~ubuntu-kernel/ubuntu/+source/linux/+git/jammy:master-next--s2024.02.05-1

Branch merges

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related charm recipes

14a55c5... by Tuo Li <email address hidden> on 2024-02-22

scsi: lpfc: Fix a possible data race in lpfc_unregister_fcf_rescan()

The variable phba->fcf.fcf_flag is often protected by the lock
phba->hbalock() when is accessed. Here is an example in
lpfc_unregister_fcf_rescan():

  spin_lock_irq(&phba->hbalock);
  phba->fcf.fcf_flag |= FCF_INIT_DISC;
  spin_unlock_irq(&phba->hbalock);

However, in the same function, phba->fcf.fcf_flag is assigned with 0
without holding the lock, and thus can cause a data race:

  phba->fcf.fcf_flag = 0;

To fix this possible data race, a lock and unlock pair is added when
accessing the variable phba->fcf.fcf_flag.

Reported-by: BassCheck <email address hidden>
Signed-off-by: Tuo Li <email address hidden>
Link: https://<email address hidden>
Reviewed-by: Justin Tee <email address hidden>
Reviewed-by: Laurence Oberman <email address hidden>
Signed-off-by: Martin K. Petersen <email address hidden>

CVE-2024-24855
(cherry picked from commit 0e881c0a4b6146b7e856735226208f48251facd8)
Signed-off-by: Bethany Jamison <email address hidden>
Acked-by: Roxana Nicolescu <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>

c3de251... by Florian Westphal <email address hidden> on 2024-02-09

netfilter: nf_tables: reject QUEUE/DROP verdict parameters

This reverts commit e0abdadcc6e1.

core.c:nf_hook_slow assumes that the upper 16 bits of NF_DROP
verdicts contain a valid errno, i.e. -EPERM, -EHOSTUNREACH or similar,
or 0.

Due to the reverted commit, its possible to provide a positive
value, e.g. NF_ACCEPT (1), which results in use-after-free.

Its not clear to me why this commit was made.

NF_QUEUE is not used by nftables; "queue" rules in nftables
will result in use of "nft_queue" expression.

If we later need to allow specifiying errno values from userspace
(do not know why), this has to call NF_DROP_GETERR and check that
"err <= 0" holds true.

Fixes: e0abdadcc6e1 ("netfilter: nf_tables: accept QUEUE/DROP verdict parameters")
Cc: <email address hidden>
Reported-by: Notselwyn <email address hidden>
Signed-off-by: Florian Westphal <email address hidden>
Signed-off-by: Pablo Neira Ayuso <email address hidden>

CVE-2024-1086
(cherry picked from commit f342de4e2f33e0e39165d8639387aa6c19dff660)
Signed-off-by: Bethany Jamison <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Roxana Nicolescu <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>

675400a... by Pablo Neira Ayuso <email address hidden> on 2024-02-21

netfilter: nf_tables: check if catch-all set element is active in next generation

When deactivating the catch-all set element, check the state in the next
generation that represents this transaction.

This bug uncovered after the recent removal of the element busy mark
a2dd0233cbc4 ("netfilter: nf_tables: remove busy mark and gc batch API").

Fixes: aaa31047a6d2 ("netfilter: nftables: add catch-all set element support")
Cc: <email address hidden>
Reported-by: lonial con <email address hidden>
Signed-off-by: Pablo Neira Ayuso <email address hidden>
(cherry picked from commit b1db244ffd041a49ecc9618e8feb6b5c1afcdaa7)
CVE-2024-1085
Signed-off-by: Bethany Jamison <email address hidden>
Acked-by: Jose Ogando <email address hidden>
Acked-by: Manuel Diewald <email address hidden>
Signed-off-by: Roxana Nicolescu <email address hidden>

53e2e51... by Namjae Jeon <email address hidden> on 2024-02-06

ksmbd: destroy expired sessions

client can indefinitely send smb2 session setup requests with
the SessionId set to 0, thus indefinitely spawning new sessions,
and causing indefinite memory usage. This patch limit to the number
of sessions using expired timeout and session state.

