries - exfat: fix the infinite loop in exfat_readdir() - exfat: fix the infinite loop in __exfat_free_cluster() - scripts/sorttable: fix orc_sort_cmp() to maintain symmetry and transitivity - net: 802: LLC+SNAP OID:PID lookup on start of skb data - tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog - tcp/dccp: allow a connection when sk_max_ack_backlog is zero - net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute - bnxt_en: Fix possible memory leak when hwrm_req_replace fails - cxgb4: Avoid removal of uninserted tid - ice: fix incorrect PHY settings for 100 GB/s - tls: Fix tls_sw_sendmsg error handling - Bluetooth: hci_sync: Fix not setting Random Address when required - tcp: Annotate data-race around sk->sk_mark in tcp_v4_send_reset - netfilter: nf_tables: imbalance in flowtable binding - netfilter: conntrack: clamp maximum hashtable size to INT_MAX - sched: sch_cake: add bounds checks to host bulk flow fairness counts - net/mlx5: Fix variable not being completed when function returns - ksmbd: fix a missing return value check bug - afs: Fix the maximum cell name length - ksmbd: fix unexpectedly changed path in ksmbd_vfs_kern_path_locked - dm thin: make get_first_thin use rcu-safe list first function - dm-ebs: don't set the flag DM_TARGET_PASSES_INTEGRITY - sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy - sctp: sysctl: rto_min/max: avoid using current->nsproxy - sctp: sysctl: auth_enable: avoid using current->nsproxy - sctp: sysctl: udp_port: avoid using current->nsproxy - sctp: sysctl: plpmtud_probe_interval: avoid using current->nsproxy - drm/amd/display: Add check for granularity in dml ceil/floor helpers - thermal: of: fix OF node leak in of_thermal_zone_find() - ACPI: resource: Add TongFang GM5HG0A to irq1_edge_low_force_override[] - ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[] - drm/amd/display: increase MAX_SURFACES to the value supported by hw - dm-verity FEC: Fix RS FEC repair for roots unaligned to block size (take 2) - bpf: Add MEM_WRITE attribute - bpf: Fix overloading of MEM_UNINIT's meaning (CVE-2024-50164) - USB: serial: option: add MeiG Smart SRM815 - USB: serial: option: add Neoway N723-EA support - usb-storage: Add max sectors quirk for Nokia 208 - USB: serial: cp210x: add Phoenix Contact UPS Device - usb: dwc3: gadget: fix writing NYET threshold - topology: Keep the cpumask unchanged when printing cpumap - usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null - usb: dwc3-am62: Disable autosuspend during remove - USB: usblp: return error when setting unsupported protocol - USB: core: Disable LPM only for non-suspended ports - usb: fix reference leak in usb_new_device() - usb: gadget: f_uac2: Fix incorrect setting of bNumEndpoints - usb: gadget: f_fs: Remove WARN_ON in functionfs_bind - iio: light: vcnl4035: fix information leak in triggered buffer - iio: imu: kmx61: fix information leak in triggered buffer - iio: gyro: fxas21002c: Fix missing data update in trigger handler - iio: inkern: call iio_device_put() only on mapped devices - io_uring/eventfd: ensure io_eventfd_signal() defers another RCU period - block, bfq: fix waker_bfqq UAF after bfq_split_bfqq() - of/address: Add support for 3 address cell bus - of: address: Fix address translation when address-size is greater than 2 - of: address: Remove duplicated functions - of: address: Store number of bus flag cells rather than bool - of: address: Preserve the flags portion on 1:1 dma-ranges mapping - ocfs2: correct return value of ocfs2_local_free_info() - ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv (CVE-2024-57892) - drm: bridge: adv7511: use dev_err_probe in probe function - drm: adv7511: Fix use-after-free in adv7533_attach_dsi() (CVE-2024-57887) - xhci: use pm_ptr() instead of #ifdef for CONFIG_PM conditionals https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.126 - Partial revert of xhci: use pm_ptr() instead #ifdef for CONFIG_PM conditionals https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.127 - [arm64,armhf] net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field() - bpf: Fix bpf_sk_select_reuseport() memory