This bug was fixed in the package linux - 6.5.0-27.28

---------------
linux (6.5.0-27.28) mantic; urgency=medium

  * mantic/linux: 6.5.0-27.28 -proposed tracker (LP: #2055584)

  * Packaging resync (LP: #1786013)
    - [Packaging] drop ABI data
    - [Packaging] update annotations scripts
    - debian.master/dkms-versions -- update from kernel-versions
      (main/2024.03.04)

  * CVE-2024-26597
    - net: qualcomm: rmnet: fix global oob in rmnet_policy

  * CVE-2024-26599
    - pwm: Fix out-of-bounds access in of_pwm_single_xlate()

  * Drop ABI checks from kernel build (LP: #2055686)
    - [Packaging] Remove in-tree abi checks

  * Cranky update-dkms-versions rollout (LP: #2055685)
    - [Packaging] remove update-dkms-versions
    - Move debian/dkms-versions to debian.master/dkms-versions
    - [Packaging] Replace debian/dkms-versions with $(DEBIAN)/dkms-versions

  * linux: please move erofs.ko (CONFIG_EROFS for EROFS support) from
    linux-modules-extra to linux-modules (LP: #2054809)
    - UBUNTU [Packaging]: Include erofs in linux-modules instead of
      linux-modules-extra

  * performance: Scheduler: ratelimit updating of load_avg (LP: #2053251)
    - sched/fair: Ratelimit update to tg->load_avg

  * IB peer memory feature regressed in 6.5 (LP: #2055082)
    - SAUCE: RDMA/core: Introduce peer memory interface

  * linux-tools-common: man page of usbip[d] is misplaced (LP: #2054094)
    - [Packaging] rules: Put usbip manpages in the correct directory

  * CVE-2024-23851
    - dm: limit the number of targets and parameter size area

  * CVE-2024-23850
    - btrfs: do not ASSERT() if the newly created subvolume already got read

  * x86: performance: tsc: Extend watchdog check exemption to 4-Sockets platform
    (LP: #2054699)
    - x86/tsc: Extend watchdog check exemption to 4-Sockets platform

  * linux: please move dmi-sysfs.ko (CONFIG_DMI_SYSFS for SMBIOS support) from
    linux-modules-extra to linux-modules (LP: #2045561)
    - [Packaging] Move dmi-sysfs.ko into linux-modules

  * Fix AMD brightness issue on AUO panel (LP: #2054773)
    - drm/amdgpu: make damage clips support configurable

