Thank you for your contribution to Debian.


Hash: SHA512

Format: 1.8
Date: Sat, 30 Dec 2023 10:31:20 +0100
Source: linux-signed-arm64
Architecture: source
Version: 6.1.69+1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Kernel Team <>
Changed-By: Salvatore Bonaccorso <>
 linux-signed-arm64 (6.1.69+1) bookworm-security; urgency=high
   * Sign kernel from linux 6.1.69-1
   * New upstream stable update:
     - hrtimers: Push pending hrtimers away from outgoing CPU earlier
     - i2c: designware: Fix corrupted memory seen in the ISR
     - netfilter: ipset: fix race condition between swap/destroy and kernel side
     - tg3: Move the [rt]x_dropped counters to tg3_napi
     - tg3: Increment tx_dropped in tg3_tso_bug()
     - kconfig: fix memory leak from range properties
     - drm/amdgpu: correct chunk_ptr to a pointer to chunk.
     - [x86] Introduce ia32_enabled()
     - [amd64] x86/coco: Disable 32-bit emulation by default on TDX and SEV
     - [x86] entry: Convert INT 0x80 emulation to IDTENTRY
     - [x86] entry: Do not allow external 0x80 interrupts
     - [x86] tdx: Allow 32-bit emulation by default
     - [x86] platform/x86: asus-wmi: Move i8042 filter install to shared 
     - [powerpc*] of: dynamic: Fix of_reconfig_get_state_change() return value
     - [x86] platform/x86: wmi: Skip blocks with zero instances
     - ipv6: fix potential NULL deref in fib6_add()
     - hv_netvsc: rndis_filter needs to select NLS
     - r8152: Rename RTL8152_UNPLUG to RTL8152_INACCESSIBLE
     - r8152: Add RTL8152_INACCESSIBLE checks to more loops
     - r8152: Add RTL8152_INACCESSIBLE to r8156b_wait_loading_flash()
     - r8152: Add RTL8152_INACCESSIBLE to r8153_pre_firmware_1()
     - r8152: Add RTL8152_INACCESSIBLE to r8153_aldps_en()
     - arcnet: restoring support for multiple Sohard Arcnet cards
     - net: stmmac: fix FPE events losing
     - xsk: Skip polling event check for unbound socket
     - i40e: Fix unexpected MFS warning message
     - iavf: validate tx_coalesce_usecs even if rx_coalesce_usecs is zero
     - net: bnxt: fix a potential use-after-free in bnxt_init_tc
     - tcp: fix mid stream window clamp.
     - ionic: fix snprintf format length warning
     - ionic: Fix dim work handling in split interrupt mode
     - ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit()
     - net: atlantic: Fix NULL dereference of skb pointer in
     - [arm64] net: hns: fix wrong head when modify the tx feature when sending
     - [arm64] net: hns: fix fake link up on xge port
     - netfilter: nft_exthdr: add boolean DCCP option matching
     - netfilter: nf_tables: fix 'exist' matching on bigendian arches
     - netfilter: nf_tables: bail out on mismatching dynset and set expressions
     - netfilter: nf_tables: validate family when identifying table via handle
     - netfilter: xt_owner: Fix for unsafe access of sk->sk_socket
     - tcp: do not accept ACK of bytes we never sent
     - bpf: sockmap, updating the sg structure should also update curr
     - psample: Require 'CAP_NET_ADMIN' when joining "packets" group
     - drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group
     - [arm64] tee: optee: Fix supplicant based device enumeration
     - [arm64] RDMA/hns: Fix unnecessary err return when using invalid congest
       control algorithm
     - RDMA/irdma: Do not modify to SQD on error
     - RDMA/irdma: Add wait for suspend on SQD
     - [arm64] ASoC: fsl_sai: Fix no frame sync clock issue on i.MX8MP
     - RDMA/irdma: Refactor error handling in create CQP
     - RDMA/irdma: Fix UAF in irdma_sc_ccq_get_cqe_info()
     - [x86] hwmon: (acpi_power_meter) Fix 4.29 MW bug
     - [x86] ASoC: wm_adsp: fix memleak in wm_adsp_buffer_populate
     - RDMA/core: Fix umem iterator when PAGE_SIZE is greater then HCA pgsz
     - RDMA/irdma: Avoid free the non-cqp_request scratch
     - [arm64] dts: imx8mq: drop usb3-resume-missing-cas from usb
     - [arm64] dts: imx8mp: imx8mq: Add parkmode-disable-ss-quirk on DWC3
     - tracing: Fix a warning when allocating buffered events fails
     - scsi: be2iscsi: Fix a memleak in beiscsi_init_wrb_handle()
     - [armhf] imx: Check return value of devm_kasprintf in imx_mmdc_perf_init
     - md: introduce md_ro_state
     - md: don't leave 'MD_RECOVERY_FROZEN' in error path of md_set_readonly()
     - iommu: Avoid more races around device probe
     - [x86] rethook: Use __rcu pointer for rethook::handler
     - kprobes: consistent rcu api usage for kretprobe holder
     - [x86] ASoC: amd: yc: Fix non-functional mic on ASUS E1504FA