leak - openvswitch: fix lockup on tx to unregistering netdev with carrier - pktgen: Avoid out-of-bounds access in get_imix_entries - net: add exit_batch_rtnl() method - gtp: use exit_batch_rtnl() method - gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp(). - gtp: Destroy device along with udp socket's netns dismantle. - nfp: bpf: prevent integer overflow in nfp_bpf_event_output() - net/mlx5: Fix RDMA TX steering prio - net/mlx5: Clear port select structure when fail to create - [arm64] drm/v3d: Ensure job pointer is set to NULL after job completion - hwmon: (tmp513) Fix division of negative numbers - Revert "mtd: spi-nor: core: replace dummy buswidth from addr to data" - i2c: mux: demux-pinctrl: check initial mux selection, too - i2c: rcar: fix NACK handling when being a target - nvmet: propagate npwg topology - mac802154: check local interfaces before deleting sdata list - hfs: Sanity check the root record - fs: fix missing declaration of init_files - kheaders: Ignore silly-rename files - cachefiles: Parse the "secctx" immediately - scsi: ufs: core: Honor runtime/system PM levels if set by host controller drivers - ACPI: resource: acpi_dev_irq_override(): Check DMI match last - iomap: avoid avoid truncating 64-bit offset to 32 bits - poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll() - [x86] asm: Make serialize() always_inline - ALSA: hda/realtek: Add support for Ayaneo System using CS35L41 HDA - zram: fix potential UAF of zram table - mptcp: be sure to send ack when mptcp-level window re-opens - net: ethernet: xgbe: re-add aneg to supported features in PHY quirks - vsock/virtio: discard packets if the transport changes - vsock/virtio: cancel close work in the destructor - vsock: reset socket state when de-assigning the transport - vsock: prevent null-ptr-deref in vsock_*[has_data|has_space] - filemap: avoid truncating 64-bit offset to 32 bits - fs/proc: fix softlockup in __read_vmcore (part 2) - gpiolib: cdev: Fix use after free in lineinfo_changed_notify (CVE-2024-36899) - [arm64] pmdomain: imx8mp-blk-ctrl: add missing loop break condition - irqchip: Plug a OF node reference leak in platform_irqchip_probe() - irqchip/gic-v3: Handle CPU_PM_ENTER_FAILED correctly - irqchip/gic-v3-its: Don't enable interrupts in its_irq_set_vcpu_affinity() - hrtimers: Handle CPU state correctly on hotplug - [x86] drm/i915/fb: Relax clear color alignment to 64 bytes - Revert "PCI: Use preserve_config in place of pci_flags" - iio: imu: inv_icm42600: fix spi burst write not supported - iio: imu: inv_icm42600: fix timestamps after suspend if sensor is on - [arm64,armhf] iio: adc: rockchip_saradc: fix information leak in triggered buffer (CVE-2024-57907) - drm/amd/display: Fix out-of-bounds access in 'dcn21_link_encoder_create' (CVE-2024-56608) - drm/amdgpu: fix usage slab after free (CVE-2024-56551) - block: fix uaf for flush rq while iterating tags (CVE-2024-53170) - Revert "drm/amdgpu: rework resume handling for display (v2)" (Closes: #1094766) - RDMA/rxe: Fix the qp flush warnings in req (CVE-2024-53229) - scsi: sg: Fix slab-use-after-free read in sg_release() (CVE-2024-56631) - Revert "regmap: detach regmap from dev on regmap_exit" - wifi: ath10k: avoid NULL pointer error during sdio remove (CVE-2024-56599) - erofs: tidy up EROFS on-disk naming - erofs: handle NONHEAD !delta[1] lclusters gracefully - nfsd: add list_head nf_gc to struct nfsd_file - [x86] xen: fix SLS mitigation in xen_hypercall_iret() - net: fix data-races around sk->sk_forward_alloc (CVE-2024-53124) https://www.