  * Mantic update: upstream stable patchset 2024-02-28 (LP: #2055199)
    - f2fs: explicitly null-terminate the xattr list
    - pinctrl: lochnagar: Don't build on MIPS
    - ALSA: hda - Fix speaker and headset mic pin config for CHUWI CoreBook XPro
    - mptcp: fix uninit-value in mptcp_incoming_options
    - wifi: cfg80211: lock wiphy mutex for rfkill poll
    - wifi: avoid offset calculation on NULL pointer
    - wifi: mac80211: handle 320 MHz in ieee80211_ht_cap_ie_to_sta_ht_cap
    - debugfs: fix automount d_fsdata usage
    - nvme-core: fix a memory leak in nvme_ns_info_from_identify()
    - drm/amd/display: update dcn315 lpddr pstate latency
    - drm/amdgpu: Fix cat debugfs amdgpu_regs_didt causes kernel null pointer
    - smb: client, common: fix fortify warnings
    - blk-mq: don't count completed flush data request as inflight in case of
      quiesce
    - nvme-core: check for too small lba shift
    - hwtracing: hisi_ptt: Handle the interrupt in hardirq context
    - hwtracing: hisi_ptt: Don't try to attach a task
    - ASoC: wm8974: Correct boost mixer inputs
    - arm64: dts: rockchip: fix rk356x pcie msg interrupt name
    - ASoC: Intel: Skylake: Fix mem leak in few functions
    - ASoC: nau8822: Fix incorrect type in assignment and cast to restricted
      __be16
    - ASoC: Intel: Skylake: mem leak in skl register function
    - ASoC: cs43130: Fix the position of const qualifier
    - ASoC: cs43130: Fix incorrect frame delay configuration
    - ASoC: rt5650: add mutex to avoid the jack detection failure
    - ASoC: Intel: skl_hda_dsp_generic: Drop HDMI routes when HDMI is not
      available
    - nouveau/tu102: flush all pdbs on vmm flush
    - ASoC: amd: yc: Add DMI entry to support System76 Pangolin 13
    - ASoC: hdac_hda: Conditionally register dais for HDMI and Analog
    - net/tg3: fix race condition in tg3_reset_task()
    - ASoC: da7219: Support low DC impedance headset
    - nvme: introduce helper function to get ctrl state
    - nvme: prevent potential spectre v1 gadget
    - arm64: dts: rockchip: Fix PCI node addresses on rk3399-gru
    - drm/amdgpu: Add NULL checks for function pointers
    - drm/exynos: fix a potential error pointer dereference
    - drm/exynos: fix a wrong error checking
    - hwmon: (corsair-psu) Fix probe when built-in
    - LoongArch: Preserve syscall nr across execve()
    - clk: rockchip: rk3568: Add PLL rate for 292.5MHz
    - clk: rockchip: rk3128: Fix HCLK_OTG gate register
    - jbd2: correct the printing of write_flags in jbd2_write_superblock()
    - jbd2: increase the journal IO's priority
    - drm/crtc: Fix uninit-value bug in drm_mode_setcrtc
    - neighbour: Don't let neigh_forced_gc() disable preemption for long
    - platform/x86: intel-vbtn: Fix missing tablet-mode-switch events
    - jbd2: fix soft lockup in journal_finish_inode_data_buffers()
    - tracing: Have large events show up as '[LINE TOO BIG]' instead of nothing
    - tracing: Add size check when printing trace_marker output
    - stmmac: dwmac-loongson: drop useless check for compatible fallback
    - MIPS: dts: loongson: drop incorrect dwmac fallback compatible
    - tracing: Fix uaf issue when open the hist or hist_debug file
    - ring-buffer: Do not record in NMI if the arch does not support cmpxchg in
      NMI
    - Input: psmouse - enable Synaptics InterTouch for ThinkPad L14 G1
    - reset: hisilicon: hi6220: fix Wvoid-pointer-to-enum-cast warning
    - Input: atkbd - skip ATKBD_CMD_GETID in translated mode
    - Input: i8042 - add nomux quirk for Acer P459-G2-M
    - s390/scm: fix virtual vs physical address confusion
    - ARC: fix spare error
    - wifi: iwlwifi: pcie: avoid a NULL pointer dereference
    - Input: xpad - add Razer Wolverine V2 support
    - kselftest: alsa: fixed a print formatting warning
    - HID: nintendo: fix initializer element is not constant error
    - platform/x86: thinkpad_acpi: fix for incorrect fan reporting on some
      ThinkPad systems
    - ASoC: Intel: bytcr_rt5640: Add quirk for the Medion Lifetab S10346
    - ASoC: Intel: bytcr_rt5640: Add new swapped-speakers quirk
    - ALSA: hda/realtek: Add quirks for ASUS Zenbook 2022 Models
    - dm audit: fix Kconfig so DM_AUDIT depends on BLK_DEV_DM
    - HID: nintendo: Prevent divide-by-zero on code
    - smb: client: fix potential OOB in smb2_dump_detail()
    - i2c: rk3x: fix potential spinlock recursion on poll
    - drm/amd/display: get dprefclk ss info from integration info table
    - pinctrl: cy8c95x0: Fix typo
    - pinctrl: cy8c95x0: Fix get_pincfg
    - virtio_blk: fix snprintf truncation compiler warning
    - net: qrtr: ns: Return 0 if server port is not present
    - ARM: sun9i: smp: fix return code check of of_property_match_string
    - drm/crtc: fix uninitialized variable use
    - ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP Envy X360 13-ay0xxx
    - ACPI: resource: Add another DMI match for the TongFang GMxXGxx
    - ASoC: SOF: Intel: hda-codec: Delay the codec device registration
    - ksmbd: don't allow O_TRUNC open on read-only share
    - ksmbd: free ppace array on error in parse_dacl
    - binder: use EPOLLERR from eventpoll.h
    - binder: fix use-after-free in shinker's callback
    - binder: fix trivial typo of binder_free_buf_locked()
    - binder: fix comment on binder_alloc_new_buf() return value
    - uio: Fix use-after-free in uio_open
    - parport: parport_serial: Add Brainboxes BAR details
    - parport: parport_serial: Add Brainboxes device IDs and geometry
    - leds: ledtrig-tty: Free allocated ttyname buffer on deactivate
    - PCI: Add ACS quirk for more Zhaoxin Root Ports
    - coresight: etm4x: Fix width of CCITMIN field
    - scripts/decode_stacktrace.sh: optionally use LLVM utilities
    - pinctrl: s32cc: Avoid possible string truncation
    - kunit: Warn if tests are slow
    - kunit: Reset suite counter right before running tests
    - io_uring: use fget/fput consistently
    - block: warn once for each partition in bio_check_ro()
    - drm/amdkfd: Use common function for IP version check
    - drm/amdkfd: Free gang_ctx_bo and wptr_bo in pqm_uninit
    - drm/amdgpu: Use another offset for GC 9.4.3 remap
    - ASoC: amd: yc: Add HP 255 G10 into quirk table
    - ASoC: SOF: topology: Fix mem leak in sof_dai_load()
    - ASoC: fsl_xcvr: Enable 2 * TX bit clock for spdif only case
    - ASoC: fsl_xcvr: refine the requested phy clock frequency
    - ASoC: SOF: ipc4-topology: Add core_mask in struct snd_sof_pipeline
    - ASoC: SOF: sof-audio: Modify logic for enabling/disabling topology cores
    - ASoC: SOF: ipc4-topology: Correct data structures for the SRC module
    - ASoC: SOF: ipc4-topology: Correct data structures for the GAIN module
    - pds_vdpa: fix up format-truncation complaint
    - pds_vdpa: clear config callback when status goes to 0
    - pds_vdpa: set features order
    - nvme: ensure reset state check ordering
    - nvme-ioctl: move capable() admin check to the end
    - nvme: fix deadlock between reset and scan
    - LoongArch: Apply dynamic relocations for LLD
    - LoongArch: Set unwind stack type to unknown rather than set error flag
    - soundwire: intel_ace2x: fix AC timing setting for ACE2.x
    - efi/loongarch: Use load address to calculate kernel entry address
    - pinctrl: amd: Mask non-wake source pins with interrupt enabled at suspend
    - ASoC: cs35l45: Use modern pm_ops
    - ASoC: cs35l45: Prevent IRQ handling when suspending/resuming
    - ASoC: cs35l45: Prevents spinning during runtime suspend
    - driver core: Add a guard() definition for the device_lock()
    - platform/x86/amd/pmc: Move platform defines to header
    - platform/x86/amd/pmc: Only run IRQ1 firmware version check on Cezanne
    - platform/x86/amd/pmc: Move keyboard wakeup disablement detection to
      pmc-quirks
    - platform/x86/amd/pmc: Disable keyboard wakeup on AMD Framework 13
    - drm/amdkfd: svm range always mapped flag not working on APU
    - drm/amd/display: Add case for dcn35 to support usb4 dmub hpd event
    - pinctrl: cy8c95x0: Fix regression
    - posix-timers: Get rid of [COMPAT_]SYS_NI() uses
    - nfc: Do not send datagram if socket state isn't LLCP_BOUND
    - x86/csum: Remove unnecessary odd handling
    - x86/csum: clean up `csum_partial' further
    - x86/microcode: do not cache microcode if it will not be used
    - bus: moxtet: Mark the irq as shared
    - bus: moxtet: Add spi device table
    - drm/amd/display: Pass pwrseq inst for backlight and ABM
    - Upstream stable to v6.1.74, v6.6.13