     - io_uring/af_unix: disable sending io_uring over sockets (CVE-2023-6531)
     - nvme-pci: Add sleep quirk for Kingston drives
     - io_uring: fix mutex_unlock with unreferenced ctx
     - ALSA: usb-audio: Add Pioneer DJM-450 mixer controls
     - ALSA: pcm: fix out-of-bounds in snd_pcm_state_names
     - ALSA: hda/realtek: Enable headset on Lenovo M90 Gen5
     - ALSA: hda/realtek: add new Framework laptop to quirks
     - ALSA: hda/realtek: Add Framework laptop 16 to quirks
     - ring-buffer: Test last update in 32bit version of __rb_time_read()
     - nilfs2: fix missing error check for sb_set_blocksize call
     - nilfs2: prevent WARNING in nilfs_sufile_set_segment_usage()
     - cgroup_freezer: cgroup_freezing: Check if not frozen
     - checkstack: fix printed address
     - tracing: Always update snapshot buffer size
     - tracing: Disable snapshot buffer when stopping instance tracers
     - tracing: Fix incomplete locking when disabling buffered events
     - tracing: Fix a possible race when disabling buffered events
     - packet: Move reference count in packet_sock to atomic_long_t
     - r8169: fix rtl8125b PAUSE frames blasting when suspended
     - regmap: fix bogus error on regcache_sync success
     - [x86] platform/surface: aggregator: fix recv_buf() return value
     - hugetlb: fix null-ptr-deref in hugetlb_vma_lock_write
     - mm: fix oops when filemap_map_pmd() without prealloc_pte
     - md/raid6: use valid sector values to determine if an I/O should wait on
       the reshape
     - [arm*] binder: fix memory leaks of spam and pending work
     - [arm64] coresight: etm4x: Make etm4_remove_dev() return void
     - [arm64] coresight: etm4x: Remove bogous __exit annotation for some
     - hwtracing: hisi_ptt: Add dummy callback pmu::read()
     - [x86] misc: mei: client.c: return negative error code in mei_cl_write
     - [x86] misc: mei: client.c: fix problem of return '-EOVERFLOW' in
     - ring-buffer: Force absolute timestamp on discard of event
     - tracing: Set actual size after ring buffer resize
     - tracing: Stop current tracer when resizing buffer
     - perf: Fix perf_event_validate_size() (CVE-2023-6931)
     - [x86] sev: Fix kernel crash due to late update to read-only ghcb_version
     - gpiolib: sysfs: Fix error handling on failed export
     - drm/amdgpu: fix memory overflow in the IB test
     - drm/amd/amdgpu: Fix warnings in amdgpu/amdgpu_display.c
     - drm/amdgpu: correct the amdgpu runtime dereference usage count
     - drm/amdgpu: Update ras eeprom support for smu v13_0_0 and v13_0_10
     - drm/amdgpu: Add EEPROM I2C address support for ip discovery
     - drm/amdgpu: Remove redundant I2C EEPROM address
     - drm/amdgpu: Decouple RAS EEPROM addresses from chips
     - drm/amdgpu: Add support for RAS table at 0x40000
     - drm/amdgpu: Remove second moot switch to set EEPROM I2C address
     - drm/amdgpu: Return from switch early for EEPROM I2C address
     - drm/amdgpu: simplify amdgpu_ras_eeprom.c
     - drm/amdgpu: Add I2C EEPROM support on smu v13_0_6
     - drm/amdgpu: Update EEPROM I2C address for smu v13_0_0
     - usb: gadget: f_hid: fix report descriptor allocation
     - serial: 8250_dw: Add ACPI ID for Granite Rapids-D UART
     - parport: Add support for Brainboxes IX/UC/PX parallel cards
     - cifs: Fix non-availability of dedup breaking generic/304
     - Revert "xhci: Loosen RPM as default policy to cover for AMD xHC 1.1"
     - smb: client: fix potential NULL deref in parse_dfs_referrals()
     - usb: typec: class: fix typec_altmode_put_partner to put plugs
     - [arm64,armhf] PL011: Fix DMA support
     - [arm64] serial: 8250: 8250_omap: Clear UART_HAS_RHR_IT_DIS bit
     - [arm64] serial: 8250: 8250_omap: Do not start RX DMA on THRI interrupt
     - [arm64] serial: 8250_omap: Add earlycon support for the AM654 UART
     - devcoredump: Send uevent once devcd is ready
     - [x86] CPU/AMD: Check vendor in the AMD microcode callback
     - USB: gadget: core: adjust uevent timing on gadget unbind
     - cifs: Fix flushing, invalidation and file size with copy_file_range()
     - cifs: Fix flushing, invalidation and file size with FICLONE
     - [mips*] kernel: Clear FPU states when setting up kernel threads
       (Closes: #1055021)
     - [s390x] KVM: s390/mm: Properly reset no-dat
     - [x86] KVM: SVM: Update EFER software model on CR0 trap for SEV-ES
     - netfilter: nft_set_pipapo: skip inactive elements during set walk
     - [x86] drm/i915/display: Drop check for doublescan mode in modevalid
     - [x86] drm/i915/lvds: Use REG_BIT() & co.