Cc: <email address hidden>
Reported-by: <email address hidden> # ZDI-CAN-20478
Signed-off-by: Namjae Jeon <email address hidden>
Signed-off-by: Steve French <email address hidden>
(backported from commit ea174a91893956450510945a0c5d1a10b5323656)
[bjamison: Jammy code structure was different in smb2pdu.h than
upstream - found relevant code chunk and implemented fix commit's
intended change]
CVE-2023-32247
Signed-off-by: Bethany Jamison <email address hidden>
Acked-by: Cengiz Can <email address hidden>
Acked-by: Jacob Martin <email address hidden>
Signed-off-by: Roxana Nicolescu <email address hidden>

fba3bf8... by Miaoqian Lin <email address hidden> on 2024-02-20

phy: tegra: xusb: Fix return value of tegra_xusb_find_port_node function

callers of tegra_xusb_find_port_node() function only do NULL checking for
the return value. return NULL instead of ERR_PTR(-ENOMEM) to keep
consistent.

Signed-off-by: Miaoqian Lin <email address hidden>
Acked-by: Thierry Reding <email address hidden>
Link: https://<email address hidden>
Signed-off-by: Vinod Koul <email address hidden>
(cherry picked from commit 045a31b95509c8f25f5f04ec5e0dec5cd09f2c5f)
CVE-2023-23000
Signed-off-by: Bethany Jamison <email address hidden>
Acked-by: Andrei Gherzan <email address hidden>
Acked-by: Jacob Martin <email address hidden>
Acked-by: Manuel Diewald <email address hidden>
Signed-off-by: Roxana Nicolescu <email address hidden>

7110f18... by Stefan Bader on 2024-02-07

UBUNTU: Ubuntu-5.15.0-100.110

No-change re-spin to bump version number.

Signed-off-by: Stefan Bader <email address hidden>

308dd8e... by Stefan Bader on 2024-02-02

UBUNTU: Ubuntu-5.15.0-96.106

Signed-off-by: Stefan Bader <email address hidden>

cac4934... by Stefan Bader on 2024-02-02

UBUNTU: link-to-tracker: update tracking bug

BugLink: https://bugs.launchpad.net/bugs/2052089
Properties: no-test-build
Signed-off-by: Stefan Bader <email address hidden>

0115e60... by =?utf-8?b?VmlsbGUgU3lyasOkbMOk?= <email address hidden> on 2024-01-31

drm/i915: Skip some timing checks on BXT/GLK DSI transcoders

BugLink: https://bugs.launchpad.net/bugs/2044131

Apparently some BXT/GLK systems have DSI panels whose timings
don't agree with the normal cpu transcoder hblank>=32 limitation.
This is perhaps fine as there are no specific hblank/etc. limits
listed for the BXT/GLK DSI transcoders.

Move those checks out from the global intel_mode_valid() into
into connector specific .mode_valid() hooks, skipping BXT/GLK
DSI connectors. We'll leave the basic [hv]display/[hv]total
checks in intel_mode_valid() as those seem like sensible upper
limits regardless of the transcoder used.

Cc: <email address hidden>
Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/9720
Fixes: 8f4b1068e7fc ("drm/i915: Check some transcoder timing minimum limits")
Signed-off-by: Ville Syrjälä <email address hidden>
Link: https://patchwork<email address hidden>
Reviewed-by: Jani Nikula <email address hidden>
(cherry picked from commit e0ef2daa8ca8ce4dbc2fd0959e383b753a87fd7d)
Signed-off-by: Jani Nikula <email address hidden>
(backported from commit 20c2dbff342aec13bf93c2f6c951da198916a455)
Signed-off-by: Dariusz Gadomski <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Roxana Nicolescu <email address hidden>
Signed-off-by: Roxana Nicolescu <email address hidden>

6522efb... by Vitaly Rodionov <email address hidden> on 2024-01-24

ALSA: hda/cs8409: Suppress vmaster control for Dolphin models

BugLink: https://bugs.launchpad.net/bugs/2051050

Customer has reported an issue with specific desktop platform
where two CS42L42 codecs are connected to CS8409 HDA bridge.
If "Master Volume Control" is created then on Ubuntu OS UCM
left/right balance slider in UI audio settings has no effect.
This patch will fix this issue for a target paltform.

Fixes: 20e507724113 ("ALSA: hda/cs8409: Add support for dolphin")
Signed-off-by: Vitaly Rodionov <email address hidden>
Cc: <email address hidden>
Link: https://<email address hidden>
Signed-off-by: Takashi Iwai <email address hidden>
(cherry picked from commit a2ed0a44d637ef9deca595054c206da7d6cbdcbc linux-next)
Signed-off-by: Hui Wang <email address hidden>
Acked-by: AceLan Kao <email address hidden>
Acked-by: Jose Ogando <email address hidden>
Signed-off-by: Roxana Nicolescu <email address hidden>