  * Mantic update: upstream stable patchset 2024-02-27 (LP: #2055002)
    - Revert "nfsd: call nfsd_last_thread() before final nfsd_put()"
    - cifs: fix flushing folio regression for 6.1 backport
    - Upstream stable to v6.1.73, v6.6.12

  * Mantic update: upstream stable patchset 2024-02-26 (LP: #2054779)
    - keys, dns: Fix missing size check of V1 server-list header
    - ALSA: hda/realtek: enable SND_PCI_QUIRK for hp pavilion 14-ec1xxx series
    - ALSA: hda/realtek: fix mute/micmute LEDs for a HP ZBook
    - ALSA: hda/realtek: Fix mute and mic-mute LEDs for HP ProBook 440 G6
    - mptcp: prevent tcp diag from closing listener subflows
    - Revert "PCI/ASPM: Remove pcie_aspm_pm_state_change()"
    - drm/mgag200: Fix gamma lut not initialized for G200ER, G200EV, G200SE
    - cifs: cifs_chan_is_iface_active should be called with chan_lock held
    - cifs: do not depend on release_iface for maintaining iface_list
    - wifi: iwlwifi: pcie: don't synchronize IRQs from IRQ
    - drm/bridge: ti-sn65dsi86: Never store more than msg->size bytes in AUX
      xfer
    - netfilter: nf_tables: set transport offset from mac header for
      netdev/egress
    - nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to
      llcp_local
    - octeontx2-af: Fix marking couple of structure as __packed
    - drm/i915/dp: Fix passing the correct DPCD_REV for
      drm_dp_set_phy_test_pattern
    - ice: Fix link_down_on_close message
    - ice: Shut down VSI with "link-down-on-close" enabled
    - i40e: Fix filter input checks to prevent config with invalid values
    - igc: Report VLAN EtherType matching back to user
    - igc: Check VLAN TCI mask
    - igc: Check VLAN EtherType mask
    - ASoC: fsl_rpmsg: Fix error handler with pm_runtime_enable
    - ASoC: mediatek: mt8186: fix AUD_PAD_TOP register and offset
    - mlxbf_gige: fix receive packet race condition
    - net: sched: em_text: fix possible memory leak in em_text_destroy()
    - r8169: Fix PCI error on system resume
    - net: Implement missing getsockopt(SO_TIMESTAMPING_NEW)
    - selftests: bonding: do not set port down when adding to bond
    - ARM: sun9i: smp: Fix array-index-out-of-bounds read in sunxi_mc_smp_init
    - sfc: fix a double-free bug in efx_probe_filters
    - net: bcmgenet: Fix FCS generation for fragmented skbuffs
    - netfilter: nft_immediate: drop chain reference counter on error
    - net: Save and restore msg_namelen in sock_sendmsg
    - i40e: fix use-after-free in i40e_aqc_add_filters()
    - ASoC: meson: g12a-toacodec: Validate written enum values
    - ASoC: meson: g12a-tohdmitx: Validate written enum values
    - ASoC: meson: g12a-toacodec: Fix event generation
    - ASoC: meson: g12a-tohdmitx: Fix event generation for S/PDIF mux
    - i40e: Restore VF MSI-X state during PCI reset
    - igc: Fix hicredit calculation
    - net/qla3xxx: fix potential memleak in ql_alloc_buffer_queues
    - net/smc: fix invalid link access in dumping SMC-R connections
    - octeontx2-af: Always configure NIX TX link credits based on max frame size
    - octeontx2-af: Re-enable MAC TX in otx2_stop processing
    - asix: Add check for usbnet_get_endpoints
    - net: ravb: Wait for operating mode to be applied
    - bnxt_en: Remove mis-applied code from bnxt_cfg_ntp_filters()
    - net: Implement missing SO_TIMESTAMPING_NEW cmsg support
    - bpf: Support new 32bit offset jmp instruction
    - mm: merge folio_has_private()/filemap_release_folio() call pairs
    - mm, netfs, fscache: stop read optimisation when folio removed from
      pagecache
    - smb: client: fix missing mode bits for SMB symlinks
    - ALSA: hda/realtek: Add quirk for Lenovo Yoga Pro 7
    - firewire: ohci: suppress unexpected system reboot in AMD Ryzen machines
      and ASM108x/VT630x PCIe cards
    - x86/kprobes: fix incorrect return address calculation in
      kprobe_emulate_call_indirect
    - i2c: core: Fix atomic xfer check for non-preempt config
    - mm: fix unmap_mapping_range high bits shift bug
    - drm/amdgpu: skip gpu_info fw loading on navi12
    - drm/amd/display: add nv12 bounding box
    - mmc: meson-mx-sdhc: Fix initialization frozen issue
    - mmc: rpmb: fixes pause retune on all RPMB partitions.
    - mmc: core: Cancel delayed work before releasing host
    - mmc: sdhci-sprd: Fix eMMC init failure after hw reset
    - bpf: Fix a verifier bug due to incorrect branch offset comparison with
      cpu=v4
    - media: qcom: camss: Comment CSID dt_id field
    - Revert "interconnect: qcom: sm8250: Enable sync_state"
    - drm/amd/display: pbn_div need be updated for hotplug event
    - accel/qaic: Fix GEM import path code
    - accel/qaic: Implement quirk for SOC_HW_VERSION
    - drm/bridge: parade-ps8640: Never store more than msg->size bytes in AUX
      xfer
    - drm/bridge: ps8640: Fix size mismatch warning w/ len
    - drm/i915/perf: Update handling of MMIO triggered reports
    - igc: Check VLAN EtherType mask
    - netfilter: nf_nat: fix action not being set for all ct states
    - virtio_net: avoid data-races on dev->stats fields
    - mm: convert DAX lock/unlock page to lock/unlock folio
    - mm/memory-failure: pass the folio and the page to collect_procs()
    - tcp: derive delack_max from rto_min
    - bpftool: Fix -Wcast-qual warning
    - bpftool: Align output skeleton ELF code
    - crypto: xts - use 'spawn' for underlying single-block cipher
    - crypto: qat - fix double free during reset
    - crypto: hisilicon/qm - fix EQ/AEQ interrupt issue
    - vfio/mtty: Overhaul mtty interrupt handling
    - clk: si521xx: Increase stack based print buffer size in probe
    - RDMA/mlx5: Fix mkey cache WQ flush
    - rcu: Break rcu_node_0 --> &rq->__lock order
    - rcu: Introduce rcu_cpu_online()
    - rcu/tasks: Handle new PF_IDLE semantics
    - rcu/tasks-trace: Handle new PF_IDLE semantics
    - KVM: s390: vsie: fix wrong VIR 37 when MSO is used
    - dmaengine: ti: k3-psil-am62: Fix SPI PDMA data
    - dmaengine: ti: k3-psil-am62a: Fix SPI PDMA data
    - iio: imu: adis16475: use bit numbers in assign_bit()
    - iommu/vt-d: Support enforce_cache_coherency only for empty domains
    - phy: mediatek: mipi: mt8183: fix minimal supported frequency
    - phy: sunplus: return negative error code in sp_usb_phy_probe
    - clk: rockchip: rk3128: Fix aclk_peri_src's parent
    - clk: rockchip: rk3128: Fix SCLK_SDMMC's clock name
    - drm/i915: Call intel_pre_plane_updates() also for pipes getting enabled
    - drm/amd/display: Increase num voltage states to 40
    - cxl: Add cxl_decoders_committed() helper
    - cxl/core: Always hold region_rwsem while reading poison lists
    - kernel/resource: Increment by align value in get_free_mem_region()
    - drm/amd/display: Increase frame warning limit with KASAN or KCSAN in dml
    - dmaengine: idxd: Protect int_handle field in hw descriptor
    - RISCV: KVM: update external interrupt atomically for IMSIC swfile
    - powerpc/pseries/vas: Migration suspend waits for no in-progress open
      windows
    - net: prevent mss overflow in skb_segment()
    - cxl/pmu: Ensure put_device on pmu devices
    - net: libwx: fix memory leak on free page
    - net: constify sk_dst_get() and __sk_dst_get() argument
    - mm/mglru: skip special VMAs in lru_gen_look_around()
    - cxl: Add cxl_num_decoders_committed() usage to cxl_test
    - cxl/hdm: Fix a benign lockdep splat
    - cxl/memdev: Hold region_rwsem during inject and clear poison ops