     - [x86] drm/i915/sdvo: stop caching has_hdmi_monitor in struct intel_sdvo
     - [x86] drm/i915: Skip some timing checks on BXT/GLK DSI transcoders
     - [x86] perf/x86/uncore: Don't WARN_ON_ONCE() for a broken discovery table
     - r8152: add USB device driver for config selection
     - r8152: add vendor/device ID pair for D-Link DUB-E250
     - r8152: add vendor/device ID pair for ASUS USB-C2500
     - [powerpc*] ftrace: Fix stack teardown in ftrace_no_trace
     - ext4: fix warning in ext4_dio_write_end_io()
     - ksmbd: fix memory leak in smb2_lock()
     - afs: Fix refcount underflow from error handling race (Closes: #1052304)
     - HID: lenovo: Restrict detection of patched firmware only to USB cptkbd
       (Closes: #1058758)
     - net/mlx5e: Fix possible deadlock on mlx5e_tx_timeout_work
     - net: ipv6: support reporting otherwise unknown prefix flags in
     - bnxt_en: Clear resource reservation during resume
     - bnxt_en: Save ring error counters across reset
     - bnxt_en: Fix wrong return value check in bnxt_close_nic()
     - bnxt_en: Fix HWTSTAMP_FILTER_ALL packet timestamp logic
     - atm: solos-pci: Fix potential deadlock on &cli_queue_lock
     - atm: solos-pci: Fix potential deadlock on &tx_queue_lock
     - net: vlan: introduce skb_vlan_eth_hdr()
     - net: fec: correct queue selection
     - atm: Fix Use-After-Free in do_vcc_ioctl (CVE-2023-51780)
     - net/rose: Fix Use-After-Free in rose_ioctl (CVE-2023-51782)
     - iavf: Introduce new state machines for flow director
     - iavf: Handle ntuple on/off based on new state machines for flow director
     - qed: Fix a potential use-after-free in qed_cxt_tables_alloc
     - net: Remove acked SYN flag from packet in the transmit queue correctly
     - net: ena: Destroy correct number of xdp queues upon failure
     - net: ena: Fix xdp drops handling due to multibuf packets
     - net: ena: Fix XDP redirection error
     - sign-file: Fix incorrect return values check
     - vsock/virtio: Fix unsigned integer wrap around in
     - net: stmmac: Handle disabled MDIO busses from devicetree
     - appletalk: Fix Use-After-Free in atalk_ioctl (CVE-2023-51781)
     - net: atlantic: fix double free in ring reinit logic
     - cred: switch to using atomic_long_t
     - fuse: dax: set fc->dax to NULL in fuse_dax_conn_free()
     - ALSA: hda/hdmi: add force-connect quirk for NUC5CPYB
     - ALSA: hda/hdmi: add force-connect quirks for ASUSTeK Z170 variants
     - ALSA: hda/realtek: Apply mute LED quirk for HP15-db
     - Revert "PCI: acpiphp: Reassign resources on bridge if necessary"
     - [mips*] PCI: loongson: Limit MRRS to 256 (Closes: #1035587)
     - ksmbd: fix wrong name of SMB2_CREATE_ALLOCATION_SIZE
     - [x86] hyperv: Fix the detection of E820_TYPE_PRAM in a Gen2 VM
     - usb: aqc111: check packet for fixup for true limit
     - blk-throttle: fix lockdep warning of "cgroup_mutex or RCU read lock
     - blk-cgroup: bypass blkcg_deactivate_policy after destroying
     - bcache: avoid oversize memory allocation by small stripe_size
     - bcache: remove redundant assignment to variable cur_idx
     - bcache: add code comments for bch_btree_node_get() and
     - bcache: avoid NULL checking to c->root in run_cache_set()
     - nbd: fold nbd config initialization into nbd_alloc_config()
     - nvme-auth: set explanation code for failure2 msgs