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.128 - scsi: iscsi: Fix redundant response for ISCSI_UEVENT_GET_HOST_STATS request - drm/amd/display: Use HW lock mgr for PSR1 - [arm64,armhf] irqchip/sunxi-nmi: Add missing SKIP_WAKE flag - regmap: detach regmap from dev on regmap_exit - ipv6: Fix soft lockups in fib6_select_path under high next hop churn (CVE-2024-56703) - softirq: Allow raising SCHED_SOFTIRQ from SMP-call-function on RT kernel - xfs: bump max fsgeom struct version - xfs: hoist freeing of rt data fork extent mappings - xfs: prevent rt growfs when quota is enabled - xfs: rt stubs should return negative errnos when rt disabled - xfs: fix units conversion error in xfs_bmap_del_extent_delay - xfs: make sure maxlen is still congruent with prod when rounding down - xfs: introduce protection for drop nlink - xfs: handle nimaps=0 from xfs_bmapi_write in xfs_alloc_file_space - xfs: allow read IO and FICLONE to run concurrently - xfs: factor out xfs_defer_pending_abort - xfs: abort intent items when recovery intents fail - xfs: only remap the written blocks in xfs_reflink_end_cow_extent - xfs: up(ic_sema) if flushing data device fails - xfs: fix internal error from AGFL exhaustion - xfs: inode recovery does not validate the recovered inode - xfs: clean up dqblk extraction - xfs: dquot recovery does not validate the recovered dquot - xfs: clean up FS_XFLAG_REALTIME handling in xfs_ioctl_setattr_xflags - xfs: respect the stable writes flag on the RT device - gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag - io_uring: fix waiters missing wake ups (Closes: #1093243) - net: sched: fix ets qdisc OOB Indexing - block: fix integer overflow in BLKSECDISCARD (CVE-2024-49994) - Revert "HID: multitouch: Add support for lenovo Y9000P Touchpad" - vfio/platform: check the bounds of read/write syscalls - ext4: fix access to uninitialised lock in fc replay path (CVE-2024-50014) - ipv4: ip_tunnel: Fix suspicious RCU usage warning in ip_tunnel_find() (CVE-2024-50304) - scsi: storvsc: Ratelimit warning logs to prevent VM denial of service - wifi: iwlwifi: add a few rate index validity checks - smb: client: fix UAF in async decryption (CVE-2024-50047) - USB: serial: quatech2: fix null-ptr-deref in qt2_process_read_urb() - Revert "usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null" - ALSA: usb-audio: Add delay quirk for USB Audio Device - Input: atkbd - map F23 key to support default copilot shortcut - Input: xpad - add unofficial Xbox 360 wireless receiver clone - Input: xpad - add support for wooting two he (arm) - smb: client: fix NULL ptr deref in crypto_aead_setkey() - [arm64] drm/v3d: Assign job pointer to NULL before signaling the fence . [ Salvatore Bonaccorso ] * Bump ABI to 31 * [rt] Update to 6.1.127-rt48 Checksums-Sha1: e5025e8631c636a277dba8e55320a99b9ea9079b 290931 linux_6.1.128-1.dsc e97e590b7d74a7a9e84dedd5249768e0ece882f4 137734772 linux_6.1.128.orig.tar.xz 5fdc669e7b970343f87d4388c0dd1e8c593c31c2 1719136 linux_6.1.128-1.debian.tar.xz 44c6b5f6aaaf4993260a1d4cd1676309c79697f9 7316 linux_6.1.128-1_source.buildinfo Checksums-Sha256: 25cff6a2009656b08a8b2b194ce67a7796d517f969c5488674e02000966e5ca5 290931 linux_6.1.128-1.dsc effdc7e295e24730faff768c85e3eeb4a4550e412980fb25b2470f41c4e8942c 137734772 linux_6.1.128.orig.tar.xz a978deb685e2566962043f2bf17f5fc0b7a333e1d5b65df59476f5987a3c61b7 1719136 linux_6.1.128-1.debian.tar.xz f547c6efa61925d00386bff0b7f2ee89ceb56cb5852ab2d5cdec747bb4ff8cbd 7316 linux_6.1.128-1_source.buildinfo Files: 0e0a3c0208e3397a82a1159ad175911d 290931 kernel optional linux_6.1.128-1.dsc 31d4aebe75ed57764db51cc84c636a13 137734772 kernel optional linux_6.1.128.orig.tar.xz 91ff3d1f67fab8eb29cdf9e399266318 1719136 kernel optional linux_6.1.128-1.debian.tar.xz 5ef8ac28d36e90c293737797ae8cc78d 7316 kernel optional linux_6.1.128-1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmel1rFfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk ZWJpYW4ub3JnAAoJEAVMuPMTQ89E36QP/3G9E8IDdGIRBSRdDfXFea8ZTlWWTfiC atdJozuCt++Qsd9lYNsnbz+HKDGnKdXVu57kcL+J3W37mweHbRRg2dFX3f1jSkn1 1e1s2DADecFgv4DMPvwYb5MJj3zhB5qNoHE3AxZPRottt9MHytfNmL6/KbBnk0V2 l1YiAW/+AgCxxNj9njJIhO0mI16K8oKdNqBmUftZ5zbpV35LbuXzvpYgeG0ae4oc aQm7wjA5u5r9RvjziURNOCX8XgnNvv9jq6/sKYefAatlEXyJGRSlB7OL/jhgkm1K JM0H2tqrrEvICBWISnaKbVvmECIZQxSHRjBBMAJ0WUXcVri49vbGT5gO+NLMOK0Q tB6BE+j/wseA4EdWvupQYPIvAAYWLxck7Jh39bHw5vj3T17T+JguqUVLR9DGnHZE 4wEG77wG4MY41YJLDLJ1u9kCqTFSCVhHrIpYhMQYX/kUt8xjmh8tOWBFnyTrgncK XBVSdmf/+xVVEHi8O9O+iKkEopj8YjYoQN5wJTmzPP5xfIV6yJ4RACqJ+WAEY8Uk E2Ung3kyv6WYvePflREEhAZN50kP0JceOmUsB+vb/NUNcpRwsilM+deH2/ke628u iwcu4VClwh2nPMf8dm8wu+wO+s04MDwQq58WC8Tkvt7dEgix3wJak1xAQ1H0X1uo 3TGJz0bMrWxh =/h2v -----END PGP SIGNATURE-----