  * kvm: Running perf against qemu processes results in page fault inside guest
    (LP: #2054218) // Mantic update: upstream stable patchset 2024-02-26
    (LP: #2054779)
    - KVM: x86/pmu: fix masking logic for MSR_CORE_PERF_GLOBAL_CTRL

  * smb: wsize blocks of bytes followed with binary zeros on copy, destroying
    data (LP: #2049634)
    - smb: Fix regression in writes when non-standard maximum write size
      negotiated

  * CVE-2024-1085
    - netfilter: nf_tables: check if catch-all set element is active in next
      generation

  * move_mount mediation does not detect if source is detached (LP: #2052662)
    - apparmor: Fix move_mount mediation by detecting if source is detached

  * CVE-2023-46838
    - xen-netback: don't produce zero-size SKB frags

  * CVE-2024-1086
    - netfilter: nf_tables: reject QUEUE/DROP verdict parameters

  * Validate connection interval to pass Bluetooth Test Suite (LP: #2052005)
    - Bluetooth: Enforce validation on max value of connection interval

  * Sound: Add rtl quirk of M70-Gen5 (LP: #2051947)
    - ALSA: hda/realtek: Enable headset mic on Lenovo M70 Gen5

  * Fix spurious wakeup caused by Cirque touchpad (LP: #2051896)
    - HID: i2c-hid: Remove I2C_HID_QUIRK_SET_PWR_WAKEUP_DEV quirk
    - HID: i2c-hid: Renumber I2C_HID_QUIRK_ defines
    - HID: i2c-hid: Skip SET_POWER SLEEP for Cirque touchpad on system suspend