     - nvme: catch errors from nvme_configure_metadata()
     - [x86] platform/x86: intel_telemetry: Fix kernel doc descriptions
     - HID: glorious: fix Glorious Model I HID report
     - HID: add ALWAYS_POLL quirk for Apple kb
     - nbd: pass nbd_sock to nbd_read_reply() instead of index
     - HID: hid-asus: reset the backlight brightness level on resume
     - HID: multitouch: Add quirk for HONOR GLO-GXXX touchpad
     - asm-generic: qspinlock: fix queued_spin_value_unlocked() implementation
     - net: usb: qmi_wwan: claim interface 4 for ZTE MF290
     - [arm64] add dependency between vmlinuz.efi and Image
     - HID: hid-asus: add const to read-only outgoing usb buffer
     - perf: Fix perf_event_validate_size() lockdep splat
     - btrfs: do not allow non subvolume root targets for snapshot
     - soundwire: stream: fix NULL pointer dereference for multi_link
     - ext4: prevent the normalized size from exceeding EXT_MAX_BLOCKS
     - [arm64] mm: Always make sw-dirty PTEs hw-dirty in pte_modify
     - team: Fix use-after-free when an option instance allocation fails
     - drm/amdgpu/sdma5.2: add begin/end_use ring callbacks
     - dmaengine: stm32-dma: avoid bitfield overflow assertion
     - mm/mglru: fix underprotected page cache
     - mm/shmem: fix race in shmem_undo_range w/THP
     - btrfs: free qgroup reserve when ORDERED_IOERR is set
     - btrfs: don't clear qgroup reserved bit in release_folio
     - drm/amdgpu: fix tear down order in amdgpu_vm_pt_free
     - drm/amd/display: Disable PSR-SU on Parade 0803 TCON again
     - [x86] drm/i915: Fix remapped stride with CCS on ADL+
     - smb: client: fix OOB in receive_encrypted_standard()
     - smb: client: fix NULL deref in asn1_ber_decoder()
     - smb: client: fix OOB in smb2_query_reparse_point()
     - ring-buffer: Fix memory leak of free page
     - tracing: Update snapshot buffer on resize if it is allocated
     - ring-buffer: Do not update before stamp when switching sub-buffers
     - ring-buffer: Have saved event hold the entire event
     - ring-buffer: Fix writing to the buffer with max_data_size
     - ring-buffer: Fix a race in rb_time_cmpxchg() for 32 bit archs
     - ring-buffer: Do not try to put back write_stamp
     - ring-buffer: Have rb_time_cmpxchg() set the msb counter too
     - net: tls, update curr on splice as well
     - r8152: avoid to change cfg for all devices
     - r8152: remove rtl_vendor_mode function
     - r8152: fix the autosuspend doesn't work
   [ Salvatore Bonaccorso ]
   * Bump ABI to 17
   * [rt] Update to 6.1.69-rt21
   * [arm64] drivers/vfio: Don't enable VFIO_NOIOMMU.
     This is a breach of the integrity lockdown requirement of secure boot
     and thus cannot be enabled.
     Thanks to Bastian Blank and Ben Hutchings
   * Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg
   * netfilter: nf_tables: skip set commit for deleted/destroyed sets
   * Revert "scsi: aacraid: Reply queue mapping to CPUs based on IRQ affinity"
     (Closes: #1059624)
 853b2e26c5c7f9abc1f63a313ff6e022c20c2531 7455 linux-signed-arm64_6.1.69+1.dsc
 33caafb1142f22f41a129bc9556316aa2dd423bb 2879220 
 7d51697a52023f5acf8aaa47b57004fd07d68041b0bb031cdfa53592482c9acc 7455 
 01e8b467301ec5be59f4943cbbc91d07e29f0efe12285dae2f104a2263f3ecc5 2879220 
 57d2954404d143d6fe5b8fa7c5c0e5c6 7455 kernel optional 
 2a278d9cebe74826cc7cbe10cafe69d8 2879220 kernel optional 



Reply via email to