  * Mantic update: upstream stable patchset 2024-02-09 (LP: #2052792)
    - ksmbd: switch to use kmemdup_nul() helper
    - ksmbd: add support for read compound
    - ksmbd: fix wrong interim response on compound
    - ksmbd: fix `force create mode' and `force directory mode'
    - ksmbd: Fix one kernel-doc comment
    - ksmbd: add missing calling smb2_set_err_rsp() on error
    - ksmbd: remove experimental warning
    - ksmbd: remove unneeded mark_inode_dirty in set_info_sec()
    - ksmbd: fix passing freed memory 'aux_payload_buf'
    - ksmbd: return invalid parameter error response if smb2 request is invalid
    - ksmbd: check iov vector index in ksmbd_conn_write()
    - ksmbd: fix race condition with fp
    - ksmbd: fix race condition from parallel smb2 logoff requests
    - ksmbd: fix race condition between tree conn lookup and disconnect
    - ksmbd: fix wrong error response status by using set_smb2_rsp_status()
    - ksmbd: fix Null pointer dereferences in ksmbd_update_fstate()
    - ksmbd: fix potential double free on smb2_read_pipe() error path
    - ksmbd: Remove unused field in ksmbd_user struct
    - ksmbd: reorganize ksmbd_iov_pin_rsp()
    - ksmbd: fix kernel-doc comment of ksmbd_vfs_setxattr()
    - ksmbd: fix missing RDMA-capable flag for IPoIB device in
      ksmbd_rdma_capable_netdev()
    - ksmbd: add support for surrogate pair conversion
    - ksmbd: no need to wait for binded connection termination at logoff
    - ksmbd: fix kernel-doc comment of ksmbd_vfs_kern_path_locked()
    - ksmbd: prevent memory leak on error return
    - ksmbd: separately allocate ci per dentry
    - ksmbd: move oplock handling after unlock parent dir
    - ksmbd: release interim response after sending status pending response
    - ksmbd: move setting SMB2_FLAGS_ASYNC_COMMAND and AsyncId
    - ksmbd: don't update ->op_state as OPLOCK_STATE_NONE on error
    - ksmbd: set epoch in create context v2 lease
    - ksmbd: set v2 lease capability
    - ksmbd: downgrade RWH lease caching state to RH for directory
    - ksmbd: send v2 lease break notification for directory
    - ksmbd: lazy v2 lease break on smb2_write()
    - ksmbd: avoid duplicate opinfo_put() call on error of
      smb21_lease_break_ack()
    - ksmbd: fix wrong allocation size update in smb2_open()
    - linux/export: Ensure natural alignment of kcrctab array
    - block: renumber QUEUE_FLAG_HW_WC
    - platform/x86: p2sb: Allow p2sb_bar() calls during PCI device probe
    - mm/filemap: avoid buffered read/write race to read inconsistent data
    - mm: migrate high-order folios in swap cache correctly
    - mm/memory-failure: cast index to loff_t before shifting it
    - mm/memory-failure: check the mapcount of the precise page
    - ring-buffer: Fix wake ups when buffer_percent is set to 100
    - tracing: Fix blocked reader of snapshot buffer
    - NFSD: fix possible oops when nfsd/pool_stats is closed.
    - Revert "platform/x86: p2sb: Allow p2sb_bar() calls during PCI device
      probe"
    - fs: cifs: Fix atime update check
    - linux/export: Fix alignment for 64-bit ksymtab entries
    - mptcp: refactor sndbuf auto-tuning
    - mptcp: fix possible NULL pointer dereference on close
    - mptcp: fix inconsistent state on fastopen race
    - platform/x86/intel/pmc: Add suspend callback
    - platform/x86/intel/pmc: Allow reenabling LTRs
    - platform/x86/intel/pmc: Move GBE LTR ignore to suspend callback
    - selftests: secretmem: floor the memory size to the multiple of page_size
    - Revert "nvme-fc: fix race between error recovery and creating association"
    - ftrace: Fix modification of direct_function hash while in use
    - Upstream stable to v6.1.71, v6.6.10

  * Mantic update: upstream stable patchset 2024-02-06 (LP: #2052499)
    - kasan: disable kasan_non_canonical_hook() for HW tags
    - bpf: Fix prog_array_map_poke_run map poke update
    - ARM: dts: dra7: Fix DRA7 L3 NoC node register size
    - ARM: OMAP2+: Fix null pointer dereference and memory leak in
      omap_soc_device_init
    - reset: Fix crash when freeing non-existent optional resets
    - s390/vx: fix save/restore of fpu kernel context
    - wifi: iwlwifi: pcie: add another missing bh-disable for rxq->lock
    - wifi: mac80211: check if the existing link config remains unchanged
    - wifi: mac80211: mesh: check element parsing succeeded
    - wifi: mac80211: mesh_plink: fix matches_local logic
    - Revert "net/mlx5e: fix double free of encap_header in update funcs"
    - Revert "net/mlx5e: fix double free of encap_header"
    - net/mlx5e: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list()
    - net/mlx5: Re-organize mlx5_cmd struct
    - net/mlx5e: Fix a race in command alloc flow
    - net/mlx5e: fix a potential double-free in fs_udp_create_groups
    - net/mlx5: Fix fw tracer first block check
    - net/mlx5e: Correct snprintf truncation handling for fw_version buffer
    - net/mlx5e: Correct snprintf truncation handling for fw_version buffer used
      by representors
    - net: mscc: ocelot: fix eMAC TX RMON stats for bucket 256-511 and above
    - octeontx2-pf: Fix graceful exit during PFC configuration failure
    - net: Return error from sk_stream_wait_connect() if sk_wait_event() fails
    - net: sched: ife: fix potential use-after-free
    - ethernet: atheros: fix a memleak in atl1e_setup_ring_resources
    - net/rose: fix races in rose_kill_by_device()
    - Bluetooth: Fix deadlock in vhci_send_frame
    - Bluetooth: hci_event: shut up a false-positive warning
    - net: mana: select PAGE_POOL
    - net: check vlan filter feature in vlan_vids_add_by_dev() and
      vlan_vids_del_by_dev()
    - afs: Fix the dynamic root's d_delete to always delete unused dentries
    - afs: Fix dynamic root lookup DNS check
    - net: check dev->gso_max_size in gso_features_check()
    - keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry
    - afs: Fix overwriting of result of DNS query
    - afs: Fix use-after-free due to get/remove race in volume tree
    - ASoC: hdmi-codec: fix missing report for jack initial status
    - ASoC: fsl_sai: Fix channel swap issue on i.MX8MP
    - i2c: aspeed: Handle the coalesced stop conditions with the start
      conditions.
    - x86/xen: add CPU dependencies for 32-bit build
    - pinctrl: at91-pio4: use dedicated lock class for IRQ
    - gpiolib: cdev: add gpio_device locking wrapper around gpio_ioctl()
    - nvme-pci: fix sleeping function called from interrupt context
    - interconnect: Treat xlate() returning NULL node as an error
    - iio: imu: inv_mpu6050: fix an error code problem in inv_mpu6050_read_raw
    - Input: ipaq-micro-keys - add error handling for devm_kmemdup
    - scsi: bnx2fc: Fix skb double free in bnx2fc_rcv()
    - iio: common: ms_sensors: ms_sensors_i2c: fix humidity conversion time
      table
    - iio: adc: ti_am335x_adc: Fix return value check of tiadc_request_dma()
    - iio: triggered-buffer: prevent possible freeing of wrong buffer
    - ALSA: usb-audio: Increase delay in MOTU M quirk
    - usb-storage: Add quirk for incorrect WP on Kingston DT Ultimate 3.0 G3
    - wifi: cfg80211: Add my certificate
    - wifi: cfg80211: fix certs build to not depend on file order
    - USB: serial: ftdi_sio: update Actisense PIDs constant names
    - USB: serial: option: add Quectel EG912Y module support
    - USB: serial: option: add Foxconn T99W265 with new baseline
    - USB: serial: option: add Quectel RM500Q R13 firmware support
    - ALSA: hda/realtek: Add quirk for ASUS ROG GV302XA
    - Bluetooth: hci_event: Fix not checking if HCI_OP_INQUIRY has been sent
    - Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/LE
    - Bluetooth: Add more enc key size check
    - net: usb: ax88179_178a: avoid failed operations when device is
      disconnected
    - Input: soc_button_array - add mapping for airplane mode button
    - net: 9p: avoid freeing uninit memory in p9pdu_vreadf
    - net: rfkill: gpio: set GPIO direction
    - net: ks8851: Fix TX stall caused by TX buffer overrun
    - dt-bindings: nvmem: mxs-ocotp: Document fsl,ocotp
    - smb: client: fix OOB in cifsd when receiving compounded resps
    - smb: client: fix potential OOB in cifs_dump_detail()
    - smb: client: fix OOB in SMB2_query_info_init()
    - drm/i915: Reject async flips with bigjoiner
    - 9p: prevent read overrun in protocol dump tracepoint
    - btrfs: zoned: no longer count fresh BG region as zone unusable
    - ubifs: fix possible dereference after free
    - ublk: move ublk_cancel_dev() out of ub->mutex
    - selftests: mptcp: join: fix subflow_send_ack lookup
    - Revert "scsi: aacraid: Reply queue mapping to CPUs based on IRQ affinity"
    - scsi: core: Always send batch on reset or error handling command
    - tracing / synthetic: Disable events after testing in
      synth_event_gen_test_init()
    - dm-integrity: don't modify bio's immutable bio_vec in integrity_metadata()
    - pinctrl: starfive: jh7100: ignore disabled device tree nodes
    - bus: ti-sysc: Flush posted write only after srst_udelay
    - gpio: dwapb: mask/unmask IRQ when disable/enale it
    - lib/vsprintf: Fix %pfwf when current node refcount == 0
    - thunderbolt: Fix memory leak in margining_port_remove()
    - KVM: arm64: vgic: Simplify kvm_vgic_destroy()
    - KVM: arm64: vgic: Add a non-locking primitive for kvm_vgic_vcpu_destroy()
    - KVM: arm64: vgic: Force vcpu vgic teardown on vcpu destroy
    - x86/alternatives: Sync core before enabling interrupts
    - mm/damon/core: make damon_start() waits until kdamond_fn() starts
    - wifi: cfg80211: fix CQM for non-range use
    - wifi: nl80211: fix deadlock in nl80211_set_cqm_rssi (6.6.x)
    - mm/damon/core: use number of passed access sampling as a timer
    - btrfs: qgroup: iterate qgroups without memory allocation for
      qgroup_reserve()
    - btrfs: qgroup: use qgroup_iterator in qgroup_convert_meta()
    - btrfs: free qgroup pertrans reserve on transaction abort
    - drm/i915: Fix FEC state dump
    - drm/i915: Introduce crtc_state->enhanced_framing
    - drm/i915/edp: don't write to DP_LINK_BW_SET when using rate select
    - drm: Fix FD ownership check in drm_master_check_perm()
    - platform/x86/intel/pmc: Fix hang in pmc_core_send_ltr_ignore()
    - SUNRPC: Revert 5f7fc5d69f6e92ec0b38774c387f5cf7812c5806
    - wifi: ieee80211: don't require protected vendor action frames
    - wifi: mac80211: don't re-add debugfs during reconfig
    - wifi: mac80211: check defragmentation succeeded
    - ice: fix theoretical out-of-bounds access in ethtool link modes
    - bpf: syzkaller found null ptr deref in unix_bpf proto add
    - net/mlx5e: Fix overrun reported by coverity
    - net/mlx5e: XDP, Drop fragmented packets larger than MTU size
    - net/mlx5: Refactor mlx5_flow_destination->rep pointer to vport num
    - net/mlx5e: Fix error code in mlx5e_tc_action_miss_mapping_get()
    - net/mlx5e: Fix error codes in alloc_branch_attr()
    - net: mscc: ocelot: fix pMAC TX RMON stats for bucket 256-511 and above
    - Bluetooth: Fix not notifying when connection encryption changes
    - Bluetooth: hci_core: Fix hci_conn_hash_lookup_cis
    - bnxt_en: do not map packet buffers twice
    - net: phy: skip LED triggers on PHYs on SFP modules
    - ice: stop trashing VF VSI aggregator node ID information
    - ice: Fix PF with enabled XDP going no-carrier after reset
    - net: ethernet: mtk_wed: fix possible NULL pointer dereference in
      mtk_wed_wo_queue_tx_clean()
    - drm/i915/hwmon: Fix static analysis tool reported issues
    - drm/i915/mtl: Fix HDMI/DP PLL clock selection
    - i2c: qcom-geni: fix missing clk_disable_unprepare() and
      geni_se_resources_off()
    - drm/amdgpu: re-create idle bo's PTE during VM state machine reset
    - interconnect: qcom: sm8250: Enable sync_state
    - scsi: ufs: qcom: Return ufs_qcom_clk_scale_*() errors in
      ufs_qcom_clk_scale_notify()
    - scsi: ufs: core: Let the sq_lock protect sq_tail_slot access
    - iio: kx022a: Fix acceleration value scaling
    - iio: adc: imx93: add four channels for imx93 adc
    - iio: imu: adis16475: add spi_device_id table
    - iio: tmag5273: fix temperature offset
    - ARM: dts: Fix occasional boot hang for am3 usb
    - wifi: mt76: fix crash with WED rx support enabled
    - ASoC: tas2781: check the validity of prm_no/cfg_no
    - usb: typec: ucsi: fix gpio-based orientation detection
    - usb: fotg210-hcd: delete an incorrect bounds test
    - net: avoid build bug in skb extension length calculation
    - nfsd: call nfsd_last_thread() before final nfsd_put()
    - ring-buffer: Fix 32-bit rb_time_read() race with rb_time_cmpxchg()
    - ring-buffer: Remove useless update to write_stamp in rb_try_to_discard()
    - ring-buffer: Fix slowpath of interrupted event
    - spi: atmel: Do not cancel a transfer upon any signal
    - spi: atmel: Prevent spi transfers from being killed
    - spi: atmel: Fix clock issue when using devices with different polarities
    - nvmem: brcm_nvram: store a copy of NVRAM content
    - pinctrl: starfive: jh7110: ignore disabled device tree nodes
    - x86/alternatives: Disable interrupts and sync when optimizing NOPs in
      place
    - x86/smpboot/64: Handle X2APIC BIOS inconsistency gracefully
    - spi: cadence: revert "Add SPI transfer delays"
    - Upstream stable to v6.1.70, v6.6.9

  * Mantic update: upstream stable patchset 2024-02-01 (LP: #2051924)
    - r8152: add vendor/device ID pair for D-Link DUB-E250
    - r8152: add vendor/device ID pair for ASUS USB-C2500
    - ext4: fix warning in ext4_dio_write_end_io()
    - ksmbd: fix memory leak in smb2_lock()
    - afs: Fix refcount underflow from error handling race
    - HID: lenovo: Restrict detection of patched firmware only to USB cptkbd
    - net/mlx5e: Fix possible deadlock on mlx5e_tx_timeout_work
    - net: ipv6: support reporting otherwise unknown prefix flags in
      RTM_NEWPREFIX
    - qca_debug: Prevent crash on TX ring changes
    - qca_debug: Fix ethtool -G iface tx behavior
    - qca_spi: Fix reset behavior
    - bnxt_en: Fix wrong return value check in bnxt_close_nic()
    - bnxt_en: Fix HWTSTAMP_FILTER_ALL packet timestamp logic
    - atm: solos-pci: Fix potential deadlock on &cli_queue_lock
    - atm: solos-pci: Fix potential deadlock on &tx_queue_lock
    - net: fec: correct queue selection
    - octeontx2-af: fix a use-after-free in rvu_nix_register_reporters
    - octeontx2-pf: Fix promisc mcam entry action
    - octeontx2-af: Update RSS algorithm index
    - iavf: Introduce new state machines for flow director
    - iavf: Handle ntuple on/off based on new state machines for flow director
    - qed: Fix a potential use-after-free in qed_cxt_tables_alloc
    - net: Remove acked SYN flag from packet in the transmit queue correctly
    - net: ena: Destroy correct number of xdp queues upon failure
    - net: ena: Fix xdp drops handling due to multibuf packets
    - net: ena: Fix XDP redirection error
    - stmmac: dwmac-loongson: Make sure MDIO is initialized before use
    - sign-file: Fix incorrect return values check
    - vsock/virtio: Fix unsigned integer wrap around in
      virtio_transport_has_space()
    - dpaa2-switch: fix size of the dma_unmap
    - dpaa2-switch: do not ask for MDB, VLAN and FDB replay
    - net: stmmac: Handle disabled MDIO busses from devicetree
    - net: atlantic: fix double free in ring reinit logic
    - cred: switch to using atomic_long_t
    - fuse: dax: set fc->dax to NULL in fuse_dax_conn_free()
    - ALSA: hda/hdmi: add force-connect quirk for NUC5CPYB
    - ALSA: hda/hdmi: add force-connect quirks for ASUSTeK Z170 variants
    - ALSA: hda/realtek: Apply mute LED quirk for HP15-db
    - PCI: loongson: Limit MRRS to 256
    - ksmbd: fix wrong name of SMB2_CREATE_ALLOCATION_SIZE
    - drm/mediatek: Add spinlock for setting vblank event in atomic_begin
    - x86/hyperv: Fix the detection of E820_TYPE_PRAM in a Gen2 VM
    - usb: aqc111: check packet for fixup for true limit
    - stmmac: dwmac-loongson: Add architecture dependency
    - [Config] updateconfigs for DWMAC_LOONGSON
    - blk-throttle: fix lockdep warning of "cgroup_mutex or RCU read lock
      required!"
    - blk-cgroup: bypass blkcg_deactivate_policy after destroying
    - bcache: avoid oversize memory allocation by small stripe_size
    - bcache: remove redundant assignment to variable cur_idx
    - bcache: add code comments for bch_btree_node_get() and
      __bch_btree_node_alloc()
    - bcache: avoid NULL checking to c->root in run_cache_set()
    - nbd: fold nbd config initialization into nbd_alloc_config()
    - nvme-auth: set explanation code for failure2 msgs
    - nvme: catch errors from nvme_configure_metadata()
    - selftests/bpf: fix bpf_loop_bench for new callback verification scheme
    - LoongArch: Add dependency between vmlinuz.efi and vmlinux.efi
    - LoongArch: Implement constant timer shutdown interface
    - platform/x86: intel_telemetry: Fix kernel doc descriptions
    - HID: glorious: fix Glorious Model I HID report
    - HID: add ALWAYS_POLL quirk for Apple kb
    - nbd: pass nbd_sock to nbd_read_reply() instead of index
    - HID: hid-asus: reset the backlight brightness level on resume
    - HID: multitouch: Add quirk for HONOR GLO-GXXX touchpad
    - asm-generic: qspinlock: fix queued_spin_value_unlocked() implementation
    - net: usb: qmi_wwan: claim interface 4 for ZTE MF290
    - arm64: add dependency between vmlinuz.efi and Image
    - HID: hid-asus: add const to read-only outgoing usb buffer
    - btrfs: do not allow non subvolume root targets for snapshot
    - soundwire: stream: fix NULL pointer dereference for multi_link
    - ext4: prevent the normalized size from exceeding EXT_MAX_BLOCKS
    - arm64: mm: Always make sw-dirty PTEs hw-dirty in pte_modify
    - team: Fix use-after-free when an option instance allocation fails
    - drm/amdgpu/sdma5.2: add begin/end_use ring callbacks
    - dmaengine: stm32-dma: avoid bitfield overflow assertion
    - mm/mglru: fix underprotected page cache
    - mm/shmem: fix race in shmem_undo_range w/THP
    - btrfs: free qgroup reserve when ORDERED_IOERR is set
    - btrfs: don't clear qgroup reserved bit in release_folio
    - drm/amdgpu: fix tear down order in amdgpu_vm_pt_free
    - drm/amd/display: Disable PSR-SU on Parade 0803 TCON again
    - drm/i915: Fix remapped stride with CCS on ADL+
    - smb: client: fix NULL deref in asn1_ber_decoder()
    - smb: client: fix OOB in smb2_query_reparse_point()
    - ring-buffer: Fix memory leak of free page
    - tracing: Update snapshot buffer on resize if it is allocated
    - ring-buffer: Do not update before stamp when switching sub-buffers
    - ring-buffer: Have saved event hold the entire event
    - ring-buffer: Fix writing to the buffer with max_data_size
    - ring-buffer: Fix a race in rb_time_cmpxchg() for 32 bit archs
    - ring-buffer: Do not try to put back write_stamp
    - ring-buffer: Have rb_time_cmpxchg() set the msb counter too
    - net/mlx5e: Honor user choice of IPsec replay window size
    - net/mlx5e: Ensure that IPsec sequence packet number starts from 1
    - RDMA/mlx5: Send events from IB driver about device affiliation state
    - net/mlx5e: Disable IPsec offload support if not FW steering
    - net/mlx5e: TC, Don't offload post action rule if not supported
    - net/mlx5: Nack sync reset request when HotPlug is enabled
    - net/mlx5e: Check netdev pointer before checking its net ns
    - net/mlx5: Fix a NULL vs IS_ERR() check
    - bnxt_en: Fix skb recycling logic in bnxt_deliver_skb()
    - net/sched: act_ct: Take per-cb reference to tcf_ct_flow_table
    - octeon_ep: explicitly test for firmware ready value
    - octeontx2-af: Fix pause frame configuration
    - iavf: Fix iavf_shutdown to call iavf_remove instead iavf_close
    - net: ena: Fix DMA syncing in XDP path when SWIOTLB is on
    - net: stmmac: dwmac-qcom-ethqos: Fix drops in 10M SGMII RX
    - cred: get rid of CONFIG_DEBUG_CREDENTIALS
    - [Config] updateconfigs for DEBUG_CREDENTIALS
    - HID: i2c-hid: Add IDEA5002 to i2c_hid_acpi_blacklist[]
    - HID: Add quirk for Labtec/ODDOR/aikeec handbrake
    - fuse: share lookup state between submount and its parent
    - io_uring/cmd: fix breakage in SOCKET_URING_OP_SIOC* implementation
    - PCI/ASPM: Add pci_enable_link_state_locked()
    - PCI: vmd: Fix potential deadlock when enabling ASPM
    - drm/mediatek: fix kernel oops if no crtc is found
    - drm/i915/selftests: Fix engine reset count storage for multi-tile
    - drm/i915: Use internal class when counting engine resets
    - selftests/mm: cow: print ksft header before printing anything else
    - rxrpc: Fix some minor issues with bundle tracing
    - nbd: factor out a helper to get nbd_config without holding 'config_lock'
    - nbd: fix null-ptr-dereference while accessing 'nbd->config'
    - LoongArch: Record pc instead of offset in la_abs relocation
    - LoongArch: Silence the boot warning about 'nokaslr'
    - HID: mcp2221: Set driver data before I2C adapter add
    - HID: mcp2221: Allow IO to start during probe
    - HID: apple: add Jamesdonkey and A3R to non-apple keyboards list
    - nfc: virtual_ncidev: Add variable to check if ndev is running
    - scripts/checkstack.pl: match all stack sizes for s390
    - cxl/hdm: Fix dpa translation locking
    - Revert "selftests: error out if kernel header files are not yet built"
    - drm/mediatek: Fix access violation in mtk_drm_crtc_dma_dev_get
    - mm/mglru: try to stop at high watermarks
    - mm/mglru: respect min_ttl_ms with memcgs
    - mm/mglru: reclaim offlined memcgs harder
    - btrfs: fix qgroup_free_reserved_data int overflow
    - drm/edid: also call add modes in EDID connector update fallback
    - drm/i915: Fix ADL+ tiled plane stride when the POT stride is smaller than
      the original
    - drm/i915: Fix intel_atomic_setup_scalers() plane_state handling
    - smb: client: fix potential OOBs in smb2_parse_contexts()
    - x86/speculation, objtool: Use absolute relocations for annotations
    - RDMA/mlx5: Change the key being sent for MPV device affiliation
    - Upstream stable to v6.1.69, v6.6.8

  * CVE-2023-50431
    - accel/habanalabs: fix information leak in sec_attest_info()

  * CVE-2024-22705
    - ksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16()

 -- Roxana Nicolescu <roxana.nicole...@canonical.com>  Thu, 07 Mar 2024 17:27:48 +0100

** Changed in: linux (Ubuntu Mantic)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-46838

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-50431

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-1085

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-1086

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-22705

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-23850

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-23851

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-26597

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-26599

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2049634

Title:
  smb: wsize blocks of bytes followed with binary zeros on copy,
  destroying data

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2049634/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
